IdP returning response via http-redirect

IdP returning response via http-redirect

Jon Stockdill
I appreciate all the help this community has provided.

I am trying to return a response from shib-idp via http-redirect.  I
am guessing it will do this if the authnrequest from the SP has a
   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Is this correct?  If so, is it possible to have sp.testshib.org send an
authnrequest w/ the above binding?

Thanks,

--jon

Re: IdP returning response via http-redirect

Chad La Joie
The IdP will use bindings that your SP supports.  If you want the SP to
only receive redirects then, in metadata, only list redirect endpoints.
Then the IdP will use that.

Jon Stockdill wrote:

> I appreciate all the help this community has provided.
>
> I am trying to return a response from shib-idp via http-redirect.  I
> am guessing it will do this if the authnrequest from the SP has a
>    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>
> Is this correct?  If so, is it possible to have sp.testshib.org send an
> authnrequest w/ the above binding?
>
> Thanks,
>
> --jon

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


RE: IdP returning response via http-redirect

Cantor, Scott E.
In reply to this post by Jon Stockdill
Jon Stockdill wrote on 2009-01-16:
> I am trying to return a response from shib-idp via http-redirect.

That isn't legal.

> I am guessing it will do this if the authnrequest from the SP has a
>    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

The inbound binding has nothing whatsoever to do with the outbound binding.

> Is this correct?  If so, is it possible to have sp.testshib.org send an
> authnrequest w/ the above binding?

I would imagine it does by default, but the answer is no, you can't make
that happen on an SP you don't control.

-- Scott




Re: IdP returning response via http-redirect

Jon Stockdill
In reply to this post by Jon Stockdill
On Fri, Jan 16, 2009 at 9:57 AM, Scott Cantor <[hidden email]> wrote:

> Jon Stockdill wrote on 2009-01-16:
>> I am trying to return a response from shib-idp via http-redirect.
>
> That isn't legal.
>
>> I am guessing it will do this if the authnrequest from the SP has a
>>    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>
> The inbound binding has nothing whatsoever to do with the outbound binding.
>
>> Is this correct?  If so, is it possible to have sp.testshib.org send an
>> authnrequest w/ the above binding?
>
> I would imagine it does by default, but the answer is no, you can't make
> that happen on an SP you don't control.

Cool.  Thanks for the reassurance.

--jon

RE: IdP returning response via http-redirect

Cantor, Scott E.
Jon Stockdill wrote on 2009-01-16:
>>> I am guessing it will do this if the authnrequest from the SP has a
>>>    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>  The inbound binding has nothing whatsoever to do with the outbound
>> binding.

Sorry, I misread this initially. Yes, the *ProtocolBinding* in the request
is partially involved in selection of the outbound binding. But by spec, SSO
outbound can't be with a redirect, it won't fit.

-- Scott
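
Added example, not part of the thread and not the Shibboleth IdP's own code: a simplified model of how an IdP can pick the endpoint for an SSO response, using only endpoints registered in SP metadata, treating ProtocolBinding as a filter, and never choosing HTTP-Redirect. The entity sp.example.org, its endpoint paths and the function name select_acs are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
# Bindings the Web Browser SSO profile allows for carrying a <Response>.
RESPONSE_BINDINGS = {POST, ARTIFACT}

# Constructed SP metadata; sp.example.org and its paths are placeholders.
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs/post"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/acs/artifact"/>
    <md:AssertionConsumerService index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/acs/redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def select_acs(metadata_xml, protocol_binding=None):
    """Return (binding, location) of the ACS endpoint for the response."""
    root = ET.fromstring(metadata_xml)
    # Only metadata-registered endpoints with a response-capable binding count.
    usable = [e for e in root.iter(MD + "AssertionConsumerService")
              if e.get("Binding") in RESPONSE_BINDINGS]
    if protocol_binding is not None:
        # ProtocolBinding narrows the choice; it never adds an endpoint.
        usable = [e for e in usable if e.get("Binding") == protocol_binding]
    if not usable:
        raise ValueError("no metadata endpoint can carry the response")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    usable.sort(key=lambda e: (e.get("isDefault") != "true",
                               int(e.get("index"))))
    return usable[0].get("Binding"), usable[0].get("Location")
```

A request that asks for HTTP-Redirect ends in an error here rather than a fallback, so the mismatch is visible to whoever operates the SP.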