Can't get request to use HTTP-POST Binding [#2854751]

I am trying to create SSO with an IDP which only supports HTTP-POST Binding. Based on the request structure I see here https://www.samltool.com/generic_sso_req.php, the requests are not posting ast HTTP-POST Binding as I don't see the SignedInfo or certificate data in the request (when I walk though the module code with a debugger.).

I have already set the 'Name ID Format' to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and have checked off all the sections in the Security section. What else and I missing?

Below is a sample request (urls changed) of what I have currently:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_1d3998bf5646997340f22b5fa1e229b6a605a5f6"
    Version="2.0"

    IssueInstant="2017-02-21T22:36:55Z"
    Destination="https://example.org/SAML/SSOService.aspx"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://spexample.com/saml/acs">
    <saml:Issuer>http://spexample.com/saml/metadata</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Comment	File	Size	Author
#9	2854751-09.patch	8.1 KB	gido
#9	8.x-3.x: PHP 5.5 & MySQL 5.5, D8.9.20 Composer error. Unable to continue. PHP 5.5 & PostgreSQL 9.1, D8.9.20 Composer error. Unable to continue. PHP 5.5 & SQLite 3.8, D8.9.20 Composer error. Unable to continue. PHP 5.6 & MySQL 5.5, D8.9.20 Composer error. Unable to continue. PHP 7 & MySQL 5.5, D8.9.20 2 fail PHP 7 & PostgreSQL 9.1, D8.9.20 2 fail PHP 7 & SQLite 3.14, D8.9.20 2 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

22 February 2017 at 03:54

jdesrig created an issue. See original summary.

Comment #2

jdesrig CreditAttribution: jdesrig commented 22 February 2017 at 03:55

Issue summary:

View changes

Comment #3

roderik

Dutch

Amsterdam,NL / Budapest,HU

CreditAttribution: roderik at Cheppers for Acquia commented 24 February 2017 at 18:37

The OneLogin SAML library does not support HTTP-POST binding. After seeing that it's just not there in the code, I came across https://github.com/onelogin/php-saml/issues/92 that says the same thing.

If you need to work with this IDP, you should probably use the simplesamlphp_auth module. SimpleSAMLphp is a bit more work to set up (since it's a standalone 'app' that needs to be reachable in your docroot / on another host)... but it + the 'wrapper' simplesamlphp_auth module support AuthnRequests over HTTP-POST.

Comment #4

awm CreditAttribution: awm commented 21 February 2018 at 22:04

@roderik wish I have seen this earlier... thanks

Comment #5

Antoine Lafontaine CreditAttribution: Antoine Lafontaine commented 2 April 2020 at 20:08

~~New versions of the Onelogin library seems to now support POST Bindings.~~
Scratch that.

Comment #6

ElusiveMind CreditAttribution: ElusiveMind at ITCON Services Inc. commented 18 May 2020 at 17:40

It looks like as of OneLogin PHP-SAML v3.4.1 supports the POST bindings.

Comment #7

roderik

Dutch

Amsterdam,NL / Budapest,HU

CreditAttribution: roderik at Cheppers for Acquia commented 18 May 2020 at 18:37

I don't see a sign of that.

For completeness:

The SAMLRequests for login/logout to be sent by the SP/Drupal, must be sent trough the HTTP-Redirect binding / GET requests. POST is not supported.
The SAMLResponses for both that come back from the IdP must be POST requests.
A LogoutRequest from the IdP must be a GET request.

(Why? I think maybe because OneLogin had a reason to only want their IdP to consume GET requests, but responses must be POST according to the SAML standard and/or de facto established standard for SAML implementations. Is my guess.)

Comment #8

ElusiveMind CreditAttribution: ElusiveMind at ITCON Services Inc. commented 18 May 2020 at 18:44

Well, I can absolutely say that using:

External Authentication and SAML Auth, it pulls in OneLogin v3.4.1 - and I have working eAuth/SAML implementations as per my work with USDA. So I have it working. I did have the HTTP_POST issue prior to using 3.4.1 so my report is experiential and not based on logs.

EDIT: I did have to use the 3.x-dev branch of SAML Auth.

Comment #9

gido CreditAttribution: gido at Antistatique commented 4 December 2021 at 13:51

File	Size
2854751-09.patch	8.1 KB
8.x-3.x: PHP 5.5 & MySQL 5.5, D8.9.20 Composer error. Unable to continue. PHP 5.5 & PostgreSQL 9.1, D8.9.20 Composer error. Unable to continue. PHP 5.5 & SQLite 3.8, D8.9.20 Composer error. Unable to continue. PHP 5.6 & MySQL 5.5, D8.9.20 Composer error. Unable to continue. PHP 7 & MySQL 5.5, D8.9.20 2 fail PHP 7 & PostgreSQL 9.1, D8.9.20 2 fail PHP 7 & SQLite 3.14, D8.9.20 2 fail

We are currently working a project that require a SAML authentication and we choose this module (over SimpleSAMLphp) for simplicity.
We discovered a bit late that our IDP doesn't support HTTP-Redirect binding for sending login Authn Request. Also in our case, the request must be signed and with the certificate embeded.

So with @wengerk we worked on a patch.
It is not perfect but solve our issue.

I digged a bit in the OneLogin php-saml lib and it seems that HTTP-POST binding will not be implemented soon. One good reason avanced:

if you review Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0 Page 9, you will see that all IdPs MUST support the HTTP-Redirect binding, so you should experience any issue with IdPs that follows the SAML standard rules.

— pitbulk, main contributor of OneLogin PHP-SAML lib, on 27 Oct 2017 (source)

I found some interresting discussions:

Well, we have to deal with non fully standard IDP and I assume we are not alone :)

I understand that this kind of code (building and returning an HTML Form) doesn't fit well in a library and will increase the complexity (and support request). Still it "feel ok" in a component that use the lib as the work and changes was less than expected (see the patch).

Currently only Login is implemented under HTTP-POST binding but soon we will have to deal with the Logout too.
I'm really curious about your feedback on this!

Kind regards,
Gilles.

Comment #10

roderik

Dutch

Amsterdam,NL / Budapest,HU

CreditAttribution: roderik at Cheppers for Acquia commented 2 January 2022 at 16:34

Status:

Active

» Needs review

Wow, nice work. I'm going to set "Needs review" to indicate that there is a patch. (I could have set "needs work" but I don't have specific feedback.)

I'm unlikely to commit this though, before having some longer-term stability assurance in the form of functional tests that exercise test logins. (#3202137: Write tests) Otherwise this will break at some point, for lack of me testing it manually.
And the likelihood of those tests being written is... well, your guess is as good as mine...

Comment #11

DeFr CreditAttribution: DeFr commented 2 May 2023 at 16:52

I also need to deal with an IdP than only supports POST requests, so I've been trying out this patch, which seems to work.

This IdP requires the login requests to be signed too, so I was also very interested in the

$add_cert = $add_cert === 'FAKE' && !empty($library_config['httpPostBinding']) ? TRUE : $add_cert;

hunk ; can't figure out though how you can end up with $library_config['httpPostBinding'] being set as is though, I guess you have another custom patch to set it ? That's what I did, and with all that, the communication with the IdP seems to work fine.