Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I am trying to create SSO with an IDP which only supports HTTP-POST Binding. Based on the request structure I see here https://www.samltool.com/generic_sso_req.php, the requests are not posting ast HTTP-POST Binding as I don't see the SignedInfo or certificate data in the request (when I walk though the module code with a debugger.).
I have already set the 'Name ID Format' to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and have checked off all the sections in the Security section. What else and I missing?
Below is a sample request (urls changed) of what I have currently:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_1d3998bf5646997340f22b5fa1e229b6a605a5f6"
Version="2.0"
IssueInstant="2017-02-21T22:36:55Z"
Destination="https://example.org/SAML/SSOService.aspx"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="http://spexample.com/saml/acs">
<saml:Issuer>http://spexample.com/saml/metadata</saml:Issuer>
<samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Comments
Comment #2
jdesrig CreditAttribution: jdesrig commentedComment #3
roderikThe OneLogin SAML library does not support HTTP-POST binding. After seeing that it's just not there in the code, I came across https://github.com/onelogin/php-saml/issues/92 that says the same thing.
If you need to work with this IDP, you should probably use the simplesamlphp_auth module. SimpleSAMLphp is a bit more work to set up (since it's a standalone 'app' that needs to be reachable in your docroot / on another host)... but it + the 'wrapper' simplesamlphp_auth module support AuthnRequests over HTTP-POST.
Comment #4
awm CreditAttribution: awm commented@roderik wish I have seen this earlier... thanks
Comment #5
Antoine Lafontaine CreditAttribution: Antoine Lafontaine commentedNew versions of the Onelogin library seems to now support POST Bindings.Scratch that.
Comment #6
ElusiveMind CreditAttribution: ElusiveMind at ITCON Services Inc. commentedIt looks like as of OneLogin PHP-SAML v3.4.1 supports the POST bindings.
Comment #7
roderikI don't see a sign of that.
For completeness:
(Why? I think maybe because OneLogin had a reason to only want their IdP to consume GET requests, but responses must be POST according to the SAML standard and/or de facto established standard for SAML implementations. Is my guess.)
Comment #8
ElusiveMind CreditAttribution: ElusiveMind at ITCON Services Inc. commentedWell, I can absolutely say that using:
External Authentication and SAML Auth, it pulls in OneLogin v3.4.1 - and I have working eAuth/SAML implementations as per my work with USDA. So I have it working. I did have the HTTP_POST issue prior to using 3.4.1 so my report is experiential and not based on logs.
EDIT: I did have to use the 3.x-dev branch of SAML Auth.
Comment #9
gido CreditAttribution: gido at Antistatique commentedWe are currently working a project that require a SAML authentication and we choose this module (over SimpleSAMLphp) for simplicity.
We discovered a bit late that our IDP doesn't support HTTP-Redirect binding for sending login Authn Request. Also in our case, the request must be signed and with the certificate embeded.
So with @wengerk we worked on a patch.
It is not perfect but solve our issue.
I digged a bit in the OneLogin php-saml lib and it seems that HTTP-POST binding will not be implemented soon. One good reason avanced:
I found some interresting discussions:
Well, we have to deal with non fully standard IDP and I assume we are not alone :)
I understand that this kind of code (building and returning an HTML Form) doesn't fit well in a library and will increase the complexity (and support request). Still it "feel ok" in a component that use the lib as the work and changes was less than expected (see the patch).
Currently only Login is implemented under HTTP-POST binding but soon we will have to deal with the Logout too.
I'm really curious about your feedback on this!
Kind regards,
Gilles.
Comment #10
roderikWow, nice work. I'm going to set "Needs review" to indicate that there is a patch. (I could have set "needs work" but I don't have specific feedback.)
I'm unlikely to commit this though, before having some longer-term stability assurance in the form of functional tests that exercise test logins. (#3202137: Write tests) Otherwise this will break at some point, for lack of me testing it manually.
And the likelihood of those tests being written is... well, your guess is as good as mine...
Comment #11
DeFr CreditAttribution: DeFr commentedI also need to deal with an IdP than only supports POST requests, so I've been trying out this patch, which seems to work.
This IdP requires the login requests to be signed too, so I was also very interested in the
hunk ; can't figure out though how you can end up with $library_config['httpPostBinding'] being set as is though, I guess you have another custom patch to set it ? That's what I did, and with all that, the communication with the IdP seems to work fine.