partnership federation supports GET method on SAML Authn request

Article ID: 187650

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 
We're running a CA Access Gateway (SPS) and when the Service Provider
(SP) sends an HTTP POST Binding AuthnRequest, the transaction fails
and CA Access Gateway (SPS) reports the error:

  [02/24/2020][10:42:34][2367][82][21474121-b1b66261-26c75c0d-420cf956-ec227e76-43f][SSO.java][doGet][Transaction with ID: 21474121-b1b66261-26c75c0d-420cf956-ec227e76-43f failed. Reason: NO_SAML_REQUEST_OR_SPID]

  [02/24/2020][10:42:34][2367][82][21474121-b1b66261-26c75c0d-420cf956-ec227e76-43f][SSO.java][doGet][Ending SAML2 Single Sign-On Service request processing with HTTP error 400]

Why do we get this error? Do Legacy and Partnership Federation support
the HTTP GET method for the SAML AuthnRequest?
 

Environment

 
Policy Server all versions
 

Resolution

 
Both the Legacy and Partnership Federation models accept the SAML
AuthnRequest over HTTP GET (HTTP-Redirect binding) as well as over HTTP
POST (HTTP-POST binding), so the HTTP method by itself is not the cause.

Note what the log actually says: the failure is reported from doGet with
reason NO_SAML_REQUEST_OR_SPID, i.e. the Single Sign-On Service received
a GET that carried neither a SAMLRequest nor an SPID parameter. This
error is typically due to the Session Store not handling the transaction
data correctly, as described in these knowledge documents:

  SP(Salesforce & Tableau) Initiated calls are being failed with 400 Error.
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=136754

  SP-Initiated POST request results in 400 Error
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=37629
 
An AuthnRequest can be delivered to the IdP Single Sign-On Service by
either HTTP method. Which method is used is independent of the binding
the SP asks for in the request's ProtocolBinding attribute (HTTP-POST for
the Response, in both samples below).

The SAMLRequest parameter travels differently depending on the HTTP
method:

GET (HTTP-Redirect binding):

  The SAMLRequest is DEFLATE-compressed, base64-encoded and URL-encoded
  into the query string of the redirect URL, together with RelayState
  and, if the request is signed, the Signature and SigAlg parameters.

POST (HTTP-POST binding):

  The SAMLRequest is base64-encoded and sent as a form field in the
  application/x-www-form-urlencoded request body (not as an HTTP header);
  a signature, if present, is an XML Signature inside the request itself.

Both HTTP methods are supported.
 
Two examples follow.

Sample of an AuthnRequest delivered by POST (HTTP-POST binding):

  SP-initiated Single Sign-On POST

    POST /SAML2/SSO/POST HTTP/1.1
    Host: idp.example.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: nnn

    SAMLRequest=request&RelayState=token

  http://saml.xml.org/wiki/sp-initiated-single-sign-on-postartifact-bindings
 
Sample of an AuthnRequest delivered by GET (HTTP-Redirect binding) that
asks for the Response to be returned with the HTTP-POST binding:

HTTP-Redirect Binding SAML Request

  The redirect url is

  http://idp.example.com/SSOService.php?SAMLRequest={val1}&Signature={val2}&SigAlg={val3}

  with my SAMLRequest (without signature):

  <samlp:AuthnRequest ID="" Version="2.0" IssueInstant="2015-05-22T02:47:38Z"
      Destination="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      AssertionConsumerServiceURL=""
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />
      <samlp:RequestedAuthnContext Comparison="exact">
          <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
  </samlp:AuthnRequest>
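As an added example (not from this article and not SiteMinder code), the
following Python script builds an AuthnRequest like the one above, encodes
it for both delivery methods (HTTP-Redirect: DEFLATE + base64 + URL-encoding
in the query string; HTTP-POST: base64 in the form body), and models the
IdP SSO endpoint check that yields NO_SAML_REQUEST_OR_SPID when neither a
SAMLRequest nor an SPID parameter arrives. The SP/IdP URLs, the SP entity
ID and the IDP_INITIATED result label are assumptions; the request is
unsigned, so the Signature/SigAlg parameters of a signed redirect are not
produced.

```python
"""Toy model of the two SAML 2.0 AuthnRequest delivery methods and of the
IdP-side SSO endpoint check behind NO_SAML_REQUEST_OR_SPID.

Constructed example, not SiteMinder code. All URLs and entity IDs are
hypothetical; the request is unsigned.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Hypothetical SP and IdP endpoints (assumptions, not from the article).
SP_ENTITY_ID = "https://sp.example.com/saml"
IDP_SSO_URL = "https://idp.example.org/SAML2/SSO"
ACS_URL = "https://sp.example.com/saml/acs"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id, issue_instant):
    """Build an unsigned AuthnRequest asking for the Response via HTTP-POST.

    ProtocolBinding tells the IdP how to return the Response; it says
    nothing about how this request itself is transported to the IdP.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": HTTP_POST_BINDING,
        "AssertionConsumerServiceURL": ACS_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    # AuthnContextClassRef is a child of RequestedAuthnContext, not a sibling.
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = (
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(xml, relay_state):
    """HTTP-Redirect binding (GET): raw DEFLATE -> base64 -> URL-encode, in the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"


def post_binding_body(xml, relay_state):
    """HTTP-POST binding: base64 only, as a form field in the body (never an HTTP header)."""
    return urlencode({
        "SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii"),
        "RelayState": relay_state,
    })


def idp_sso_service(method, url, body=""):
    """Model of the IdP SSO endpoint. Returns (http_status, result).

    result is the parsed AuthnRequest element on success, otherwise a reason
    string modelled on the SPS log: NO_SAML_REQUEST_OR_SPID when neither a
    SAMLRequest nor an SPID parameter is present in the request.
    """
    if method == "GET":
        params = parse_qs(urlparse(url).query)
    elif method == "POST":
        params = parse_qs(body)
    else:
        return 405, "METHOD_NOT_ALLOWED"

    raw = params.get("SAMLRequest", [None])[0]
    if raw is None:
        if "SPID" in params:          # IdP-initiated flow; label is an assumption
            return 200, "IDP_INITIATED:" + params["SPID"][0]
        return 400, "NO_SAML_REQUEST_OR_SPID"

    decoded = base64.b64decode(raw)
    # Redirect-binding payloads are deflated; POST-binding payloads are not.
    xml_bytes = zlib.decompress(decoded, -15) if method == "GET" else decoded
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return 400, "NOT_AN_AUTHNREQUEST"
    return 200, root


if __name__ == "__main__":
    xml = build_authn_request("_a1b2c3d4", "2015-05-22T02:47:38Z")
    print(idp_sso_service("GET", redirect_binding_url(xml, "token"))[0])            # 200
    print(idp_sso_service("POST", IDP_SSO_URL, post_binding_body(xml, "token"))[0])  # 200
    print(idp_sso_service("GET", IDP_SSO_URL + "?RelayState=token"))  # (400, 'NO_SAML_REQUEST_OR_SPID')
```

Feeding the same XML through both encoders and then through the endpoint
shows that the method only changes the transport of the SAMLRequest; the
ProtocolBinding inside the request still asks for an HTTP-POST Response in
both cases. A GET or POST that reaches the endpoint with the parameter
stripped (as when a lost or mishandled transaction is replayed without its
data) is the situation the SPS log line describes.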