
SAMLRequest Encoding for POST Versus REDIRECT Binding


Article ID: 215462


Products

CA Single Sign On Federation (SiteMinder)

Issue/Introduction

We have done a SAML integration with a 3rd party using HTTP-Redirect Authentication Request Binding. The SAMLRequest query parameter that is sent in the redirect is URL encoded, base64 encoded, but not XML deflated (compressed).  Sample data is given below.  The following error occurs in the FWSTrace.log for this request:

[04/27/2021][12:06:06][88767][95966976][15d9f69f-7b3bc80a-ada45b26-6be48a57-d825d117-6e6][SSO.java][doGet][Transaction with ID: 15d9f69f-7b3bc80a-ada45b26-6be48a57-d825d117-6e6 failed. Reason: BAD_SAML_REQUEST_ENCODING]

From this link (https://knowledge.broadcom.com/external/article/7847/http-status-400-bad-request-with-error.html) it appears that XML deflation is required when encoding the SAMLRequest query parameter for HTTP-Redirect binding.

Excerpt from that document: GET(REDIRECT) encoding,  which uses  DEFLATE compression method, its output will be accepted by CA SSO in HTTP GET

Can you confirm whether XML deflation is required in the encoding of the SAMLRequest query parameter?

Environment

Release : 12.8.03

Component : SiteMinder Federation(Federation Manager)

Resolution

For POST binding, SiteMinder expects the SAMLRequest to be Base64 encoded. For REDIRECT binding, the expectation is for Base64 and Deflate encoding.
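
The two encodings side by side, with a check that reports which one a given SAMLRequest value uses. This is an added Python example, not Broadcom or SiteMinder code; the sample AuthnRequest, its ID and the sp.example.com issuer are constructed, and the function names are hypothetical. The order used for REDIRECT (raw DEFLATE without a zlib header, then Base64, then URL encoding) is the one defined by the SAML 2.0 HTTP-Redirect binding.

```python
import base64
import zlib
from urllib.parse import quote, unquote

# Constructed sample AuthnRequest; the ID and issuer are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example123" Version="2.0" IssueInstant="2021-04-27T12:06:06Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)

def encode_post(xml: str) -> str:
    """HTTP-POST binding: Base64 only (the value travels in a form field)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then Base64, then URL-encode."""
    # wbits=-15 selects a raw RFC 1951 stream with no zlib header or checksum.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect(param: str) -> str:
    """Reverse encode_redirect: URL-decode, Base64-decode, inflate."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode("utf-8")

def classify(param: str) -> str:
    """Report how a SAMLRequest query-parameter value was encoded."""
    try:
        data = base64.b64decode(unquote(param), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not-base64"
    try:
        if zlib.decompress(data, -15).lstrip().startswith(b"<"):
            return "deflate+base64"
    except zlib.error:
        pass  # not a raw DEFLATE stream; check for plain XML next
    if data.lstrip().startswith(b"<"):
        return "base64-only"  # POST-style value sent on a redirect
    return "unknown"

if __name__ == "__main__":
    print(classify(encode_redirect(SAMPLE_XML)))              # correct for REDIRECT
    print(classify(quote(encode_post(SAMPLE_XML), safe="")))  # the case in this article
```

A value that classifies as base64-only on a redirect matches the request described in the Issue section: URL encoded and Base64 encoded, but not deflated.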