Federation metadata exports BOTH HTTP-Redirect and HTTP-Post Bindings even though we selected ONLY HTTP-Post Binding in the Federation Partnership.
------ Detailed Usecase:
When creating a SAML2 Federation partnership, we select the following options in the SSO section:
- FLOW: Partnership Federation - Partnerships - Create Partnership - SSO and SLO section:
- Authentication Request Binding -> only HTTP-Post is selected
- SSO Binding -> only HTTP-Post is selected
- But when we export the METADATA, the metadata file has two bindings, as shown below: HTTP-Redirect and HTTP-Post, even though we selected ONLY the HTTP-Post Binding in the Federation Partnership.
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://testentity.com/affwebservices/public/saml2sso"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://testentity.com/affwebservices/public/saml2sso"/>
CA SiteMinder (AKA Symantec SiteMinder) 12.8 SP4 environment
- Why are we getting the HTTP-Redirect binding in the metadata even though we select ONLY the HTTP-POST binding when creating the Federation Partnership?
- The "HTTP-Redirect" binding is basically a GET request to the Federation Web Services, so when partners exchange this metadata it sometimes leads to issues: the Authentication Request Binding is mismatched between the two partnerships, and HTTP GET authentication requests are allowed as well instead of ONLY POST authentication requests.
- We expect the metadata to be exported without the HTTP-Redirect binding, as configured in the Partnership.
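The following check is an added example, not part of the original article or the SiteMinder product: it compares the SingleSignOnService bindings advertised in an exported metadata file with the bindings selected in the partnership. The function name, the entityID and the wrapper elements around the two endpoint lines are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
POST = BINDING_PREFIX + "HTTP-POST"
REDIRECT = BINDING_PREFIX + "HTTP-Redirect"

# Constructed sample: the two SingleSignOnService lines are the ones shown in
# the export above; the entityID and wrapper elements are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="testentity">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://testentity.com/affwebservices/public/saml2sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://testentity.com/affwebservices/public/saml2sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_sso_bindings(metadata_xml, allowed=(POST,), service="SingleSignOnService"):
    """Compare the bindings advertised for `service` with the configured set.

    Returns (unexpected, missing): unexpected is a list of (binding, location)
    endpoints the partnership did not select; missing is the sorted list of
    selected bindings that the export does not advertise at all.
    """
    if "<!DOCTYPE" in metadata_xml:
        # Metadata is partner-supplied input; SAML metadata never needs a DTD.
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(metadata_xml)
    advertised = [
        (el.get("Binding"), el.get("Location"))
        for el in root.iter()
        if local_name(el.tag) == service
    ]
    unexpected = [(b, loc) for b, loc in advertised if b not in allowed]
    missing = sorted(set(allowed) - {b for b, _ in advertised})
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit_sso_bindings(SAMPLE_METADATA)
    for binding, location in unexpected:
        print("unexpected binding:", binding, "->", location)
    for binding in missing:
        print("configured binding not exported:", binding)
```

Running the same check on the export produced after the fix is deployed should return an empty `unexpected` list when only HTTP-POST is selected.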
----- Solution:
We have a DEV FIX/PATCH ("DE510572") to resolve this issue, which we received internally from the SE Engineering team.
Kindly find the attached DEV FIX from the Defect.
Then follow the instructions outlined in "readme.txt" inside the attached zip file to deploy the binaries.
This DEV FIX/PATCH helps to resolve the reported issue.
If you observe this issue in the 12.8 SP2 and/or 12.8 SP4 release, please open a support ticket so that we can provide you the required PATCH ("DE510572").
Also, kindly note that the SE Engineering team will fix this issue in the upcoming releases.