ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

SP-initiated POST Binding in r12.0 SP3


Article ID: 41669


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



Our application works only as an SP, and responds to SP-initiated requests. This application would HTTP-POST a SAML request to SiteMinder and SAML response need to be generated in response to the SAML request. 
We were are not able to make it work through SAML Request sent from SP (Application), because it requires HTTP-POST. We have a work around by putting in the JSP to convert the SP initiated request to IDP initiated. But this does not work since the SP application is expecting InResponseTo attribute in each SAML response.



Siteminder Policy Server 12.0 SP3
Web Agent 12.0 QMR03 



This issue is related to the fact that in version 12.0 of Siteminder, there is only HTTP-REDIRECT binding for SP-initiated SAML requests. In addition, the InResponseTo attribute is never populated in an IdP-initiated request, because of the unsolicited nature of an IdP request.



In your .jsp page, instead of forcing it to be an IdP request, convert the HTTP-POST SAMLREQUEST parameter into HTTP-REDIRECT 

1) Decode SAML request using the HTTP-POST binding decoding method
2) Re-encode the SAML request using HTTP-REDIRECT binding

You should then be able to construct a URL like this: 


This will do the work of "converting" the binding to one that is compatible with an application that requires HTTP-POST. 

Additional Information:

 Example of an online tool to encode/decode SAML requests:




Component: SMFED