johnnyshields changed the title from "POST binding should not use compression by default." to "POST binding should not use compression by default" on Jan 9, 2024
Background
According to the SAML spec, deflate compression should only be used in the Redirect binding, because we want to reduce the length of the URL string. For the POST binding, there's no need to use compression (your server request should probably be gzipped anyway).
This is important, because some SAML IdP providers like PingFederate don't support compression on POST binding: https://support.pingidentity.com/s/topic/0TO1W000000IESfWAO/deflate
Current Spec
Currently, there are two parameters which control compression:
- compress_request - Applies to AuthN request and SLO request
- compress_response - Applies to SLO response
Proposed Change
I think these parameters should be removed, and instead we should simply control compression based on whether the binding is redirect (if so, enable) or POST (if so, disable).
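The binding-driven rule proposed above (DEFLATE only for Redirect, plain base64 for POST), sketched as an added example that is not part of the original issue or of the library's own code. The helper names, the sample message and the 256 KiB inflate cap are assumptions made for illustration.

```ruby
require "zlib"
require "uri"

# Added example: hypothetical helper names, not ruby-saml's API.
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
MAX_INFLATED     = 256 * 1024 # assumed upper bound for one SAML message
# Constructed sample message, not taken from a real deployment.
SAMPLE_AUTHN = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"/>'

# Redirect: raw DEFLATE -> base64 -> URL-encode. POST: base64 only.
def encode_saml_message(xml, binding)
  case binding
  when BINDING_REDIRECT
    z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS) # no zlib header
    deflated = z.deflate(xml, Zlib::FINISH)
    z.close
    URI.encode_www_form_component([deflated].pack("m0"))
  when BINDING_POST
    [xml].pack("m0") # strict base64, the value of the hidden form field
  else
    raise ArgumentError, "unsupported binding: #{binding}"
  end
end

# Inflate with a hard output cap so a small parameter cannot expand without limit.
def inflate_bounded(raw, limit = MAX_INFLATED)
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = String.new
  z.inflate(raw) do |chunk|
    out << chunk
    raise ArgumentError, "inflated message exceeds #{limit} bytes" if out.bytesize > limit
  end
  out
ensure
  z&.close
end

# The receiver picks the decoding from the binding it was reached on, not by guessing.
def decode_saml_message(value, binding)
  xml = case binding
        when BINDING_REDIRECT
          inflate_bounded(URI.decode_www_form_component(value).unpack1("m0"))
        when BINDING_POST
          value.unpack1("m0")
        else
          raise ArgumentError, "unsupported binding: #{binding}"
        end
  xml.force_encoding("UTF-8")
end
```

Because the decoder keys off the binding instead of a separate compression flag, a POST message is never passed to the inflater, and Redirect input is bounded before it reaches the XML parser.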