POST binding should not use compression by default #676

Open
johnnyshields opened this issue Jan 9, 2024 · 0 comments
johnnyshields commented Jan 9, 2024

Background

According to the SAML spec, deflate compression should only be used in the Redirect binding, because we want to reduce the length of the URL string. For the POST binding, there's no need to use compression (your server request should probably be gzipped anyway).

This is important, because some SAML IdP providers like PingFederate don't support compression on POST binding: https://support.pingidentity.com/s/topic/0TO1W000000IESfWAO/deflate

Current Spec

Currently, there are two parameters which control compression:

  • compress_request - Applies to AuthN request and SLO request
  • compress_response - Applies to SLO response

Proposed Change

I think these parameters should be removed, and instead we should simply control compression based on whether the binding is Redirect (if so, enable) or POST (if so, disable).

@johnnyshields johnnyshields changed the title POST binding should not use compression by default. POST binding should not use compression by default Jan 9, 2024
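
A sketch of the binding-based rule proposed in the issue above, added here as an example; it is not code from the issue or from the project. The module, the method names and the sample request are assumptions made for illustration.

```ruby
require "zlib"
require "uri"

# Hypothetical helper (not the project's API): the binding alone decides
# whether a SAML message is deflated before it is base64-encoded.
module SamlBindingEncoding
  REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  POST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

  module_function

  # Raw DEFLATE: negative window bits omit the zlib header and checksum.
  def raw_deflate(data)
    zstream = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
    zstream.deflate(data, Zlib::FINISH)
  ensure
    zstream&.close
  end

  def raw_inflate(data)
    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
    zstream.inflate(data)
  ensure
    zstream&.close
  end

  # Redirect: deflate, base64, URL-encode. POST: base64 only.
  def encode(xml, binding)
    case binding
    when REDIRECT then URI.encode_www_form_component([raw_deflate(xml)].pack("m0"))
    when POST     then [xml].pack("m0")
    else raise ArgumentError, "unsupported binding: #{binding}"
    end
  end

  # Receiver side: inflate only what arrived over the Redirect binding.
  def decode(value, binding)
    bytes = case binding
            when REDIRECT then raw_inflate(URI.decode_www_form_component(value).unpack1("m"))
            when POST     then value.unpack1("m")
            else raise ArgumentError, "unsupported binding: #{binding}"
            end
    bytes.force_encoding(Encoding::UTF_8)
  end
end

# Constructed sample message, not taken from the issue.
SAMPLE_REQUEST = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed1" Version="2.0"/>'

# What a POST endpoint that never inflates sees after base64-decoding the form field.
def post_receiver_sees_xml?(form_value)
  form_value.unpack1("m").start_with?("<")
end
```

A deflated payload sent over POST base64-decodes to compressed bytes rather than XML, which is the interoperability failure the issue describes for IdPs that do not support compression on the POST binding.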