How to implement HTTP-REDIRECT protocol binding? #328

slavab89 · 2023-10-01T12:28:07Z

slavab89
Oct 1, 2023

We are successfully using SAML and implementing the redirect protocol. However, one of the IDP that we're testing against is more strict as it verifies the ProtocolBinding option.
From the codebase, it seems that its being set to HTTP-POST without any option to change it.
https://github.com/node-saml/node-saml/blob/master/src/saml.ts#L215
There does seem to be a constructor option for autnRequestBinding at https://github.com/node-saml/node-saml/blob/master/src/saml.ts#L147 but it doesn't seem to be utilized anywhere?

What am i missing?

Answered by srd90

Oct 2, 2023

First of all at the time when this discussion was started master pointed to version e691ccf39b9f3521268fc31b8b8f099beae4654c so here is your question re-written so that links pointing to master are replaced with links pointing to exact version in order to preserve situation for anyone who lands this discussion in the future (and after content of master branch has evolved):

We are successfully using SAML and implementing the redirect protocol. However, one of the IDP that we're testing against is more strict as it verifies the ProtocolBinding option.
From the codebase, it seems that its being set to HTTP-POST without any option to change it.

node-saml/src/saml.ts

Line 215 in e691ccf

View full answer

srd90 · 2023-10-02T02:05:40Z

srd90
Oct 2, 2023

First of all at the time when this discussion was started master pointed to version e691ccf39b9f3521268fc31b8b8f099beae4654c so here is your question re-written so that links pointing to master are replaced with links pointing to exact version in order to preserve situation for anyone who lands this discussion in the future (and after content of master branch has evolved):

We are successfully using SAML and implementing the redirect protocol. However, one of the IDP that we're testing against is more strict as it verifies the ProtocolBinding option.
From the codebase, it seems that its being set to HTTP-POST without any option to change it.

node-saml/src/saml.ts

Line 215 in e691ccf

"@ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",

There does seem to be a constructor option for autnRequestBinding at

node-saml/src/saml.ts

Line 147 in e691ccf

authnRequestBinding: ctorOptions.authnRequestBinding ?? "HTTP-Redirect",

but it doesn't seem to be utilized anywhere?

What am i missing?

About this part of your question:

...
From the codebase, it seems that its being set to HTTP-POST without any option to change it.

node-saml/src/saml.ts

Line 215 in e691ccf

"@ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",

...

See SAML specifications (list is provided e.g. here: #326 (comment) ).

IMHO you are missing that based on Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 Chapter 3.4 Authentication Request Protocol (lines 1968 - 2323 of that document) ProtocolBindingis used at AuthnRequest to (quote from lines 2068 - 2072 of previously mentioned document):

ProtocolBinding [Optional]
A URI reference that identifies a SAML protocol binding to be used when returning the <Response>
message. See [SAMLBind] for more information about protocol bindings and URI references defined
for them. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute
and is typically accompanied by the AssertionConsumerServiceURL attribute.

i.e. it tells which binding of the ACS at the SP side should be used when IdP delivers response.

@node-saml/node-saml (and @node-saml/passport-saml) supports at the moment only HTTP-POST binding for authn responses. So there is no need to have that configurable. Quote from #316 (comment)

...
node-saml (and passprot-saml) supports at the moment implementation of SAML 2.0 Web SSO profile. Web SSO profile defines 2 bindings for ACS endpoint (HTTP POST and HTTP Artifact, see SAML 2.0 Profiles spec lines 421-425 and 483-502).

Furthermore node-saml (and passport-saml) supports at the moment only HTTP POST binding for ACS.
...

and about this part of your question:

...
There does seem to be a constructor option for autnRequestBinding at

node-saml/src/saml.ts

Line 147 in e691ccf

authnRequestBinding: ctorOptions.authnRequestBinding ?? "HTTP-Redirect",

but it doesn't seem to be utilized anywhere?
...

It seems that @node-saml/node-saml is not using it internally, but e.g. @node-saml/passport-saml's SAML strategy use that value to choose between redirect and http post biding when sending authnrequest to IdP (do not mix this with SP side ACS binding mentioned earlier). Link to @node-saml/passport-saml 4.0.4 version's code:
https://github.com/node-saml/passport-saml/blob/0c2ccedf47076b0c8d68452eeb90af1465a20262/src/strategy.ts#L197-L204

about this:

...However, one of the IDP that we're testing against is more strict as it verifies the ProtocolBinding option.

Have you configured (with SAML metadata or manually) different protocol binding to IdP side for your SP (e.g. artifact binding) or maybe incorrect ACS URL?

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to implement HTTP-REDIRECT protocol binding? #328

{{title}}

Replies: 1 comment

{{title}}

Select a reply

How to implement HTTP-REDIRECT protocol binding? #328

slavab89 Oct 1, 2023

Replies: 1 comment

srd90 Oct 2, 2023

slavab89
Oct 1, 2023

srd90
Oct 2, 2023