
After a short code review of php-saml, maintained by OneLogin, it looks like php-saml does not support HTTP-POST for the request being sent from the SP to the IdP when SSO is initialised.

Is that correct, or am I missing something?

If HTTP-POST is not supported for initial request:

  • shouldn't we be worrying that IdP might respond with "Error 413: Request Entity too large"?
  • what about infosec implications sending request via GET?

A bit more insight is much appreciated!

rock3t

1 Answer


In SAML "POST binding", no direct POST request is made from the SP to the IDP (or vice versa). The SP uses the client's browser as a conduit to deliver the SAML message to the IDP (and the same happens when the IDP responds).

Read more in this answer

And here's an example of SP-initiated SSO

By looking at the php-saml library, it looks like POST binding is supported.

Regarding the infosec implications: in case you pass sensitive data in your SAML request, there are several things you can do to increase security:

  • Encrypt SAML message data (Part of the SAML specifications)
  • Use artifact binding (look at Scott T.'s answer to understand the benefits of using artifact binding - https://stackoverflow.com/a/13618537/1163424)
  • And of course, always use SSL

Tomer Sela
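To make the answer's point concrete (the SP never opens a connection to the IdP; the browser carries the AuthnRequest either in a URL or in an auto-submitted form body), here is an added, self-contained example that is not php-saml's code and not part of the original thread. It builds a minimal SP-initiated AuthnRequest and encodes it both ways: the HTTP-Redirect binding (DEFLATE + base64 in the query string, so the message ends up in browser history and server logs) and the HTTP-POST binding (base64 in a hidden form field, carried in the request body). The entity IDs, URLs, request ID and timestamp are constructed placeholders, and the IdP-side decode functions are the inverse of each encoding, written here for the round trip rather than taken from any SAML library.

```python
"""Constructed example: SP-initiated SAML AuthnRequest carried by the
HTTP-Redirect and HTTP-POST bindings. Standard library only; not php-saml."""
import base64
import html
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (not a real deployment).
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/acs"
IDP_SSO_URL = "https://idp.example.test/sso"


def build_authn_request(request_id: str, issue_instant: str,
                        issuer: str = SP_ENTITY_ID,
                        acs_url: str = SP_ACS_URL,
                        destination: str = IDP_SSO_URL) -> str:
    """Minimal AuthnRequest. Every interpolated value is XML-escaped so a
    caller-supplied string cannot break out of the attribute it lands in."""
    e = html.escape
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{e(request_id)}" Version="2.0" IssueInstant="{e(issue_instant)}" '
        f'Destination="{e(destination)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{e(acs_url)}">'
        f'<saml:Issuer>{e(issuer)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def redirect_binding_url(xml: str, relay_state: Optional[str] = None,
                         idp_sso_url: str = IDP_SSO_URL) -> str:
    """HTTP-Redirect binding: raw DEFLATE + base64, URL-encoded into the query
    string. The whole message rides in the URL the browser is sent to, which is
    why it shows up in browser history, proxy logs and the IdP's access log."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_redirect_binding(url: str) -> Tuple[str, Optional[str]]:
    """IdP side of the redirect: parse the query, base64-decode, inflate."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def post_binding_fields(xml: str, relay_state: Optional[str] = None) -> dict:
    """HTTP-POST binding payload: base64 only, no DEFLATE."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def post_binding_form(xml: str, relay_state: Optional[str] = None,
                      idp_sso_url: str = IDP_SSO_URL) -> str:
    """The HTML page the SP returns to the browser: a hidden form that the
    browser auto-submits to the IdP. The SP itself never talks to the IdP, and
    the message travels in the POST body rather than in the URL."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in post_binding_fields(xml, relay_state).items()
    )
    return (
        '<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(idp_sso_url)}">{inputs}'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        '</form></body></html>'
    )


def decode_post_binding(form_fields: dict) -> Tuple[str, Optional[str]]:
    """IdP side of the POST: base64-decode the SAMLRequest form field."""
    xml = base64.b64decode(form_fields["SAMLRequest"]).decode("utf-8")
    return xml, form_fields.get("RelayState")


if __name__ == "__main__":
    req = build_authn_request("_req-0001", "2024-01-01T00:00:00Z")
    print(redirect_binding_url(req, "page=/dashboard"))
    print(post_binding_form(req, "page=/dashboard"))
```

Comparing the two outputs shows why the answer points at the browser as the conduit: neither binding has the SP connecting to the IdP, and in both the IdP only sees the message once the browser forwards it. Neither binding hides the message contents on its own, which is why the answer's list (encryption, artifact binding, TLS) is what actually addresses sensitive data in the request.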