SAML IDP Protocol Bindings
Describes the supported protocol bindings for SAML requests and responses in the SAML IDP Profile.
Supported Protocol Bindings#
The SAML protocol defines different messages as well as the means by which these messages can be transported between the different SAML parties. These means are referred to as Protocol Bindings. The SAML IDP Profile supports the following Protocol Bindings:
| Protocol Binding | Request | Response | Description |
|---|---|---|---|
| Redirect | Yes | Yes | The SAML message is DEFLATE-compressed, base64-encoded and sent as a URL query parameter (`SAMLRequest` or `SAMLResponse`) in an HTTP redirect. |
| POST | Yes | Yes | The SAML message is base64-encoded and sent as a hidden form field (`SAMLRequest` or `SAMLResponse`) in an HTTP POST. |
| Artifact | No | Experimental | The SAML message is referenced by an artifact that is sent as a URL query parameter (Redirect) or form field (POST); the artifact is resolved into the actual message on a separate endpoint. |
Different bindings have different consequences. The Redirect binding carries the (compressed and base64-encoded)
message in the query string, so it is subject to URL length limits, and the message and any RelayState are visible in
the address bar, browser history, Referer headers and web server or proxy logs. The Redirect binding also signs the
query string itself (the `SigAlg` and `Signature` parameters), whereas the POST binding carries an XML Signature inside
the message. The POST binding does not have the size and visibility limitations, but requires the user-agent to
support form submission and, in practice, JavaScript: the form for the POST binding is rendered as an HTML form with a
script that submits it automatically.
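The following is an added example that shows the two encodings side by side; it is not code from the SAML IDP Profile. It encodes a constructed sample AuthnRequest for the Redirect binding (raw DEFLATE, base64, URL query parameter) and for the POST binding (base64 in a hidden form field, auto-submitted by a script), and decodes both again. The request XML, the IDs and the endpoint URLs are made-up sample data.

```python
"""Encode and decode a SAML AuthnRequest for the Redirect and POST bindings.

Added example for this page, not code from the SAML IDP Profile; the request
XML, IDs and endpoint URLs are constructed sample data.
"""
import base64
import html
import zlib
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest; the ID, IssueInstant and URLs are made up.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/saml/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def redirect_encode(xml: str, endpoint: str, relay_state: Optional[str] = None) -> str:
    """Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string.

    Everything in the returned URL (message and RelayState) ends up in the browser
    history, in Referer headers and in the receiving server's access log.
    """
    # wbits=-15 gives a raw DEFLATE stream without the zlib header, as the binding requires.
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{endpoint}?{urlencode(params)}"


def redirect_decode(url: str) -> str:
    """Inverse of redirect_encode: URL-decode, base64-decode, inflate."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, wbits=-15).decode("utf-8")


def post_fields(xml: str, relay_state: Optional[str] = None) -> Dict[str, str]:
    """POST binding: base64 only (no compression), carried as hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def post_form_html(endpoint: str, fields: Dict[str, str]) -> str:
    """Render the auto-submitting form the user-agent receives for the POST binding."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(name)}" value="{html.escape(value)}"/>'
        for name, value in fields.items()
    )
    return (
        '<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(endpoint)}">{inputs}'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


def post_decode(saml_request_field: str) -> str:
    """Inverse of post_fields for the SAMLRequest field."""
    return base64.b64decode(saml_request_field).decode("utf-8")


if __name__ == "__main__":
    url = redirect_encode(AUTHN_REQUEST, "https://idp.example.test/saml/sso", "state-123")
    print(f"Redirect URL ({len(url)} chars): {url}")
    print(post_form_html("https://idp.example.test/saml/sso", post_fields(AUTHN_REQUEST, "state-123")))
```

Running the block prints the full redirect URL, which makes the visibility problem concrete: the entire request is in the address bar. Signatures are deliberately left out; with the Redirect binding they would be separate `SigAlg` and `Signature` query parameters, with the POST binding an XML Signature inside the document.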
Request Bindings#
The allowed bindings for inbound SAML messages (i.e. the messages that the SAML IDP Profile receives) can be configured
on the SAML IDP Profile. By default, both the Redirect and POST bindings are enabled for receiving SAML messages.
In addition, the allowed bindings can be restricted for specific Service Providers by configuring them directly in the Service Provider configuration. This makes it possible to enforce that a specific Service Provider can only use a specific binding.
Response Bindings#
The allowed bindings for outbound SAML messages (i.e. the messages that the SAML IDP Profile sends) are determined
dynamically based on the Service Provider configuration. Each Service Provider configuration can specify which binding
it wants to use for receiving SAML messages from the SAML IDP Profile through the Assertion Consumer Service
configuration. Here, the Service Provider can specify multiple Assertion Consumer Services, each with their own
destination (the URL) as well as which binding to use when sending messages to that destination.
When the SAML IDP Profile needs to send a message to the Service Provider, the binding that is used depends on:
- the Assertion Consumer Service that is specified in the original authentication request from the Service Provider (either by URL and ProtocolBinding, or by index), or
- if no Assertion Consumer Service is specified in the request, the first Assertion Consumer Service that is configured for the Service Provider.
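The selection rule above, as an added example that is not the SAML IDP Profile's own code. The Service Provider configuration (two Assertion Consumer Services, one per binding) and the request values are constructed sample data. One detail is an assumption taken from the SAML 2.0 Profiles specification rather than from this page: an Assertion Consumer Service named in the request is only honoured if it exactly matches one configured for that Service Provider; otherwise the request is rejected rather than answered to an arbitrary URL.

```python
"""Choose the Assertion Consumer Service (destination URL and binding) for an
outbound SAML message from the request and the Service Provider configuration.

Added example for this page, not the SAML IDP Profile's own code. The Service
Provider configuration and request values are constructed sample data. The
match-or-reject rule for an ACS named in the request is an assumption taken from
the SAML 2.0 Profiles specification, not something this page states.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


@dataclass(frozen=True)
class AssertionConsumerService:
    index: int
    binding: str
    location: str


@dataclass(frozen=True)
class ServiceProvider:
    entity_id: str
    # Configured order matters: the first entry is used when the request names none.
    acs: Tuple[AssertionConsumerService, ...]


@dataclass(frozen=True)
class RequestedACS:
    """ACS-related attributes of an inbound AuthnRequest; each one is optional."""
    url: Optional[str] = None               # AssertionConsumerServiceURL
    protocol_binding: Optional[str] = None  # ProtocolBinding
    index: Optional[int] = None             # AssertionConsumerServiceIndex


class ACSSelectionError(ValueError):
    """Raised when the request names an ACS the Service Provider has not configured."""


def select_acs(sp: ServiceProvider, req: RequestedACS) -> AssertionConsumerService:
    if req.index is not None and (req.url is not None or req.protocol_binding is not None):
        # SAML Core makes the index mutually exclusive with URL and ProtocolBinding.
        raise ACSSelectionError("AssertionConsumerServiceIndex cannot be combined with URL/ProtocolBinding")
    if req.index is not None:
        for acs in sp.acs:
            if acs.index == req.index:
                return acs
        raise ACSSelectionError(f"no ACS with index {req.index} configured for {sp.entity_id}")
    if req.url is not None:
        # Exact string match only: answering to any other URL would hand the assertion
        # to whoever placed that URL in the request.
        for acs in sp.acs:
            if acs.location == req.url and (req.protocol_binding is None or acs.binding == req.protocol_binding):
                return acs
        raise ACSSelectionError(f"ACS {req.url!r} with binding {req.protocol_binding} not configured for {sp.entity_id}")
    # Nothing (or only a ProtocolBinding, which alone does not identify an ACS) was
    # specified: fall back to the first configured Assertion Consumer Service.
    return sp.acs[0]


def rejects(sp: ServiceProvider, req: RequestedACS) -> bool:
    """True if select_acs refuses the request instead of picking an ACS."""
    try:
        select_acs(sp, req)
    except ACSSelectionError:
        return True
    return False


# Constructed sample Service Provider with one ACS per binding.
SAMPLE_SP = ServiceProvider(
    entity_id="https://sp.example.test",
    acs=(
        AssertionConsumerService(0, POST, "https://sp.example.test/saml/acs"),
        AssertionConsumerService(1, REDIRECT, "https://sp.example.test/saml/acs-redirect"),
    ),
)

if __name__ == "__main__":
    print(select_acs(SAMPLE_SP, RequestedACS()))
    print(select_acs(SAMPLE_SP, RequestedACS(index=1)))
    print(rejects(SAMPLE_SP, RequestedACS(url="https://attacker.example.test/acs")))
```

The comparison of the requested URL with the configured location is a plain string comparison on purpose: any normalisation (case folding, trailing slashes, default ports) widens the set of URLs a response can be sent to and should only be added deliberately.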
Note on Artifact Binding#
Full support for the Artifact binding is still pending in version 10.6: it is not accepted for inbound requests, and its use for responses is experimental (see the table above).