How to send a SAML Request?


It depends on which binding you are supposed to use. The IdP documentation or metadata should mention that. There are several:

  • Redirect Binding (using a GET), by far the most common for Requests
  • POST Binding
  • Artifact Binding (more complex, but I have never seen it used for Requests)
  • ...

I suppose that Redirect Binding will be used in your case (EDIT: you added the metadata from your IdP, it mentions that you can use both Redirect and POST bindings). It is described here: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf page 15.

Short version: you must first use the DEFLATE algorithm to compress your XML Request, encode it using base64, encode it using URL encoding, then pass it as a query parameter named SAMLRequest:

?SAMLRequest=<your url-encoded base64-encoded deflated authnrequest>

https://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Request.3B_IdP_POST_Response

Author: Gobliins

Updated on June 04, 2022
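Worked example of both bindings named in the answer (Redirect: DEFLATE, base64, URL-encode; POST: base64 only), added here as an illustration. It is not code from the original answer, nor the poster's OpenSAML/HttpClient code, and it is in Python rather than Java because the encoding steps are the point. The AuthnRequest XML, its ID, IssueInstant, Issuer and SP URLs are constructed for this example; only the IdP endpoint https://myidp/saml2 comes from the metadata quoted in the question. It also includes the decoding an IdP performs, so the round trip can be checked offline.

```python
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest for this example: the ID, IssueInstant,
# Issuer and SP URLs are made up; only the IdP endpoint comes from the
# metadata quoted in the question.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" '
    'IssueInstant="2022-06-04T00:00:00Z" '
    'Destination="https://myidp/saml2" '
    'AssertionConsumerServiceURL="https://sp.example/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_raw(xml: str) -> bytes:
    """DEFLATE (RFC 1951) with no zlib header or trailer, as the Redirect binding requires.

    wbits=-15 makes zlib emit a raw DEFLATE stream; the default wbits would add a
    2-byte zlib header and an Adler-32 trailer, which IdPs reject.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(xml.encode("utf-8")) + comp.flush()


def is_raw_deflate(data: bytes) -> bool:
    """Sanity check: data inflates as raw DEFLATE but not as a zlib-wrapped stream."""
    try:
        zlib.decompress(data)  # succeeds only if a zlib header is present
        return False
    except zlib.error:
        pass
    try:
        zlib.decompress(data, -15)
        return True
    except zlib.error:
        return False


def redirect_binding_url(sso_url: str, xml: str, relay_state=None) -> str:
    """HTTP-Redirect binding: DEFLATE -> base64 -> URL-encode -> ?SAMLRequest=..."""
    b64 = base64.b64encode(deflate_raw(xml)).decode("ascii")
    # safe="" so that '+', '/' and '=' in the base64 text are percent-encoded too.
    query = "SAMLRequest=" + urllib.parse.quote(b64, safe="")
    if relay_state is not None:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return sso_url + ("&" if "?" in sso_url else "?") + query


def post_binding_form(xml: str, relay_state=None) -> dict:
    """HTTP-POST binding: base64 only, sent as the form field SAMLRequest."""
    form = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def decode_redirect_url(url: str) -> str:
    """What the IdP does on receipt: URL-decode, base64-decode, inflate (raw)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def decode_post_form(form: dict) -> str:
    """What the IdP does with a POST-bound request: base64-decode the field."""
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


if __name__ == "__main__":
    url = redirect_binding_url("https://myidp/saml2", SAMPLE_AUTHN_REQUEST, "app-state")
    print(url)
    print("redirect round trip ok:", decode_redirect_url(url) == SAMPLE_AUTHN_REQUEST)
    form = post_binding_form(SAMPLE_AUTHN_REQUEST)
    print("post round trip ok:", decode_post_form(form) == SAMPLE_AUTHN_REQUEST)
```

The string returned by redirect_binding_url is exactly what the browser (or, in the poster's setup, HttpClient) requests with a GET; the dict from post_binding_form is sent as an application/x-www-form-urlencoded POST body to the same SingleSignOnService Location. Two caveats the page does not cover: RelayState, if used, is limited to 80 bytes by the bindings spec, and if the IdP requires signed requests the Redirect binding carries the signature in separate SigAlg and Signature query parameters computed over the encoded query string (any ds:Signature element must be removed from the XML before deflating), while the POST binding keeps the XML signature inside the document.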

Comments

  • Gobliins
    Gobliins about 2 years

    I want to send a SAML request to my IdP (Azure AD) but I am not sure how to send the request at all.

    First I used OpenSAML to build an AuthnRequest, which I encoded as a String.

    Now I wanted to use Apache HttpClient to send the request and read the response, and I am not sure if OpenSAML provides HTTP sending methods at all, so my idea was to use Apache's HttpClient for this for now.

    import org.apache.http.HttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;
    
    // encoded AuthnRequest built with OpenSAML (generateAuthRequest is defined elsewhere)
    String encodedAuthRequest = generateAuthRequest();
    String url = "http://myidp/samlendpoint";
    String USER_AGENT = "MySamlClient/1.0"; // placeholder value
    CloseableHttpClient client = HttpClientBuilder.create().build();
    HttpGet request = new HttpGet(url);
    
    // add request header
    request.addHeader("User-Agent", USER_AGENT);
    
    // what else is to be added?
    
    HttpResponse response = client.execute(request);
    client.close();
    

    I am stuck now since I am not sure how to set up the request: does it need to be a query parameter like ?saml=.... in GET, or do I have to put the encoded SAML response in the body as POST?

    Can someone help or clarify this issue?

    Update from Guillaume's answer:

    I have this from the IdP's metadata:

    <IDPSSODescriptor>
        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://myidp/saml2" />
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://myidp/saml2" />
    
  • Gobliins
    Gobliins over 7 years
    I have added some info to my Question.
  • Guillaume
    Guillaume over 7 years
    So you can use either Redirect or POST bindings, which are quite common.
  • Guillaume
    Guillaume over 7 years
    The POST binding will be easier: you do not need to DEFLATE the request first, just base64 it, then pass it as form data (with the same name, SAMLRequest).
  • Gobliins
    Gobliins over 7 years
    OK, in my code the encoded message was already deflated and then Base64-encoded, so it's OK I guess.