How to send a SAML Request?
Depends on which binding you are supposed to use. The IdP documentation or metadata should mention that. There are several:
- Redirect Binding (using a GET), by far the most common for Requests
- POST Binding
- Artifact Binding (more complex, but I have never seen it used for Requests)
- ...
I suppose that Redirect Binding will be used in your case (EDIT: you added the metadata from your IdP, it mentions that you can use both Redirect and POST bindings). It is described here: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf page 15.
Short version: your must first use the DEFLATE algorithm to compress your XML Request, encode it using base64, encode it using URL encoding, then pass it as a query parameter named SAMLRequest
?SAMLRequest=<your url-encoded base64-encoded deflated authnrequest>
https://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Request.3B_IdP_POST_Response
![Gobliins](https://i.stack.imgur.com/8BwZA.jpg?s=256&g=1)
Gobliins
Updated on June 04, 2022Comments
-
Gobliins about 2 years
i want to send a SAML request to my IDP (Azure AD) but ia m not sure how to send the request at all.
First i used OpenSAML to build an AuthRequest. Which i encoded as a String.
Now i wanted to use ApacheHttpClient to send the request and read the response and i am not sure if OpenSAML provides http sending methods at all so my idea was to use Apaches HttpClient for this for now.
String encodedAuthRequest = generateAuthRequest(); String url = "http://myidp/samlendpoint"; CloseableHttpClient client = HttpClientBuilder.create().build(); HttpGet request = new HttpGet(url); // add request header request.addHeader("User-Agent", USER_AGENT); // what is to add else? HttpResponse response = client.execute(request);
I am stuck now since i am not sure how to setup the request, does it need to be a query parameter like
?saml=....
in GET or do i have to put the encoded saml response in the body as POST..Can someone help or clarify these issue?
Update from Guillaumes answer:
I have this from the IDPs MetaData:
<IDPSSODescriptor> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myidp/saml2" /> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myidp/saml2" />
-
Gobliins over 7 yearsI have added some info to my Question.
-
Guillaume over 7 yearsso you can use either Redirect or POST bindings, which are quite commons.
-
Guillaume over 7 yearsPOST binding will be easier, you do not need to DEFLATE the request first, just to base64 it then pass it as form data (with the same name SAMLRequest)
-
Gobliins over 7 yearsOk, in my code the encoded Message was already deflated and then encoded to Base64 so it's ok i guess.