AW: HTTP Redirect Binding and URL Length
Brent Putman
putmanb at georgetown.edu
Fri Nov 11 13:18:36 EST 2016
On 11/11/16 9:33 AM, Roehrl Patrick wrote:
>
> Yeah the XML contains also the signature information (SignatureValue,
> SignedInfo, KeyInfo) and that makes it so big. And the request
> contains also the signature as parameter…so seems like a signature
> too much.
>
Ok, that confirms that the SP is broken. An XML signature on the
protocol message is not allowed, per the Redirect DEFLATE binding. A
signature on an embedded child object (which is very unlikely with an
AuthnRequest) isn't technically disallowed, but in practice means you
can't use such a message with the Redirect binding. See SAML 2 Bindings
spec, section 3.4.4.1:
"Any signature on the SAML protocol message, including the <ds:Signature> XML element itself, MUST be removed. Note that if the content of the message includes another signature, such as a signed SAML assertion, this embedded signature is not removed. However, the length of such a message after encoding essentially precludes using this mechanism. Thus SAML protocol messages that contain signed content SHOULD NOT be encoded using this mechanism."
> So our SP uses the wrong binding for Redirect.
>
It's more correct to say that their implementation of the Redirect
DEFLATE binding is broken. It should not emit a protocol message with
the XML signature, period.
> POST Binding -> embedded signature in XML
>
> Redirect Binding -> signature as request parameter
>
> This would be correct?
Yes, that's essentially correct.
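The distinction settled in this exchange (Redirect binding: no ds:Signature in the XML, signature carried as a query parameter over the DEFLATE/base64/URL-encoded message) can be checked mechanically on either side. The following is an added example written for this page, not code from the Shibboleth project or from either correspondent. It uses only the Python standard library; the AuthnRequest, the placeholder ds:Signature content, the example URLs and the HMAC stand-in for the SP's RSA signing are all constructed for illustration. The SigAlg URI is the standard rsa-sha256 identifier, but the signing itself is simulated, so only the encoding rules and the signature-placement check are demonstrated.

```python
"""Constructed example: SAML 2.0 HTTP-Redirect binding encoding, with the
check that the protocol message itself carries no XML signature."""
import base64
import hashlib
import hmac
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed minimal AuthnRequest; ID, URLs and timestamp are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-id" Version="2.0" IssueInstant="2016-11-11T14:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs">'
    '<saml:Issuer>https://sp.example.org/sp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# The same request with a ds:Signature child, i.e. what the broken SP emits.
# The SignatureValue is a constructed, non-compressible placeholder, not a
# real signature; it only stands in for the size a real one adds.
_FAKE_SIG_VALUE = base64.b64encode(bytes(range(256))).decode()
_FAKE_SIGNATURE = (
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo/>'
    f'<ds:SignatureValue>{_FAKE_SIG_VALUE}</ds:SignatureValue>'
    f'<ds:KeyInfo/></ds:Signature>'
)
SIGNED_AUTHN_REQUEST = AUTHN_REQUEST.replace(
    '</saml:Issuer>', '</saml:Issuer>' + _FAKE_SIGNATURE
)


def redirect_binding_violations(xml_text: str) -> list:
    """Return the reasons a protocol message may not use the Redirect binding.
    Bindings 3.4.4.1: a ds:Signature on the protocol message MUST be removed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        problems.append("protocol message carries a ds:Signature element")
    return problems


def deflate_b64(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header) followed by base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def encode_redirect_request(xml_text: str, relay_state: str, sign) -> str:
    """SP side: build the signed Redirect-binding query string. `sign` takes the
    URL-encoded signed data and returns raw signature bytes (here a stand-in)."""
    problems = redirect_binding_violations(xml_text)
    if problems:
        raise ValueError("Redirect binding: " + "; ".join(problems))
    # Parameter order is fixed by the binding: SAMLRequest, RelayState, SigAlg.
    signed_data = urllib.parse.urlencode(
        [("SAMLRequest", deflate_b64(xml_text)), ("RelayState", relay_state), ("SigAlg", SIG_ALG)]
    )
    signature = base64.b64encode(sign(signed_data.encode())).decode()
    return signed_data + "&" + urllib.parse.urlencode([("Signature", signature)])


def decode_redirect_request(query: str) -> dict:
    """IdP side: parse, inflate and re-check that the message carries no XML
    signature (the signature must arrive as the Signature parameter instead)."""
    params = dict(urllib.parse.parse_qsl(query))
    if "Signature" not in params or "SigAlg" not in params:
        raise ValueError("Redirect binding: missing Signature/SigAlg parameter")
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15).decode()
    problems = redirect_binding_violations(xml_text)
    if problems:
        raise ValueError("Redirect binding: " + "; ".join(problems))
    return {"xml": xml_text, "relay_state": params.get("RelayState"), "sig_alg": params["SigAlg"]}


def placeholder_sign(data: bytes) -> bytes:
    """Stand-in for the SP's RSA-SHA256 signing: HMAC over the signed data with
    a constructed key. A real SP signs with its private key under SigAlg."""
    return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()


def redirect_url_length(xml_text: str) -> int:
    """Length of the resulting redirect URL, to compare a clean request with
    one that still embeds the XML signature (constructed endpoint URL)."""
    query = urllib.parse.urlencode([("SAMLRequest", deflate_b64(xml_text))])
    return len("https://idp.example.org/profile/SAML2/Redirect/SSO?" + query)


if __name__ == "__main__":
    q = encode_redirect_request(AUTHN_REQUEST, "state-1", placeholder_sign)
    print(decode_redirect_request(q)["relay_state"])
    print(redirect_url_length(AUTHN_REQUEST), redirect_url_length(SIGNED_AUTHN_REQUEST))
    print(redirect_binding_violations(SIGNED_AUTHN_REQUEST))
```

Running it shows the round trip succeeding for the clean request, the URL growing once the placeholder ds:Signature is embedded, and the violation list naming the embedded signature, which is the condition an SP should refuse to emit and an IdP may refuse to accept.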