Closed
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
saml
Describe the bug
The SAML SP metadata always uses Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" for the AssertionConsumerService, even if "HTTP-POST binding response" is enabled in the Identity Provider configuration:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="...truncated...
Version
26.1.4
Regression
- The issue is a regression
Expected behavior
The ACS binding in the SP metadata should indicate HTTP-POST instead of HTTP-Redirect when "HTTP-POST binding response" is enabled.
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="...truncated...
Actual behavior
The ACS binding in the SP metadata always indicates HTTP-Redirect:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="...truncated...
How to Reproduce?
- Create a new SAML identity provider
- Specify IdP metadata
- Verify that "HTTP-POST binding response" is disabled
- View the SP metadata using the link in the Admin Console. Note that the ACS binding is HTTP-Redirect
- Toggle "HTTP-POST binding response" so that it's enabled
- Save
- View the SP metadata again using the link in the Admin Console. Note that the ACS binding is still HTTP-Redirect
Anything else?
A workaround which worked for me is to save the SP metadata, then manually change the ACS binding to "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" prior to uploading the SP metadata into the IdP.
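
The check and workaround described in this report can be scripted. The following is an added example, not code from the reporter or the project: it lists the ACS bindings in a saved SP metadata document and rewrites them to HTTP-POST, refusing to edit metadata that carries an XML signature because the edit would invalidate it. The sample document, its entityID and Location, and the function names are constructed for illustration, and it assumes every ACS entry in the file should get the same binding.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ACS_PATH = f".//{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample: entityID and Location are placeholders, not values from the report.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/realm">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{REDIRECT}"
        Location="https://sp.example.test/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_bindings(xml_text):
    """Return the Binding of every AssertionConsumerService under SPSSODescriptor."""
    root = ET.fromstring(xml_text)
    return [e.get("Binding") for e in root.findall(ACS_PATH)]


def set_acs_binding(xml_text, wanted=POST):
    """Rewrite every ACS Binding to `wanted`; returns (new_xml, changed_count)."""
    root = ET.fromstring(xml_text)
    # Editing signed metadata breaks its XML signature, so refuse instead of
    # producing a file the IdP would reject (or accept without verification).
    if root.find(f".//{{{DS}}}Signature") is not None:
        raise ValueError("metadata is signed; editing would invalidate the signature")
    changed = 0
    for e in root.findall(ACS_PATH):
        if e.get("Binding") != wanted:
            e.set("Binding", wanted)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Only feed this the metadata file saved from your own server.
    print("before:", acs_bindings(SAMPLE))
    fixed, n = set_acs_binding(SAMPLE)
    print(f"rewrote {n} element(s); after:", acs_bindings(fixed))
```

Running `acs_bindings` against the metadata after each upgrade shows whether the generated binding matches the "HTTP-POST binding response" setting, so the manual edit can be dropped once it does.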