WSO2IS does not respect the GET binding requested in SAML2

Posted: 2014-03-06 17:03:31

Tags: wso2 identity saml wso2is

A SAML2 request is sent to WSO2 Identity Server over the HTTP-GET binding, but it still POSTs the response. Any ideas on how to make WSO2IS respect the request?

[2014-03-06 17:52:25,961] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Request message <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_73d5b9c1-d448-4076-9e9d-98767f1e2a2d" Version="2.0" IssueInstant="2014-03-06T17:52:21" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" AssertionConsumerServiceURL="http://host.tld/java-saml/consume.jsp"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.tld/java-saml/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"></samlp:RequestedAuthnContext><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:AuthnRequest>

results in this in Firefox:

You are now being redirected back to http://host.tld/java-saml/consume.jsp. If the redirect fails, click the Post button.

Any ideas how to fix it? Do I need to configure something in the request or in WSO2IS?

1 answer:

Answer 0 (score: 0)

Yes.. it must be the expected behavior: the SAML Response must be sent from the IdP to the SP as a POST. (HTTP Redirect cannot be used.) It is defined in the specification. Please have a look at the SAML profile spec. WSO2 Identity Server may not support the Artifact binding, so it does an HTTP POST.

The identity provider issues a <Response> message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.

I guess the POST button and the page you see can be changed and customized.
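As an added illustration of the binding rule quoted in the answer above (example code written for this page, not from the question, the answer or WSO2): it parses the AuthnRequest from the DEBUG log line in the question, checks its ProtocolBinding against the SAML 2.0 binding URIs, and picks the response binding the Web Browser SSO profile allows. The XML is trimmed to the attributes the check reads, the function names are my own, and the `artifact_supported` flag stands in for whatever an IdP knows about its own deployment.

```python
"""Added example: inspect the requested SAML binding and choose a profile-compliant
response binding (HTTP-POST or HTTP-Artifact; HTTP-Redirect MUST NOT be used)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Binding URIs defined in the SAML 2.0 Bindings specification ("HTTP-GET" is not one).
KNOWN_BINDINGS = {BINDING_PREFIX + b for b in
                  ("HTTP-Redirect", "HTTP-POST", "HTTP-Artifact", "SOAP", "PAOS", "URI")}
# Bindings the Web Browser SSO profile permits for delivering a <Response>.
RESPONSE_BINDINGS = {BINDING_PREFIX + "HTTP-POST", BINDING_PREFIX + "HTTP-Artifact"}

# The AuthnRequest from the question's log line, trimmed to the attributes read below.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_73d5b9c1-d448-4076-9e9d-98767f1e2a2d" Version="2.0" '
    'IssueInstant="2014-03-06T17:52:21" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" '
    'AssertionConsumerServiceURL="http://host.tld/java-saml/consume.jsp">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://host.tld/java-saml/</saml:Issuer></samlp:AuthnRequest>')


def inspect_authn_request(xml_text):
    """Return the binding the SP asked for in ProtocolBinding, whether it is a real
    SAML 2.0 binding URI, and whether the profile allows it for the <Response>."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    requested = root.get("ProtocolBinding")  # optional attribute, may be None
    return {
        "requested": requested,
        "known": requested in KNOWN_BINDINGS,
        "allowed_for_response": requested in RESPONSE_BINDINGS,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def choose_response_binding(requested, artifact_supported=False):
    """Pick the binding the IdP uses for the <Response>. HTTP-Redirect, an unknown
    URI such as "HTTP-GET", or a missing attribute all fall back to HTTP-POST,
    which matches the behaviour the question observes. Artifact is honoured only
    when the IdP actually supports it (hypothetical flag)."""
    if requested in RESPONSE_BINDINGS:
        if requested.endswith("HTTP-Artifact") and not artifact_supported:
            return BINDING_PREFIX + "HTTP-POST"
        return requested
    return BINDING_PREFIX + "HTTP-POST"
```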