SAML: support HTTP redirect binding #1042
Comments
Dex supports the SAML POST binding, which doesn't use compression.
3.5.4 Message Encoding - https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf The HTTP redirect binding does use encryption (section 3.4.4), but that binding isn't used by dex. This behavior was actually addressed in #785. From my reading, compliant providers shouldn't enforce compression (or even support compression) of the SAMLRequest on the HTTP POST binding, though they may for the HTTP redirect binding. Which provider are you using?
vSphere SSO. It offers HTTP redirect binding. However, it also accepts POST but requires compression on SAMLRequest.
I have a PR proposed: #1044. Without the change, dex won't work with vSphere SSO using SAML 2.0.
According to the SAML standard, how can we use HTTP redirect binding with dex? It seems HTTP redirect binding is the only option in vSphere SSO.
We would have to add the HTTP redirect binding, though that's not unreasonable.
I can help on that. I have a work-in-progress PR to support HTTP redirect binding.
@easeway perfect, please feel free to send the PR and tag me for review. I can also do this if that's easier.
I wasn't aware of this issue, but there's another recent attempt to fix this here: #1175
Some identity providers require SAMLRequest to be compressed and then base64 encoded. There's no configuration option to compress SAMLRequest, and dex won't work with these identity providers.
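The two encodings discussed in this thread, side by side, as an added example that is not part of the original issue and is not dex's code: the POST binding value is base64 only, while the redirect binding value is raw DEFLATE, then base64, then URL-encoding. The function names, the sample request and the 1 MiB inflate cap are assumptions made for illustration; signing and RelayState are left out.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
)

const maxInflated = 1 << 20 // assumed cap on inflated size, guards against deflate bombs
// Constructed sample request, not taken from dex or vSphere SSO.
const sampleRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"/>`

// encodePOST: HTTP POST binding (bindings spec 3.5.4), base64 only, no compression.
func encodePOST(xml []byte) string { return base64.StdEncoding.EncodeToString(xml) }

// encodeRedirect: HTTP Redirect binding (3.4.4), raw DEFLATE, base64, then URL-encode.
func encodeRedirect(xml []byte) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // errors only on an invalid level
	_, err := w.Write(xml)
	if err == nil {
		err = w.Close() // flushes the final DEFLATE block
	}
	return url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes())), err
}

// decodeRedirect reverses encodeRedirect and refuses input that is not
// DEFLATE data or that inflates past maxInflated.
func decodeRedirect(param string) ([]byte, error) {
	b64, err := url.QueryUnescape(param)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	out, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(raw)), maxInflated+1))
	if err != nil || len(out) > maxInflated {
		return nil, fmt.Errorf("SAMLRequest did not inflate within %d bytes: %v", maxInflated, err)
	}
	return out, nil
}

func main() {
	q, err := encodeRedirect([]byte(sampleRequest))
	fmt.Println("POST:", encodePOST([]byte(sampleRequest)), "\nRedirect:", q, err)
}
```

A value produced by `encodePOST` fails in `decodeRedirect` because the base64 payload is plain XML rather than a DEFLATE stream, which is the mismatch reported here.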