-
-
Notifications
You must be signed in to change notification settings - Fork 309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is there a workaround for HTTP-POST binding for SLO? #205
Comments
Hello, I'll shamelessly jump in, if Octa supports only POST, than this is the question for Octa... The idP should support both. So just like #204 |
Thanks for jumping in but I am gonna have to disagree. Also it's spelled "Okta" with a "K". The question is:
|
Hi @CR1AT0RS
No
This library implements the basic (LITE), and SLO HTTP-Redirect binding is the one required on SP LITE.
Disagree, the library is agnostic and is compatible with SAML IdPs that follows SAML standard. Based on the definition of the Conformance SAML spec Page 9:
Also the saml2int profile specifies:
And defines the requirement of support HTTP-POST only for samlp:Response:
Not sure why Okta decided to not support HTTP-Redirect binding on SLO. Have you asked them? |
I would like to see support for the HTTP-POST binding as well. |
Although it's been made clear that there is no plan to support HTTP-POST binding for logout, is there a way one can implement it by himself/herself while still using this library? Is there a way where in one can use classes/methods from this library and implement it? |
@rajeshyogeshwar Yes, it is possible to add HTTP-POST binding support to the library. In all the following scenarios, when you generate the SAML Message, you will need to send it via POST instead of Redirect and sign the XML and include the signature embed, if the sign flag is enabled, I will describe the complex scenario, but take in mind the add_sign is optional. If you are looking for being able to send AuthNRequest supporting HTTP-POST then you need to extend the Auth class adding a new login method that will initialize the object with no signature, retrieving it with get_request and then embed the Signature on the XML using the add_sign. Check this In order to be able to send LogoutRequest using HTTP-POST you will need to make a similar process than the previously mentioned, but adding a new logout method that will get a LogoutRequest class, get the request and sign it. In order to be able to send LogoutRequest using HTTP-POST you will need to extend the processSLO method and get the LogoutResponse and sign it. If you also want to support LogoutRequest and LogoutResponse to be received via POST, you will need to extend the processSLO in order to be able to read SAML Message on GET parameters and also verify the Signature element if it is included inside the XML. As you see, supporting HTTP-POST binding is doable, if I decide to support it I will need to support all the previous scenarios described, and that introduces extra complexity to the toolkit as you can see. Ideally, I could add its support as an addon so only in specific cases dev could add it when they need it, but I didn't found the time to implement this. Take in mind that SAML toolkits are supported not only for Python, but for PHP, Ruby and Java where I should implement its support as well, so the effort isn't trivial. |
@pitbulk I absolutely appreciate your response and I do understand that a good amount of effort is required for it to be done, hence I am not saying it had to be there in the library. But if others knew a way for it to be done by themselves, it definitely takes away the need for constant demand for the support. I hope you understand what I mean here. Thank you for quick response and guidance. I will take my time to try it out and see if I can get it functional. |
Do we know if AuthNRequest is supporting HTTP-POST in the latest java library version? |
In django's example, https://github.com/onelogin/python3-saml/blob/master/demo-django/demo/views.py def index(request):
|
First I wanna thank you for making this library very well structured and easy to use.
Question:
My IDP Okta's logout SLO supports HTTP-POST binding so I can't logout the user. Is there a workaround for Okta SLO and use it with the HTTP-POST binding?
My SP: Django
IDP: Okta
"idp": {
"entityId": "http://example.com/kbiebrwerwrw",
"singleSignOnService": {
"url": "https://test.okta.com/app/rtest/example/sso/saml",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"singleLogoutService": {
"url": "https://test.okta.com/app/testingwx_1/whew8389hrhui4/slo/saml",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
The text was updated successfully, but these errors were encountered: