Gobliins Gobliins - 26 days ago 6
HTTP Question

HowTo send a SAML Request?

i want to send a SAML request to my IDP (Azure AD) but ia m not sure how to send the request at all.

First i used OpenSAML to build an AuthRequest. Which i encoded as a String.

Now i wanted to use ApacheHttpClient to send the request and read the response and i am not sure if OpenSAML provides http sending methods at all so my idea was to use Apaches HttpClient for this for now.

String encodedAuthRequest = generateAuthRequest();
String url = "http://myidp/samlendpoint";
CloseableHttpClient client = HttpClientBuilder.create().build();
HttpGet request = new HttpGet(url);

// add request header
request.addHeader("User-Agent", USER_AGENT);

// what is to add else?

HttpResponse response = client.execute(request);


I am stuck now since i am not sure how to setup the request, does it need to be a query parameter like
?saml=....
in GET or do i have to put the encoded saml response in the body as POST..

Can someone help or clarify these issue?

Update from Guillaumes answer:

I have this from the IDPs MetaData:

<IDPSSODescriptor>
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://myidp/saml2" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://myidp/saml2" />

Answer

Depends on which binding you are supposed to use. The IdP documentation or metadata should mention that. There are several:

  • Redirect Binding (using a GET), by far the most common for Requests
  • POST Binding
  • Artifact Binding (more complex, but I have never seen it used for Requests)
  • ...

I suppose that Redirect Binding will be used in your case (EDIT: you added the metadata from your IdP, it mentions that you can use both Redirect and POST bindings). It is described here: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf page 15.

Short version: your must first use the DEFLATE algorithm to compress your XML Request, encode it using base64, encode it using URL encoding, then pass it as a query parameter named SAMLRequest

?SAMLRequest=<your url-encoded base64-encoded deflated authnrequest>

https://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Request.3B_IdP_POST_Response