Use POST instead of Redirect after discovery to avoid big headers issues

[pdesgarets]

I am using SATOSA with Renater federation WAYF (SAML frontend / SAML backend with discovery).

The global nginx reverse proxy on our infra is sending 502 errors after the selection of the IDP on the WAYF, because the headers of the response contain the Location with the SAMLRequest query param and is too big (upstream sent too big header while reading response header from upstream).

I see the order of bindings_to_try in saml2.client.Saml2Client.prepare_for_negotiated_authenticate (called by satosa.backends.saml2.SAMLBackend.authn_request) is hardcoded. Could it be configurable, so that POST is preferred over Redirect ? (is there a reason to prefer Redirect ?) Should not preferred_binding be used there ? (I don't understand fully all the types of services, so maybe a silly idea)

[vladimir-mencl-eresearch]

Hi @pdesgarets ,

What version of SATOSA and pysaml2 are you running?

Just wondering whether this might be caused by an issue reported in pysaml2 IdentityPython/pysaml2#819 and resolved in #380. Prior to this fix, the AuthnRequest included an XML signature (besides being also signed at the redirect binding level) and that caused the overall redirect URL to be quite large.

If this still impacts you, removing the extra signature might be you below the threshold...

Hope this helps.

Cheers, Vlad

[pdesgarets]

I'm using the latest versions, SATOSA 8.4.0 and pysaml2 7.5.0 So I guess that's not the cause