SAML-Toolkits / php-saml

Simple SAML toolkit for PHP
MIT License
1.23k stars 469 forks

POST binding support for authnrequest #523

Closed ismailaksim closed 1 year ago

ismailaksim commented 2 years ago

Hello Everyone,

I hope you are doing well. I want to ask whether there is a way to make my AuthnRequest support POST Binding, or whether it's impossible. I found some posts here about that, but I don't know if you have added this functionality or if it's still impossible to do.

thank you

pitbulk commented 1 year ago

It is possible to extend the toolkit in order to have POST Binding support for AuthNRequest; in fact, there is already a PR to add such support: https://github.com/SAML-Toolkits/php-saml/pull/422

But as discussed on this PR and other tickets, I'm not officially adding this feature to the toolkit, as it will add complexity to the toolkit and I want to keep it as easy as possible. But feel free to extend the extension to cover your use cases.

plufz commented 11 months ago

First I want to say that I think that this is a great library and it has been a joy to use, clear error messages and easy to grasp documentation. Thank you!

From what I understand the reason you are not implementing this is because OneLogin does not use HTTP POST as you stated in #92. I selected the library because it described itself as a general library "SAML PHP toolkit let you build a SP (Service Provider) over your PHP application and connect it to any IdP (Identity Provider).".

My customer wants to use HTTP POST for their IdP and from what I can see in different issues here, some other people also would really like POST support. I would rather not maintain a fork, especially on a library that is security related, and the existing PR seems to make changes to the standard files. Can HTTP POST be implemented with the current toolkit without forking?

pitbulk commented 11 months ago

@plufz, the real reason can be found here.

HTTP-Redirect binding is the one that the SAML standard sets as mandatory for AuthRequest, LogoutRequest and LogoutResponse; that is why the SAML toolkits support this binding for such messages, and expect SAMLResponses using HTTP-POST, as the standard also mandates.

Which IdP are you using that does not support HTTP-Redirect binding on AuthRequests?
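The point pitbulk makes above (and in the earlier reply about extending rather than forking) is that the two bindings differ in how the AuthnRequest is carried on the wire, not in the XML itself. The following script is an added illustration for this thread; it is not code from php-saml or from any participant. It shows the two encodings side by side: HTTP-Redirect uses raw DEFLATE, base64 and URL-encoding in the query string, while HTTP-POST uses plain base64 in a form field. php-saml itself is PHP; Python is used here only because the encoding rules are language-neutral. The request XML, IDs and URLs are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, parse_qs

# Constructed minimal AuthnRequest. IDs, URLs and timestamps are placeholders.
# Note: ProtocolBinding names the binding the IdP should use for the *Response*
# (HTTP-POST, as the thread says); it says nothing about how this request is sent.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def encode_redirect(xml, relay_state=None):
    """HTTP-Redirect: raw DEFLATE (no zlib header), base64, URL-encode as query params."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query):
    """Reverse of encode_redirect. A common receiver bug is inflating with a zlib
    wrapper (wbits=15) instead of raw deflate; -15 is what the binding requires."""
    qs = parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def build_redirect_url(sso_url, xml, relay_state=None):
    return sso_url + "?" + encode_redirect(xml, relay_state)


def encode_post(xml):
    """HTTP-POST: plain base64 of the XML, sent as the SAMLRequest form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field):
    return base64.b64decode(field).decode("utf-8")


def detect_binding(method, params):
    """Classify an inbound request by HTTP method and where SAMLRequest appears.
    GET with SAMLRequest in the query string is HTTP-Redirect; POST with a
    SAMLRequest form field is HTTP-POST; anything else is not a SAML request."""
    if "SAMLRequest" not in params:
        return None
    if method.upper() == "GET":
        return REDIRECT
    if method.upper() == "POST":
        return POST
    return None


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/sso", AUTHN_REQUEST, "state-1")
    print("Redirect URL length:", len(url))
    print("POST field length:  ", len(encode_post(AUTHN_REQUEST)))
```

The two bindings also differ in how a signature travels: HTTP-Redirect signs the encoded query string and carries SigAlg and Signature as extra parameters, while HTTP-POST embeds an XML signature inside the request document. The script deliberately does not sign; it only shows the transport encoding that a POST-binding extension of the toolkit would have to produce and that the IdP would have to accept.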

plufz commented 11 months ago

@pitbulk That was a very reasonable answer, thank you for the quick and informed reply. My customer does support HTTP-Redirect, but they said that they prefer POST. But if HTTP-Redirect is mandatory in the standard, I think I can stand my ground in relation to my customer. ;)