SAML-Toolkits / ruby-saml

SAML SSO for Ruby
https://developers.onelogin.com/v1.0/page/saml-toolkit-for-ruby-on-rails
MIT License

POST binding should not use compression by default #676

Open johnnyshields opened 5 months ago

johnnyshields commented 5 months ago

Background

According to the SAML spec, deflate compression should only be used in the Redirect binding, because we want to reduce the length of the URL string. For the POST binding, there's no need to use compression (your server request should probably be gzipped anyway).

This is important, because some SAML IdP providers like PingFederate don't support compression on POST binding: https://support.pingidentity.com/s/topic/0TO1W000000IESfWAO/deflate

Current Spec

Currently, there are two parameters which control compression:

Proposed Change

I think these parameters should be removed, and instead we should simply control compression based on whether the binding is Redirect (if so, enable) or POST (if so, disable).
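As an added example (not code from ruby-saml or from the issue author), the two bindings' encodings in plain Ruby, with a binding-driven selector and a check that shows why a deflated payload fails at a POST-only endpoint; the AuthnRequest XML is constructed for the example:

```ruby
require "zlib"
require "base64"
require "cgi"

# Constructed sample AuthnRequest (not a real message from any deployment).
SAMPLE_AUTHN_REQUEST = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" ' \
  'IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://sp.example/metadata</saml:Issuer>' \
  '</samlp:AuthnRequest>'

# Raw DEFLATE (RFC 1951): negative window bits mean no zlib header or checksum.
def raw_deflate(xml)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = deflater.deflate(xml, Zlib::FINISH)
  deflater.close
  out
end

# HTTP-Redirect binding: deflate, base64, then URL-encode, because the message
# rides in the query string and must stay short.
def encode_for_redirect(xml)
  CGI.escape(Base64.strict_encode64(raw_deflate(xml)))
end

# HTTP-POST binding: base64 only. The message goes in a form field, so there is
# no length pressure and the spec does not compress it.
def encode_for_post(xml)
  Base64.strict_encode64(xml)
end

# Pick the encoding from the binding itself rather than from a separate flag.
def encode_saml_message(xml, binding)
  case binding
  when :redirect then encode_for_redirect(xml)
  when :post     then encode_for_post(xml)
  else raise ArgumentError, "unknown binding #{binding.inspect}"
  end
end

# What a POST-only IdP does with SAMLRequest: base64-decode and expect XML.
# Returns the XML, or nil when the payload is not XML (e.g. it was deflated).
def decode_post_payload(encoded)
  raw = Base64.strict_decode64(encoded)
  raw.start_with?("<") ? raw : nil
end

# Inverse of encode_for_redirect, for round-trip checks.
def decode_redirect_payload(encoded)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.strict_decode64(CGI.unescape(encoded)))
end
```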