saml-dev message

Subject: ECP client redirects

I'm trying to clarify the following 2 questions (1 & 2):

1) Is an ECP client required to be able to handle redirect responses from an IdP after posting an AuthnRequest to the IdP SOAP binding endpoint?

I can't find this in any of the SAML specifications, if you have a pointer that would be appreciated.

It would help to have context for the question. We have an IdP implementation whose architecture relies on redirecting to its own endpoints while it is processing an AuthnRequest; the redirect is not internal, it relies on the browser to follow the redirect. This was never an issue for Web SSO using the HTTP-Redirect or HTTP-POST bindings because browsers happily followed the redirect.

However, an ECP client is supposed to be a much less capable HTTP client, and ECP, unlike Web SSO, does not inherently have the concept of redirects (with the exclusion of the final SP response).

Reading between the lines of the SAML specs, the assumption seems to be that posting an AuthnRequest is akin to a REST API call, a simple request/response. It also seems that one of the design goals, at least with ECP, is avoiding redirection to unknown IdPs. If the IdP responds with a redirect, it then becomes the client's responsibility to verify the redirect is back to the original IdP, an unnecessary burden for the ECP client.

The above raises the next general SAML question.

2) Are redirects after submitting an AuthnRequest to an IdP SSO binding endpoint permitted if the IsPassive flag is True?

One way of interpreting the IsPassive flag is that the IdP is supposed to immediately respond with a SAMLResponse; if this is the case, then performing redirects before responding with a SAMLResponse would appear to violate that.
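
As an added example (not part of the original message, and not code from any SAML implementation), here is the redirect policy the question sketches for an ECP client: the SOAP AuthnRequest is posted through a transport that does not follow redirects itself, and a 3xx is accepted only when it is a 307/308 (which keep the POST body) and its Location stays on the original IdP's HTTPS origin, up to a small bound. The `send` callable, the endpoint URLs and the fake IdP transport are constructed stand-ins for a real HTTP client and IdP.

```python
from urllib.parse import urlsplit, urljoin

MAX_REDIRECTS = 3  # constructed limit; an ECP exchange should be one request/response

class EcpRedirectError(Exception):
    """The IdP replied in a way an ECP client must not silently accept."""

def same_idp_origin(idp_endpoint, location):
    """True only if the redirect target stays on the IdP's HTTPS origin."""
    base = urlsplit(idp_endpoint)
    target = urlsplit(urljoin(idp_endpoint, location))
    return (target.scheme == "https"
            and (base.scheme, base.netloc.lower()) == (target.scheme, target.netloc.lower()))

def post_authn_request(idp_endpoint, soap_envelope, send):
    """POST the SOAP AuthnRequest; `send(url, body)` -> (status, headers, body)
    and must not follow redirects itself, so every 3xx reaches this policy."""
    url = idp_endpoint
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = send(url, soap_envelope)
        if status in (307, 308):  # only these keep the POST method and its body
            location = headers.get("Location", "")
            if not same_idp_origin(idp_endpoint, location):
                raise EcpRedirectError(f"redirect off the IdP origin: {location!r}")
            url = urljoin(idp_endpoint, location)
            continue
        if 300 <= status < 400:
            raise EcpRedirectError(f"{status} redirect would drop the SOAP body")
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if status != 200 or ctype not in ("text/xml", "application/soap+xml"):
            raise EcpRedirectError(f"unexpected reply: {status} {ctype or '(no type)'}")
        return body
    raise EcpRedirectError("too many redirects from the IdP")

# Constructed fake IdP transport (offline stand-in for a real HTTP client).
IDP = "https://idp.example.org/idp/profile/SAML2/SOAP/ECP"
SOAP_OK = '<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"/>'

def fake_send(url, body):
    if url == IDP:  # first hop bounces to another endpoint on the same IdP
        return 307, {"Location": "/idp/profile/SAML2/SOAP/ECP2"}, b""
    if url == IDP + "2":
        return 200, {"Content-Type": "text/xml; charset=utf-8"}, SOAP_OK
    return 404, {}, b""

def other_host_send(url, body):  # redirect to a different host: must be refused
    return 307, {"Location": "https://other-idp.example.net/idp"}, b""

if __name__ == "__main__":
    print(post_authn_request(IDP, "<AuthnRequest/>", fake_send))
```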
