RH-SSO does not properly force SAML POST binding

Solution Verified

Environment

  • RH-SSO 7.5.x

Issue

  • After upgrading RH-SSO from 7.4.10 to 7.5.1, login fails for one client. The client uses SAML as its client protocol, and its SP configuration in the admin console shows both binding options, "Force Artifact Binding" and "Force POST Binding".
  • In 7.4.10 the client was configured with "Force POST Binding". After the upgrade to 7.5.1, RH-SSO started answering with the Artifact binding (support for "Force Artifact Binding" was added in 7.5.0) instead of the POST binding, even though the client configuration after the upgrade still shows "Force Artifact Binding" set to false and "Force POST Binding" set to true.

Resolution

  • The Artifact binding is more involved than the others and is never used on its own. The POST or Redirect binding is used to deliver the SAMLArt parameter (an artifact, not the assertion itself) to the SP, and the SP then performs artifact resolution against the IdP to obtain the actual SAML response.

  • In this case the "Force POST Binding" flag was honored: the SAMLArt was returned to the SP using the POST binding (had it been returned via redirect, that would be a bug). RH-SSO responds with a SAMLArt instead of sending the assertion directly because the SP asked for exactly that in its AuthnRequest, via ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact". The "Force POST Binding" flag controls how the response is transported, not whether an artifact is issued.

There are two possible workarounds.

  • Option 1: The SP stops requesting the Artifact binding, i.e. it no longer sets ProtocolBinding to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact in its AuthnRequest (either omitting the attribute or setting it to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST).

  • Option 2: Introduce a new flag in the client configuration, something like "Never use ARTIFACT binding", that makes RH-SSO ignore an Artifact ProtocolBinding requested by that client.

    Option 1 is the workaround that can be applied today, because RH-SSO is behaving correctly when it responds with an artifact that the SP explicitly requested in its AuthnRequest.

    For option 2, a feature request has been filed and is currently in progress.

    Note: the RFE (Request for Feature Enhancement) has been accepted; the Engineering team might consider it for 8.x (with no guarantee, and subject to change).
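Before applying option 1 it is worth confirming, from the SP side, that the AuthnRequest really carries the Artifact ProtocolBinding. The following script is an added example for this article, not code from RH-SSO or from Red Hat: it decodes a captured SAMLRequest parameter (the Redirect binding carries base64 of raw-DEFLATEd XML, the POST binding plain base64), reports which ProtocolBinding the SP asked for, and shows what the request must look like after option 1 is applied. The AuthnRequest below and its URLs are constructed sample data; the function names are the example's own. Rewriting a signed AuthnRequest in transit would invalidate its signature, so the rewrite function only illustrates the change the SP must make in its own configuration.

```python
"""Inspect which binding a SAML 2.0 AuthnRequest asks the IdP to respond with.

Added example for the RH-SSO Artifact binding article; not RH-SSO code.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Keep the usual prefixes when serializing instead of ns0/ns1.
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Constructed sample: an SP asking for the Artifact binding (the situation in the article).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" ID="_constructed-example-1" Version="2.0" IssueInstant="2022-01-01T00:00:00Z" Destination="https://sso.example.test/auth/realms/demo/protocol/saml" ProtocolBinding="{BINDING_ARTIFACT}" AssertionConsumerServiceURL="https://sp.example.test/saml/acs"><saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>"""


def encode_saml_request(xml_text: str, redirect_binding: bool) -> str:
    """Produce the SAMLRequest parameter value as an SP would send it."""
    data = xml_text.encode("utf-8")
    if redirect_binding:
        # HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), then base64.
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = compressor.compress(data) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(value: str, redirect_binding: bool) -> str:
    """Reverse of encode_saml_request: recover the AuthnRequest XML from the parameter."""
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)  # -15 = raw DEFLATE stream
    return raw.decode("utf-8")


def requested_binding(authn_request_xml: str):
    """Return the ProtocolBinding the SP requested, or None if the attribute is absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest root element: {root.tag}")
    return root.get("ProtocolBinding")


def asks_for_artifact(authn_request_xml: str) -> bool:
    """True when the SP explicitly asks the IdP to answer with an artifact (SAMLArt)."""
    return requested_binding(authn_request_xml) == BINDING_ARTIFACT


def rewrite_to_post(authn_request_xml: str) -> str:
    """Show the option 1 change: replace an Artifact ProtocolBinding with HTTP-POST.

    Illustrative only; the SP must emit this itself, since a rewritten signed request
    would no longer verify at the IdP.
    """
    root = ET.fromstring(authn_request_xml)
    if root.get("ProtocolBinding") == BINDING_ARTIFACT:
        root.set("ProtocolBinding", BINDING_POST)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Round-trip the constructed request through the Redirect binding encoding
    # and report what the IdP would see.
    param = encode_saml_request(SAMPLE_AUTHN_REQUEST, redirect_binding=True)
    xml = decode_saml_request(param, redirect_binding=True)
    print("ProtocolBinding requested:", requested_binding(xml))
    print("SP asks for artifact:", asks_for_artifact(xml))
    print("After option 1:", requested_binding(rewrite_to_post(xml)))
```

Point the decoder at the SAMLRequest value from a browser capture of the SP-to-IdP hop (redirect_binding=True for a GET to the IdP's SAML endpoint, False for a form POST). If asks_for_artifact reports True, RH-SSO issuing a SAMLArt is the expected behavior described above, and the fix belongs in the SP's configuration, not in the "Force POST Binding" flag.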

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
