Does JBoss PicketLink support the Web Browser SSO profile?
Issue
- Does JBoss PicketLink support the Web Browser SSO profile?
- If so, how can I configure it to use HTTP-Redirect from the SP to the IDP and HTTP-POST from the IDP to the SP?
The SAML spec that discusses the Web Browser SSO profile is located here. Section 4.1.2 shows a sequence diagram for the Web Browser SSO profile. In the explanation of the sequence diagram for the Web Browser SSO profile, I see the following:

3. <AuthnRequest> issued by Service Provider to Identity Provider
In step 3, the service provider issues an <AuthnRequest> message to be delivered by the user agent to the identity provider. Either the HTTP Redirect, HTTP POST, or HTTP Artifact binding can be used to transfer the message to the identity provider through the user agent.

5. Identity Provider issues <Response> to Service Provider
In step 5, the identity provider issues a <Response> message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.

This seems to indicate that, for the web-based SSO profile, the SP-to-IDP request can use either HTTP Redirect or HTTP POST, but the IDP should respond to the SP with an HTTP POST.
Environment
- JBoss Enterprise Application Platform
- 5.1.2
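
The binding rule quoted in the Issue section, as an added Python example (not from the Red Hat article or from PicketLink): it applies the HTTP-Redirect encoding (raw DEFLATE, base64, URL-encoding) to a constructed <AuthnRequest> and shows a constructed <Response> with certificate-sized content overrunning a URL budget. The endpoints, the 2048-character budget and the 64 KiB inflate cap are assumptions, and both messages are constructed samples.

```python
import base64, hashlib, zlib
from urllib.parse import parse_qs, urlencode, urlsplit

URL_BUDGET = 2048          # assumed URL length budget; the page gives no figure
MAX_INFLATED = 64 * 1024   # assumed cap on inflated size for untrusted input
IDP_SSO = "https://idp.example.test/sso"   # hypothetical endpoints
SP_ACS = "https://sp.example.test/acs"

def redirect_encode(xml, endpoint, param="SAMLRequest"):
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: no zlib header
    deflated = c.compress(xml.encode("utf-8")) + c.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return endpoint + "?" + urlencode({param: b64})

def redirect_decode(url, param="SAMLRequest"):
    """Receiver side: reverse the encoding, refusing oversized payloads."""
    value = parse_qs(urlsplit(url).query)[param][0]
    d = zlib.decompressobj(-15)
    xml = d.decompress(base64.b64decode(value), MAX_INFLATED)
    if d.unconsumed_tail:
        raise ValueError("inflated message exceeds MAX_INFLATED")
    return xml.decode("utf-8")

def fits_redirect(xml, endpoint, param):
    """True if the encoded message stays within the assumed URL budget."""
    return len(redirect_encode(xml, endpoint, param)) <= URL_BUDGET

def placeholder_blob(n_bytes):
    """Constructed, poorly compressible filler standing in for a certificate."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_bytes // 32))
    return base64.b64encode(raw).decode("ascii")

# Constructed request: sent by Redirect, asks for the reply over HTTP-POST.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="' + SP_ACS + '"/>')

# Constructed response skeleton carrying certificate-sized content.
RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed2" Version="2.0">'
    '<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    + placeholder_blob(3072) +
    '</ds:X509Certificate></samlp:Response>')

if __name__ == "__main__":
    print(len(redirect_encode(AUTHN_REQUEST, IDP_SSO)), "chars: request URL")
    print(len(redirect_encode(RESPONSE, SP_ACS, "SAMLResponse")), "chars: response URL")
```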
