The SAML specification defines a number of bindings (i.e., transports) including HTTP-Post, where the SAML message is sent in an HTTP Post, and HTTP-Redirect, where the SAML message is sent as a query string parameter. Not all SAML message types are supported by all SAML bindings. The "Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0" document specifies which bindings may be used to send the various message types.

According to the specification, a SAML response must be sent using HTTP-Post. HTTP-Redirect is not supported. One of the reasons for this is that a SAML response as a query string parameter may be too long for some browsers to support.

If the service provider is expecting the SAML response to be sent as a query string parameter, their SAML implementation is non-conforming. I suggest checking with them as this would be highly unusual.

You should call SAMLIdentityProvider.InitiateSSO to have the SAML response sent over HTTP Post. The service provider should expect to receive an HTTP Post at their assertion consumer service.

Regards,
ComponentSpace Development
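The size argument in the reply above, as an added Python example that is not part of the original post or of ComponentSpace's code: it encodes one constructed signed response both ways and shows an assertion consumer service that accepts it over HTTP POST only. The message, the `sp.example` URL, all function names, and the 2,083-character limit (Internet Explorer's documented maximum URL length, used as a stand-in for "some browsers") are assumptions.

```python
import base64, hashlib, zlib
from urllib.parse import urlencode, parse_qs

IE_MAX_URL = 2083  # assumed limit: Internet Explorer's maximum URL length

def pseudo_b64(label: str, nbytes: int) -> str:
    """Deterministic filler standing in for signature / certificate bytes."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(f"{label}{counter}".encode()).digest()
        counter += 1
    return base64.b64encode(out[:nbytes]).decode()

def sample_response() -> bytes:
    # Constructed sample with the shape of a signed SAML 2.0 response.
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed" Version="2.0" Destination="https://sp.example/acs">'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f'<ds:SignatureValue>{pseudo_b64("sig", 256)}</ds:SignatureValue>'
        f'<ds:X509Certificate>{pseudo_b64("cert", 1500)}</ds:X509Certificate>'
        '</ds:Signature></samlp:Response>'
    ).encode()

def encode_post(xml: bytes) -> str:
    """HTTP-POST binding: base64 only, carried in a form field."""
    return base64.b64encode(xml).decode()

def encode_redirect(xml: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml) + c.flush()
    return urlencode({"SAMLResponse": base64.b64encode(deflated).decode()})

def acs_receive(method: str, query: str, form: dict) -> bytes:
    """Assertion consumer service: accept responses over HTTP POST only."""
    if method != "POST" or "SAMLResponse" in parse_qs(query):
        raise ValueError("SAML response must arrive via the HTTP-POST binding")
    return base64.b64decode(form["SAMLResponse"], validate=True)

if __name__ == "__main__":
    xml = sample_response()
    url = "https://sp.example/acs?" + encode_redirect(xml)
    print("POST form field length:", len(encode_post(xml)))
    print("Redirect URL length   :", len(url), "limit", IE_MAX_URL)
```

Signature and certificate bytes are effectively incompressible, so DEFLATE does little for a signed response and the redirect URL stays well over the limit.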