Monday, October 12, 2015

Issue in setting up OAM as Service Provider (SP) HTTP-POST vs HTTP-Artifact

Typically, When we try to OAM as SP, the exported Metadata OOTB will have HTTP-Artifact binding as default.

This will be a problem if you haven't configured your IDP to communicate using Artifact.

If we deploy this OOTB SAML OAM SP Metadata on the IDP side, we are stating that IDP should post it SAML response as HTTP-Artifact.

If you Trace-32 and observe, you wont see anything meaningful in the Incoming SAML. OAM cannot understand what the IDP is posting and it will throw a generic Error.

If you are interested in having IDP post their SAML in HTTP-POST, then make is as default in the SAML SP Metadata and import it on the IDP side.

Now, If you Trace-32 and observe You can see all the SAML attributes in the incoming SAML.

Refer to the below OAM SP Metadata piece to understand better,

Before Change:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="" index="0" isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1"/>

After Change:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1" isDefault="true"/>

No comments:

Post a Comment

Other Posts