The Signicat SAML 2.0 gateway supports the HTTP-Redirect, HTTP-POST, and Artifact bindings.
With the HTTP-Redirect binding, the request or response is attached to the URL as a SAMLRequest or SAMLResponse query parameter respectively, with standard encoding (deflated, base64-encoded, and URL-encoded). It is protected by HTTPS if the URL provided in the metadata is HTTPS; however, it will still appear in client-side logs, and also in the HTTP Referer header in certain cases. Using this binding is fine for requests that do not provide personal information as prefilled parameters, but it is not recommended for responses, both for security reasons and because of the limited assertion size that the query string allows.
With the HTTP-POST binding, the SAML request or response is still encoded in the standard way, but it appears in the message body rather than in the URL. It will therefore not be logged by tools that log URLs. However, the assertion is still transferred to the client, and is therefore exposed to any malware that infects the client and extracts this kind of information.
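The encodings described for the two front-channel bindings, as an added example that is not part of the Signicat documentation or gateway code: for HTTP-Redirect the message is raw-DEFLATEd, base64-encoded and URL-encoded into the query string (so the whole message ends up in the URL, with the logging and length consequences described above); for HTTP-POST the SAML Bindings specification uses base64 only, no deflate, in a form field in the request body. The sample AuthnRequest, its ID, and the `example.test` issuer and destination URLs are constructed placeholders.

```python
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest; the ID and the example.test URLs are placeholders,
# not values taken from the Signicat gateway.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/sso">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def _deflate_b64(xml: str) -> str:
    """Raw DEFLATE (wbits=-15: no zlib header/trailer) followed by base64, per the HTTP-Redirect binding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def _inflate_b64(b64: str) -> str:
    """Reverse of _deflate_b64: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding value: deflate + base64 + URL-encode (safe="" so '+', '/' and '=' are escaped too)."""
    return urllib.parse.quote(_deflate_b64(xml), safe="")


def decode_redirect(param: str) -> str:
    """Decode a raw (still URL-encoded) SAMLRequest/SAMLResponse query parameter value."""
    return _inflate_b64(urllib.parse.unquote(param))


def build_redirect_url(sso_url: str, xml: str, relay_state=None) -> str:
    """Full redirect URL; everything in the message travels in the query string."""
    query = "SAMLRequest=" + encode_redirect(xml)
    if relay_state is not None:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return f"{sso_url}?{query}"


def parse_redirect_url(url: str) -> dict:
    """Recover the message and RelayState from a redirect URL (what a URL-logging tool would see)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)  # parse_qs already URL-decodes
    key = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    return {
        "kind": key,
        "xml": _inflate_b64(params[key][0]),
        "relay_state": params.get("RelayState", [None])[0],
    }


def encode_post(xml: str) -> str:
    """HTTP-POST binding value: base64 only, no deflate; carried as a form field in the body."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field: str) -> str:
    return base64.b64decode(field).decode("utf-8")


def post_form_fields(xml: str, relay_state=None, response=False) -> dict:
    """Form fields the browser auto-submits with the HTTP-POST binding."""
    fields = {("SAMLResponse" if response else "SAMLRequest"): encode_post(xml)}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/sso", SAMPLE_AUTHN_REQUEST, "session-42")
    print("redirect URL length:", len(url))
    print("round-trips:", parse_redirect_url(url)["xml"] == SAMPLE_AUTHN_REQUEST)
    print("POST fields:", list(post_form_fields(SAMPLE_AUTHN_REQUEST).keys()))
```

The URL length printed by `build_redirect_url` is the practical reason the text gives for not using HTTP-Redirect for responses: a signed assertion is far larger than this request and has to fit in a query string that browsers, proxies and servers truncate at different limits.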
The Artifact binding has quite a bit of overhead, but it is the binding of choice for maximum security. No meaningful information is transferred to the client; instead, an artifact (SAMLArt) is sent. The receiving endpoint then contacts the ArtifactResolutionService specified in the metadata and retrieves the SAML request or response over a back channel.
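What the client actually carries with the Artifact binding, as an added example that is not Signicat's code: the SAML 2.0 type 0x0004 artifact is 44 bytes (2-byte type code, 2-byte endpoint index, 20-byte SourceID that is the SHA-1 of the issuer's entityID, 20-byte random message handle), base64-encoded. The receiver uses the SourceID to pick which party's ArtifactResolutionService to call, and the issuer hands out each message once and forgets it, so a resubmitted artifact resolves to nothing. The `ArtifactStore` class is a constructed in-memory stand-in for the issuer side of that service, and the `example.test` entityIDs are placeholders.

```python
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Iterable, Optional

ARTIFACT_TYPE_CODE = 0x0004  # the only artifact type defined by SAML 2.0
ARTIFACT_LENGTH = 2 + 2 + 20 + 20


@dataclass(frozen=True)
class Artifact:
    type_code: int
    endpoint_index: int
    source_id: bytes       # SHA-1 of the issuer's entityID; not secret, just an identifier
    message_handle: bytes  # random reference; carries no information about the message


def source_id_for(entity_id: str) -> bytes:
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(issuer_entity_id: str, endpoint_index: int = 0, message_handle: Optional[bytes] = None) -> str:
    """Build a base64 SAMLArt value; the handle is random unless a fixed one is supplied (for tests)."""
    if message_handle is None:
        message_handle = os.urandom(20)
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    if not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("endpoint index must fit in two bytes")
    raw = (
        ARTIFACT_TYPE_CODE.to_bytes(2, "big")
        + endpoint_index.to_bytes(2, "big")
        + source_id_for(issuer_entity_id)
        + message_handle
    )
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(samlart: str) -> Artifact:
    """Decode and structurally validate a received SAMLArt before any resolution call is made."""
    raw = base64.b64decode(samlart, validate=True)
    if len(raw) != ARTIFACT_LENGTH:
        raise ValueError(f"artifact must be {ARTIFACT_LENGTH} bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return Artifact(
        type_code=type_code,
        endpoint_index=int.from_bytes(raw[2:4], "big"),
        source_id=raw[4:24],
        message_handle=raw[24:44],
    )


def find_issuer(samlart: str, known_entity_ids: Iterable[str]) -> Optional[str]:
    """Match the SourceID against entityIDs from metadata; only that party's
    ArtifactResolutionService should be contacted, never a URL taken from the request."""
    wanted = parse_artifact(samlart).source_id
    for entity_id in known_entity_ids:
        if source_id_for(entity_id) == wanted:
            return entity_id
    return None


class ArtifactStore:
    """Constructed stand-in for the issuer side: maps outstanding artifacts to the message
    that the back-channel ArtifactResolve request will retrieve."""

    def __init__(self) -> None:
        self._pending: dict = {}

    def issue(self, issuer_entity_id: str, message_xml: str, endpoint_index: int = 0) -> str:
        samlart = build_artifact(issuer_entity_id, endpoint_index)
        self._pending[samlart] = message_xml
        return samlart

    def resolve(self, samlart: str) -> Optional[str]:
        # Single use: the message is removed on first resolution, so a replayed artifact yields None.
        return self._pending.pop(samlart, None)


if __name__ == "__main__":
    store = ArtifactStore()
    art = store.issue("https://idp.example.test/metadata", "<samlp:Response/>")  # constructed message
    print("artifact sent to client:", art)
    print("issuer:", find_issuer(art, ["https://idp.example.test/metadata"]))
    print("first resolve:", store.resolve(art))
    print("second resolve:", store.resolve(art))
```

Nothing in the 60-character artifact string depends on the contents of the message it refers to, which is the property the text relies on when it says no meaningful information reaches the client.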