Problem statement
Why does Auth0 require that the SAML Response be sent with the HTTP-POST binding rather than HTTP-Redirect? The SAML Request can be sent in a redirect without issue.
Steps to reproduce
- Configure SAML connection in Auth0 dashboard and complete a test login where Protocol Binding is set to ‘HTTP-Redirect’
- Record a .har file and observe the network requests, which show the difference in how a SAML Request and a SAML Response are transported
Solution
SAML messages can be sent using different methods, called bindings. Four standard bindings are in common use today: HTTP Redirect, HTTP POST, HTTP Artifact and SOAP. In the context of Auth0, only HTTP Redirect and HTTP POST are currently supported.
The Redirect binding is a popular way of sending messages that relies on HTTP redirects. Its limitation is that the message travels inside URL query parameters, and URLs cannot hold large amounts of data (a commonly supported maximum URL length is 2048 characters, and the exact limit varies by browser). This makes the Redirect binding suitable for SAML authentication requests, which are quite small, but less suitable for large messages such as SAML responses. The POST binding solves this.
The POST binding, instead of using an HTTP redirect, responds to the SP/IdP with an HTML page that carries the SAML message encoded in an input field of a form. When the browser receives this HTML page, a small JavaScript snippet or a meta refresh tag typically makes the browser submit the form automatically to the intended recipient of the message.
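The following added example (not Auth0's code) builds the same constructed SAML AuthnRequest and Response with both bindings so the size difference is visible: the Redirect binding DEFLATE-compresses, base64-encodes and URL-encodes the message into the query string, while the POST binding base64-encodes it into a self-submitting form. The endpoints, IDs and issuer are placeholders, and a seeded random blob stands in for the signature data a real Response carries.

```python
import base64
import html
import random
import urllib.parse
import zlib

URL_LIMIT = 2048  # practical URL length limit cited above; the real limit varies by browser

def redirect_binding_url(endpoint: str, param: str, xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 means raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = urllib.parse.urlencode({param: base64.b64encode(deflated).decode("ascii")})
    return f"{endpoint}?{query}"

def decode_redirect_param(url: str, param: str) -> str:
    """Reverse of redirect_binding_url, as the receiving SP or IdP would unpack it."""
    value = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)[param][0]
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def post_binding_form(endpoint: str, param: str, xml: str) -> str:
    """HTTP-POST binding: plain base64 in a hidden form field that the page submits on load."""
    value = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return ('<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(endpoint, quote=True)}">'
            f'<input type="hidden" name="{param}" value="{value}"/></form></body></html>')

def fits_in_url(url: str) -> bool:
    return len(url) <= URL_LIMIT

# Constructed sample messages; the endpoints, IDs and issuer are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs"><saml:Issuer '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com</saml:Issuer>'
    "</samlp:AuthnRequest>")
# A real Response carries a signed Assertion with SignatureValue/X509Certificate blobs; that is
# high-entropy base64 which DEFLATE barely shrinks, so a seeded random blob stands in for it here.
_FAKE_SIG = base64.b64encode(random.Random(1234).randbytes(2000)).decode("ascii")
SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" '
    'Version="2.0" Destination="https://sp.example.com/acs"><saml:Assertion ID="_a1" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject><saml:NameID>'
    'user@example.com</saml:NameID></saml:Subject><ds:Signature xmlns:ds="http://www.w3.org/'
    f'2000/09/xmldsig#"><ds:SignatureValue>{_FAKE_SIG}</ds:SignatureValue></ds:Signature>'
    "</saml:Assertion></samlp:Response>")
```

Running `fits_in_url` on the two redirect URLs shows the request comfortably under the limit and the response well over it, which is why the Response has to go through the POST form instead.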