Why is it required in Auth0 that the SAML Response needs to be sent as a POST instead of Redirect? The SAML Request can be sent in a redirect without issue.
- Configure SAML connection in Auth0 dashboard and complete a test login where Protocol Binding is set to ‘HTTP-Redirect’
- Record a .har file and observe the network requests which will show the difference in handling between a SAML Request and SAML Response
SAML messages can be sent using different methods, called bindings. There are four main standard bindings being used today, HTTP Redirect, HTTP POST, HTTP Artifact and SOAP. In the context of Auth0, only HTTP Redirect and HTTP POST are currently supported.
The Redirect binding is a popular method of sending messages which relies on HTTP Redirects. A problem with the redirect binding is that the message is sent inside URL parameters and URL parameters can not hold large amounts of data (a maximum supported length of a URL is 2048 characters and may vary based on browser). This makes it suitable for SAML authentication request, which are quite small, but less suitable for large messages like SAML responses. The POST binding gives a solution to this.