Overview
This article explains why HTTP POST binding is recommended for transmitting Security Assertion Markup Language (SAML) Responses, in contrast to HTTP Redirect binding. The article also notes that SAML Requests can be sent using HTTP Redirect binding.
Applies To
- SAML Protocol Binding Options
Solution
SAML messages are transmitted using methods known as bindings. The primary standard bindings include:
- HTTP Redirect
- HTTP POST
- HTTP Artifact
- Simple Object Access Protocol (SOAP)
Within Auth0, the supported bindings are HTTP Redirect and HTTP POST.
HTTP Redirect Binding: This binding utilizes HTTP redirects for the transmission of SAML messages.
- Messages are embedded within URL parameters.
- A limitation is the maximum URL length (typically 2048 characters, though it varies by browser), which restricts how much data can be transmitted.
- This characteristic makes it suitable for smaller messages, such as SAML authentication requests.
- Due to these size constraints, it is less suitable for larger messages, such as SAML responses.
HTTP POST Binding: This binding transmits the SAML message to a recipient, such as a Service Provider (SP) or an Identity Provider (IdP), using an HTML page that contains a form. This method addresses the limitations encountered with the HTTP Redirect binding when handling larger messages.
- The SAML message is encoded within an input field in this form.
- When the browser receives this HTML page, JavaScript or a meta tag typically instructs the browser to automatically submit the form to the SP or IdP.
- This method is capable of handling larger SAML messages, such as responses.
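As an added example (not code from this article or from Auth0), both bindings described above in Python: the Redirect encoding, which per the SAML specification DEFLATE-compresses the message before base64 and URL-encoding it into the query string, the POST binding's auto-submitting form, and a length check showing that a constructed signed Response overruns the 2048-character URL ceiling while a small AuthnRequest fits. Endpoint URLs and message contents are constructed placeholders, not real SAML traffic.

```python
import base64
import hashlib
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
URL_LIMIT = 2048  # the typical browser/server URL ceiling the article refers to

def _blob(nbytes: int, seed: bytes) -> str:
    """Deterministic stand-in for a signature or certificate value (constructed, not a real key)."""
    out = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(nbytes // 32 + 1))
    return base64.b64encode(out[:nbytes]).decode()

# Constructed messages (not from any real IdP): a small AuthnRequest, and a Response padded with
# signature-sized and certificate-sized placeholders so its size is realistic.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="https://sp.example/acs"/>'
)
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_p1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>' + _blob(256, b"sig") + '</ds:SignatureValue>'
    '<ds:X509Certificate>' + _blob(2000, b"cert") + '</ds:X509Certificate></ds:Signature>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></samlp:Response>'
)

def redirect_binding_url(endpoint: str, message: str, param: str) -> str:
    """HTTP Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(message.encode()) + comp.flush()
    return f"{endpoint}?{urlencode({param: base64.b64encode(deflated).decode()})}"

def decode_redirect_param(url: str, param: str) -> str:
    """Receiver side: pull the query parameter, base64-decode, inflate."""
    return zlib.decompress(base64.b64decode(parse_qs(urlsplit(url).query)[param][0]), -15).decode()

def post_binding_form(endpoint: str, message: str, param: str) -> str:
    """HTTP POST binding: base64 in a hidden field; body onload auto-submits the form."""
    encoded = base64.b64encode(message.encode()).decode()
    return (f'<html><body onload="document.forms[0].submit()"><form method="post" action="{html.escape(endpoint)}">'
            f'<input type="hidden" name="{param}" value="{encoded}"/><noscript><input type="submit"/></noscript>'
            '</form></body></html>')

def decode_post_field(value: str) -> str:
    return base64.b64decode(value).decode()  # receiver side of the POST binding

def fits_redirect_binding(endpoint: str, message: str, param: str) -> bool:
    """Size check an issuer can apply before choosing Redirect over POST."""
    return len(redirect_binding_url(endpoint, message, param)) <= URL_LIMIT
```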