HowTo send a SAML Request?

java http azure saml-2.0 opensaml
Gobliins picture Gobliins · Nov 10, 2016 · Viewed 11.6k times · Source

i want to send a SAML request to my IDP (Azure AD) but ia m not sure how to send the request at all.

First i used OpenSAML to build an AuthRequest. Which i encoded as a String.

Now i wanted to use ApacheHttpClient to send the request and read the response and i am not sure if OpenSAML provides http sending methods at all so my idea was to use Apaches HttpClient for this for now.

String encodedAuthRequest = generateAuthRequest();
String url = "http://myidp/samlendpoint";
CloseableHttpClient client = HttpClientBuilder.create().build();
HttpGet request = new HttpGet(url);

// add request header
request.addHeader("User-Agent", USER_AGENT);

// what is to add else?

HttpResponse response = client.execute(request);

I am stuck now since i am not sure how to setup the request, does it need to be a query parameter like ?saml=.... in GET or do i have to put the encoded saml response in the body as POST..

Can someone help or clarify these issue?

Update from Guillaumes answer:

I have this from the IDPs MetaData:

<IDPSSODescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myidp/saml2" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myidp/saml2" />

Answer

Guillaume picture Guillaume · Nov 10, 2016

Depends on which binding you are supposed to use. The IdP documentation or metadata should mention that. There are several:

  • Redirect Binding (using a GET), by far the most common for Requests
  • POST Binding
  • Artifact Binding (more complex, but I have never seen it used for Requests)
  • ...

I suppose that Redirect Binding will be used in your case (EDIT: you added the metadata from your IdP, it mentions that you can use both Redirect and POST bindings). It is described here: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf page 15.

Short version: your must first use the DEFLATE algorithm to compress your XML Request, encode it using base64, encode it using URL encoding, then pass it as a query parameter named SAMLRequest

?SAMLRequest=<your url-encoded base64-encoded deflated authnrequest>

https://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Request.3B_IdP_POST_Response

Related questions

How to use java.net.URLConnection to fire and handle HTTP requests?

Use of java.net.URLConnection is asked about pretty often here, and the Oracle tutorial is too concise about it. That tutorial basically only shows how to fire a GET request and read the response. It doesn't explain anywhere how …

Read More
How to send HTTP request in java?

In Java, How to compose a HTTP request message and send it to a HTTP WebServer?

Read More
Java URL encoding of query string parameters

Say I have a URL http://example.com/query?q= and I have a query entered by the user such as: random word £500 bank $ I want the result to be a properly encoded URL: http://example.com/query?q=random%20…

Read More