
Should we use any compression technique like Deflater for <AuthnRequest> in SAML?


I am trying to generate the <AuthnRequest> on the SP side using OpenSAML-java in SAML.

While doing so, I noticed the limitations on URL length.

So is it mandatory to use a compression technique on the SAML message before sending it to TestIdP?

If we use a compression technique, how will the IdP know that the SP has used this compression technique, so that it can decompress the request message?

Is there any provision in the metadata for this?

Sample code is appreciated. Thank you.


Solution

  • As Wiki states:

    SAML protocol messages are often carried directly in the URL query string of an HTTP GET request. Since the length of URLs is limited in practice, the HTTP Redirect binding is suitable for short messages, such as the <AuthnRequest> message. Longer messages (e.g., those containing signed SAML assertions) should be transmitted via other bindings such as the HTTP POST Binding.

    SAML requests or responses transmitted via HTTP Redirect have a SAMLRequest or SAMLResponse query string parameter, respectively. Before it’s sent, the message is deflated, base64-encoded, and URL-encoded, in that order. Upon receipt, the process is reversed to recover the original message.

    The HTTP GET example is less than 600 characters long:

    https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=fZFfa8IwFMXfBb9DyXvaJtZ1BqsURRC2Mabbw95ivc5Am3TJrXPffmmLY3%2FA15Pzuyf33On8XJXBCaxTRmeEhTEJQBdmr%2FRbRp63K3pL5rPhYOpkVdYib%2FCon%2BC9AYfDQRB4WDvRvWWksVoY6ZQTWlbgBBZik9%2FfCR7GorYGTWFK8pu6DknnwKL%2FWEetlxmR8sBHbHJDWZqOKGdsRJM0kfQAjCUJ43KX8s78ctnIz%2Blp5xpYa4dSo1fjOKGM03i8jSeCMzGevHa2%2FBK5MNo1FdgN2JMqPLmHc0b6WTmiVbsGoTf5qv66Zq2t60x0wXZ2RKydiCJXh3CWVV1CWJgqanfl0%2Bin8xutxYOvZL18NKUqPlvZR5el%2BVhYkAgZQdsA6fWVsZXE63W2itrTQ2cVaKV2CjSSqL1v9P%2FAXv4C

    If you are using HTTP POST, the parameters of the request go in the body, so there is no problem at all.

    But you should really check that the SAMLRequest message is not too long.

    Security Note: Since with HTTP GET the whole request and its parameters get logged in any HTTP access log, you should really use POST.
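The three-step HTTP-Redirect encoding quoted in the answer (deflate, base64, URL-encode), written out as an added Python example; this is not code from the original post and not OpenSAML's own API. The sample AuthnRequest, the example.org hostnames and the 2048-character URL limit are constructed placeholders. The IdP-side decoder reverses the steps and caps the decompressed size, since a tiny SAMLRequest can inflate to a huge document. On the metadata question: nothing in metadata signals the compression, because DEFLATE encoding is part of the HTTP-Redirect binding definition itself, so an IdP endpoint that advertises that binding applies it to every message it receives there.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest (not from the original post). The ID,
# IssueInstant and the example.org URLs are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/SAML2/SSO/Redirect" '
    'AssertionConsumerServiceURL="https://sp.example.org/SAML2/ACS" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

IDP_SSO_URL = "https://idp.example.org/SAML2/SSO/Redirect"  # placeholder endpoint

# Assumed limit: browsers and servers differ, so the SP measures the URL
# it built and refuses to send one that is too long (the answer's advice).
MAX_REDIRECT_URL_LENGTH = 2048


def deflate_encode(xml: str) -> str:
    """Step 1 and 2: raw DEFLATE (no zlib header/trailer, wbits=-15), then base64.
    URL-encoding (step 3) happens when the query string is assembled."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    compressed = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(compressed).decode("ascii")


def build_redirect_url(idp_sso_url: str, xml: str,
                       relay_state: Optional[str] = None) -> str:
    """SP side: build the GET URL for the HTTP-Redirect binding."""
    params = {"SAMLRequest": deflate_encode(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    url = idp_sso_url + "?" + urlencode(params)  # step 3: URL-encode
    if len(url) > MAX_REDIRECT_URL_LENGTH:
        raise ValueError(
            f"redirect URL is {len(url)} chars; use the HTTP-POST binding instead")
    return url


def decode_saml_request(url: str, max_decoded_bytes: int = 1_000_000) -> str:
    """IdP side: reverse the three steps. The decompressed size is capped so a
    small SAMLRequest cannot be inflated into an enormous XML document."""
    query = parse_qs(urlparse(url).query)  # parse_qs URL-decodes the values
    compressed = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(compressed, max_decoded_bytes)
    if not inflater.eof:  # output cap hit, or stream truncated
        raise ValueError("SAMLRequest truncated or larger than the allowed decoded size")
    return xml_bytes.decode("utf-8")


def redirect_is_smaller_than_plain_base64(xml: str) -> bool:
    """Whether DEFLATE actually shortens the query parameter for this message."""
    plain = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return len(deflate_encode(xml)) < len(plain)


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST, relay_state="app-state")
    print(len(url), url)
    assert decode_saml_request(url) == SAMPLE_AUTHN_REQUEST
```

Signing is left out here: with the Redirect binding a signature travels in separate SigAlg and Signature query parameters rather than inside the XML, which is one more reason the answer steers longer or signed messages to HTTP-POST.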