SingleSignOnService Binding HTTP-POST

security

(Everson Silva) #1

Hi!
We are configuring X-Pack to integrate with an SSO provider, but unfortunately, this SSO service exposes only the HTTP-POST binding. I saw in the X-Pack documentation that it only supports the Redirect binding, but I would like to know if anyone has had this problem and how they solved it.


(Tim Vernum) #2

Our SAML integration only supports HTTP-Redirect to the IdP (it does support HTTP-Post on return from the IdP to Kibana), and I don't think you'll be able to work around that. What IdP do you have that only supports HTTP-Post?

If this is an issue for you, and you have a support or sales contact, then please ask them to raise an Enhancement Request to support HTTP-Post (and include details about the IdP).


(Everson Silva) #3

Hi Tim!

Thanks for your answer.

The IdP is provided to us by our customer and was developed by them.
Just for clarification, is it a recommendation (best practice) that the IdP support the HTTP-Redirect binding?


(Ioannis Kakavas) #4

Hi Everson,

It is actually more than a recommendation:

Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0, page 9: all Identity Providers MUST support the HTTP-Redirect binding.

Furthermore, the use of HTTP-Redirect binding is preferred in pretty much all interoperability profiles published, i.e.:

saml2int (now driven by Kantara) in progress version here, current version here
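
As an added illustration (not part of the thread and not Elastic's code): a Python check of IdP metadata for the HTTP-Redirect `SingleSignOnService` endpoint discussed above, followed by the encoding an SP applies when it sends an unsigned AuthnRequest over that binding. The metadata, hostnames and function names are constructed for this example.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
HTTP_REDIRECT = BINDINGS + "HTTP-Redirect"

def _metadata(*bindings):
    """Constructed sample IdP metadata (hypothetical host idp.example.test)."""
    eps = "".join(f'<md:SingleSignOnService Binding="{BINDINGS}{b}" '
                  f'Location="https://idp.example.test/sso/{b.lower()}"/>'
                  for b in bindings)
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://idp.example.test"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{eps}</md:IDPSSODescriptor></md:EntityDescriptor>')

POST_ONLY_IDP = _metadata("HTTP-POST")                  # the situation in this thread
CONFORMANT_IDP = _metadata("HTTP-POST", "HTTP-Redirect")

def sso_endpoints(metadata_xml):
    """Map each advertised SingleSignOnService binding URI to its Location."""
    # For metadata from an untrusted source, use a hardened parser (e.g. defusedxml).
    root = ET.fromstring(metadata_xml)
    return {e.get("Binding"): e.get("Location")
            for e in root.iter(MD + "SingleSignOnService")}

def redirect_login_url(metadata_xml, authn_request_xml):
    """Build the HTTP-Redirect URL for an unsigned AuthnRequest, or raise."""
    endpoints = sso_endpoints(metadata_xml)
    if HTTP_REDIRECT not in endpoints:
        raise ValueError("IdP advertises no HTTP-Redirect SingleSignOnService; "
                         f"found only: {sorted(endpoints)}")
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode()})
    location = endpoints[HTTP_REDIRECT]
    return location + ("&" if "?" in location else "?") + query

def decode_saml_request(url):
    """Inverse of the encoding above, for inspecting a captured redirect."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, wbits=-15).decode()
```

Running `sso_endpoints` against a customer's metadata before configuring the realm shows up front whether the IdP offers the binding the service provider needs.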


(Everson Silva) #5

Thanks for your answer!

It was very enlightening.

