Edit SAML SP Initiated Response

jamiec4451712

22-03-2017

Hey everyone,

I'm working on a site that uses SAML for SSO and have run into a small snag with the IDP. The IDP requires some additional configuration that is not available in the OOTB SamlAuthenticationHandler. Namely, I need to modify the form that is sent back to the browser. The form sent back has some JavaScript and a form in it that sets the request-path cookie and POSTs the SAML AuthnRequest to the IDP. An example is:

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
  <head>
    <meta http-equiv='content-type' content='text/html; charset=utf-8' />
    <title>POST data</title>
    <script>
      function setRequestPathCookies() {
        var requestPath = escape(document.location.pathname);
        var query = escape(document.location.search);
        if (query) requestPath += "?" + query;
        var hash = escape(document.location.hash.substring(1));
        if (hash) document.cookie = "anchor_backup=" + hash + ";path=/;";
        document.cookie = "saml_request_path=" + requestPath + ";path=/;";
      }
    </script>
  </head>
  <body onload='setRequestPathCookies(); document.forms[0].submit();'>
    <noscript>
      <p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button below once to proceed.</p>
    </noscript>
    <form method='post' action='https://IDP_URL.com/sso'>
      <input type='hidden' name='SAMLRequest' value='BASE64_SAML_AUTHN' />
      <noscript>
        <input type='submit' value='Submit' />
      </noscript>
    </form>
  </body>
</html>

I need to know how to modify this form. I cannot find a template or any documentation on the subject. I have read all the SAML documentation and understand quite well how it works, and am just looking for some direction into where I can find the code that generates this file exactly so I can modify it. Any direction here is appreciated.

Thank you!

jamiec4451712

23-03-2017

Thanks for the reply. The problem is that the IDP does not have a session store, so it loses the SP context during SP-initiated authentication and cannot properly redirect the user to the consume URL. The solution is to urlencode the AuthnRequest and other parameters and place them in the query string. The simplest way to do this is to change that form from a POST to a GET. That simple change will solve our problems. Essentially, the IDP does not currently support SP-initiated authentication via POST. AEM does not provide an option to configure the request method used in that form. It seems foolish to rewrite the bundle to change 4 characters - I was hoping there was a more deliberate way to approach that change.
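As an added example (not part of this thread and not AEM's SamlAuthenticationHandler code), the following Python contrasts the two encodings the posts describe: the HTTP-POST binding that puts the base64 AuthnRequest in the hidden form field, and the HTTP-Redirect binding that carries it in a GET query string. Note that the Redirect binding in the SAML 2.0 Bindings spec (section 3.4.4.1) DEFLATE-compresses the XML before base64 and URL-encoding, so a plain method switch on the form is not enough on its own. The IDP URL, the AuthnRequest XML and the RelayState value are constructed placeholders.

```python
"""Added example: the two SAML AuthnRequest bindings contrasted in the thread.
Not AEM's code; IDP URL, AuthnRequest XML and RelayState are constructed."""
import base64
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest (a real one is generated by the SP).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id" Version="2.0" IssueInstant="2017-03-22T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml_login">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)


def post_binding_value(xml: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, i.e. the value of the
    hidden SAMLRequest input in the auto-submitting form shown above."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def redirect_binding_url(idp_sso_url: str, xml: str,
                         relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding (GET): raw DEFLATE, then base64, then URL-encode
    into the query string (SAML 2.0 Bindings 3.4.4.1)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # SP context the IDP must echo back
    return idp_sso_url + "?" + urlencode(params)


def decode_post_value(value: str) -> str:
    """Inverse of post_binding_value, as the IDP applies it to the form field."""
    return base64.b64decode(value).decode("utf-8")


def decode_redirect_url(url: str) -> Tuple[str, Optional[str]]:
    """Inverse of redirect_binding_url: parse the query, base64-decode, inflate."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


if __name__ == "__main__":
    url = redirect_binding_url("https://IDP_URL.com/sso", AUTHN_REQUEST, "/content/page.html")
    print(url)
    print(decode_redirect_url(url)[0] == AUTHN_REQUEST)
```

With the GET form the request travels in the URL, so it shows up in browser history and in proxy and web-server access logs, which is worth knowing when troubleshooting. If the IDP requires signed requests, the Redirect binding signs the SAMLRequest, RelayState and SigAlg query parameters and appends a Signature parameter, rather than embedding an XML signature as the POST binding does.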