Use POST instead of Redirect after discovery to avoid big headers issues #970
Comments
|
Hi @pdesgarets , What version of SATOSA and pysaml2 are you running? Just wondering whether this might be caused by an issue reported in pysaml2 #819 and resolved in #380. Prior to this fix, the AuthnRequest included an XML signature (besides being also signed at the redirect binding level) and that caused the overall redirect URL to be quite large. If this still impacts you, removing the extra signature might be you below the threshold... Hope this helps. Cheers, |
|
I'm using the latest versions, SATOSA 8.4.0 and pysaml2 7.5.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am using SATOSA with Renater federation WAYF (SAML frontend / SAML backend with discovery).
The global nginx reverse proxy on our infra is sending 502 errors after the selection of the IDP on the WAYF, because the headers of the response contain the
Locationwith the SAMLRequest query param and is too big (upstream sent too big header while reading response header from upstream).I see the order of
bindings_to_tryin saml2.client.Saml2Client.prepare_for_negotiated_authenticate (called by satosa.backends.saml2.SAMLBackend.authn_request) is hardcoded. Could it be configurable, so that POST is preferred over Redirect ? (is there a reason to prefer Redirect ?)Should not
preferred_bindingbe used there ? (I don't understand fully all the types of services, so maybe a silly idea)The text was updated successfully, but these errors were encountered: