Anyone familiar with SAML1.1 and 2.0?

Soldato (Joined 1 Mar 2003, Posts 5,508, Location Cotham, Bristol)
Perhaps a long shot but I have a couple of questions on both versions.

First off, for SAML 1.1:

I am integrating into a legacy SAML 1.1 application and I am trying to determine if the TARGET query parameter is required in the initial request for the intersite transfer service.

Reading the spec (https://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf), Section 4.1.2.3 says:

It is RECOMMENDED that the HTTP request take the following form:
GET path?...TARGET=Target...

Section 4.1.2.4 then seems to contradict this and says:

This MUST include an HTML form with the following form body:

Code:
    <Body>
    <FORM Method="Post" Action="https://<assertion consumer host name and path>" ...>
    <INPUT TYPE="hidden" NAME="SAMLResponse" Value="B64(<response>)">
     ...
    <INPUT TYPE="hidden" NAME="TARGET" Value="<Target>">
    </FORM>
    </Body>

So if TARGET is only RECOMMENDED then where would the form get the value of TARGET from?

And another query, for SAML 2.0:

For SAML 1.1, the TARGET query parameter set in the initial request for the intersite transfer service is used by the assertion consumer service to redirect the user to the protected resource once the assertions have been validated. So a user could request page 1, 2 or 3 at a protected site and be directed to the correct location after the SAML flow is complete.

How is the same achieved for SAML 2.0? From what I've read, the SAML 2.0 ACS processes the SAML response and redirects to the target resource. How would it deal with the page 1, 2 or 3 scenario? Or does it always direct back to a predefined location? Or is the RelayState used for custom flows like this?
 
Permabanned (Joined 9 Aug 2009, Posts 12,236, Location UK)
That spec is garbage.
So yeah, it's gonna depend on how it's been implemented by whichever system you're logging in to. You'd have to ask them.
We don't allow the target on purpose because people can put dodgy stuff in there and it's a PITA to validate the input.
 
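The two posts above touch the same point from opposite sides: the OP asks how the "page 1, 2 or 3" return location survives a SAML 2.0 flow, and the reply explains why one SP refuses a caller-supplied target rather than validate it. The Python below is an added example written for this page, not code from either poster or from any SAML library. It shows both answers side by side: a SAML 2.0 style SP that issues an opaque, one-time RelayState token and keeps the real return path server-side (the SAML 2.0 Bindings spec caps RelayState at 80 bytes and says the IdP must return it unchanged), and a SAML 1.1 style allowlist check for a TARGET value that is carried through as-is. The token format, the `RelayStateStore` class, the `safe_return_path` rules and the sample paths are this example's own choices and are not prescribed by either spec.

```python
"""Added example: carrying a per-request return location through a SAML flow
without trusting it as free text (not from the forum thread or any SAML library)."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

MAX_RELAY_STATE = 80  # SAML 2.0 Bindings: a RelayState value MUST NOT exceed 80 bytes


def safe_return_path(target, default="/"):
    """Return TARGET as a same-site relative path, or `default` if it is not one.

    Allowlist chosen for this example: only "/path[?query]" on this SP's own origin.
    Everything a browser could read as another origin or a script URL is refused:
    absolute URLs, protocol-relative "//host", "/\\host" (some browsers treat "\\"
    as "/"), and control characters that could split a Location header.
    """
    if not isinstance(target, str) or not target or len(target) > 2048:
        return default
    if any(ord(c) < 0x20 or c in " \\\x7f" for c in target):
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    # The fragment never reaches the server, so it is dropped rather than echoed.
    return urlunsplit(("", "", parts.path, parts.query, ""))


class RelayStateStore:
    """Opaque, one-time RelayState tokens bound to a server-side return path.

    The ACS never redirects to anything found inside the RelayState value itself;
    the token only selects an entry this SP created when it started the flow.
    The HMAC tag lets the ACS reject forged or tampered tokens before touching
    the store. `_pending` is an in-memory dict here; a real SP would use a shared
    cache with an expiry.
    """

    def __init__(self, key):
        self._key = key
        self._pending = {}  # token id -> validated return path

    def _tag(self, token_id):
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, requested_path):
        """Called when an unauthenticated user asks for `requested_path`."""
        token_id = secrets.token_hex(16)  # 32 hex chars, unguessable
        self._pending[token_id] = safe_return_path(requested_path)
        relay_state = f"{token_id}.{self._tag(token_id)}"  # 32 + 1 + 32 = 65 bytes
        assert len(relay_state.encode()) <= MAX_RELAY_STATE
        return relay_state

    def resolve(self, relay_state):
        """Called by the ACS after the assertion has been validated.

        Returns the stored return path, or None if the token is oversized,
        malformed, forged, or has already been used.
        """
        if not isinstance(relay_state, str) or len(relay_state.encode()) > MAX_RELAY_STATE:
            return None
        token_id, sep, tag = relay_state.partition(".")
        if not sep or not hmac.compare_digest(tag.encode(), self._tag(token_id).encode()):
            return None
        return self._pending.pop(token_id, None)  # one-time use: replay gets None


def demo_sp_initiated_flow():
    """Walk the 'user asked for page 2' scenario through the RelayState path."""
    store = RelayStateStore(secrets.token_bytes(32))
    # 1. Unauthenticated request for /page2: the SP issues an opaque RelayState
    #    and sends the user to the IdP with it (the AuthnRequest itself is omitted).
    relay_state = store.issue("/page2?draft=1")
    # 2. The IdP returns the user to the ACS with RelayState echoed unchanged.
    #    After validating the assertion (not shown) the ACS redirects to:
    after_login = store.resolve(relay_state) or "/"
    # 3. A replayed RelayState is refused because the entry was consumed.
    replay = store.resolve(relay_state)
    return after_login, replay


if __name__ == "__main__":
    print(demo_sp_initiated_flow())
    for sample in ("/page3?x=1", "//evil.example/", "https://evil.example/",
                   "/\\evil.example", "javascript:alert(1)", "/page1\r\nX: y"):
        print(repr(sample), "->", safe_return_path(sample))
```

The SAML 1.1 form in the first post carries TARGET round-trip through the IdP, so an SP that honours it is exactly where `safe_return_path` would sit: at the ACS, before the final redirect. The SAML 2.0 half avoids the validation problem by construction, since the only thing the IdP hands back is a token the SP minted itself.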
Soldato, OP (Joined 1 Mar 2003, Posts 5,508, Location Cotham, Bristol)
Yeah, they are a touch ambiguous! So are you saying your interpretation is that the target isn't required in the initial request but IS required as a form parameter for the SAML response? If so, I assume you have a single predefined, configurable location for where the ACS will redirect to after the response has been processed?
 