HTTP-Redirect disallowed for transport of SSO response

This one is probably obvious to the initiated, but had me scratching my head for a little while, so I thought it worth posting.

PingFederate, when asked to perform an SP-initiated SSO Redirect-Redirect, fails with the following error in the logs:

2015-10-23 16:38:20,404 tid:rBZwfgxQg49EnZYKgLARHbPCQak ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] Exception occurred during request processing
org.sourceid.saml20.profiles.StatusResponseException: ProtocolBinding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect disallowed for transport of SSO response.

This functionality has been intentionally excluded from the product according to the very helpful support engineer I spoke with at Ping. The reasoning behind this is that the SAML response is typically quite long and whilst the HTTP/1.1 RFC states there is no limit to the length of a query string, there are practical limits implemented in browsers. Testing all browsers for their limits is simply not practical. Switching my app over to using SP Initiated SSO Redirect-POST resolved my issue.
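To confirm which response binding an application is requesting, decode the SAMLRequest it sends over HTTP-Redirect and read the ProtocolBinding attribute. The Python below is an added example, not code from PingFederate or from the original post; the AuthnRequest, hostnames and function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
REDIRECT, POST = BINDINGS + "HTTP-Redirect", BINDINGS + "HTTP-POST"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest; the ID, timestamp and hostnames are placeholders.
TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="{ns}" ID="_constructed1" Version="2.0" '
    'IssueInstant="2015-10-23T16:38:20Z" ProtocolBinding="{binding}" '
    'AssertionConsumerServiceURL="https://sp.example/acs"/>'
)

def redirect_encode(xml):
    """HTTP-Redirect encoding: raw DEFLATE, then base64 (URL-encoding comes last)."""
    comp = zlib.compressobj(wbits=-15)  # negative wbits = no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def redirect_decode(value):
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode()

def sample_sso_url(binding):
    xml = TEMPLATE.format(ns=SAMLP, binding=binding)
    return "https://idp.example/sso?" + urlencode({"SAMLRequest": redirect_encode(xml)})

def requested_response_binding(sso_url):
    """Return the binding the SP asks the IdP to use for the SSO response."""
    query = parse_qs(urlparse(sso_url).query)  # parse_qs undoes the URL-encoding
    root = ET.fromstring(redirect_decode(query["SAMLRequest"][0]))
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("SAMLRequest is not an AuthnRequest")
    return root.get("ProtocolBinding")

def asks_for_redirect_response(sso_url):
    """True for the Redirect-Redirect case that the log line above rejects."""
    return requested_response_binding(sso_url) == REDIRECT

if __name__ == "__main__":
    for binding in (REDIRECT, POST):
        url = sample_sso_url(binding)
        print(binding.rsplit(":", 1)[1], "->", asks_for_redirect_response(url))
```

A request that returns `True` here is the Redirect-Redirect case; changing the SP's requested binding to HTTP-POST gives Redirect-POST, which is on the supported list.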

There’s some info on the query string limitations in this (dated) Stack Overflow answer.

The list of profiles that PingFederate supports (which I obviously didn’t check) is listed here.

At the time of writing, this is the list:

  • SP-Initiated SSO–POST-POST
  • SP-Initiated SSO–Redirect-POST
  • SP-Initiated SSO–Artifact-POST
  • SP-Initiated SSO–POST-Artifact
  • SP-Initiated SSO–Redirect-Artifact
  • SP-Initiated SSO–Artifact-Artifact
  • IdP-Initiated SSO–POST
  • IdP-Initiated SSO–Artifact