This one is probably obvious to the initiated, but had me scratching my head for a little while, so I thought it worth posting.
PingFederate, when asked to perform SP-Initiated SSO Redirect-Redirect (the AuthnRequest and the SAML Response both carried over the HTTP-Redirect binding), fails with the following error in the logs:
2015-10-23 16:38:20,404 tid:rBZwfgxQg49EnZYKgLARHbPCQak ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] Exception occurred during request processing org.sourceid.saml20.profiles.StatusResponseException: ProtocolBinding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect disallowed for transport of SSO response.
This functionality has been intentionally excluded from the product according to the very helpful support engineer I spoke with at Ping. The reasoning behind this is that the SAML response is typically quite long and whilst the HTTP/1.1 RFC states there is no limit to the length of a query string, there are practical limits implemented in browsers. Testing all browsers for their limits is simply not practical. Switching my app over to using SP Initiated SSO Redirect-POST resolved my issue.
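To make the size argument concrete, here is an added example (my own code, not part of the original post and not PingFederate's implementation) that encodes a SAML message the way the HTTP-Redirect binding does (raw DEFLATE, then base64, then URL-encoding into the query string) and the way the HTTP-POST binding does (plain base64 in a hidden form field), then compares the redirect URL against a practical browser limit. The AuthnRequest and Response XML, the example.com hosts, the placeholder signature bytes and the 2048-character limit are all constructed assumptions for illustration; a real signed Response also embeds the signing certificate and user attributes, so it is larger than this one. The example ignores the SigAlg/Signature query parameters that the Redirect binding uses for request signing, since the point here is the length of the message itself.

```python
import base64
import hashlib
import zlib
from typing import Optional
from urllib.parse import urlencode

# Assumed practical URL ceiling for this example; real browsers and proxies differ.
PRACTICAL_URL_LIMIT = 2048

# Constructed sample AuthnRequest (not real PingFederate output); hosts are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2015-10-23T16:38:20Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)


def _pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic filler standing in for signature and certificate bytes, which
    are effectively random and therefore gain almost nothing from DEFLATE."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def sample_response(signature_bytes: int = 2048) -> str:
    """Constructed SAML Response carrying a placeholder (not valid) enveloped
    signature block, as a POST-bound response would. Real responses are larger."""
    sig = base64.b64encode(_pseudo_random_bytes(signature_bytes)).decode("ascii")
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" '
        'InResponseTo="_req1" Version="2.0" IssueInstant="2015-10-23T16:38:21Z">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-10-23T16:38:21Z">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>'
        f'<ds:Signature><ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature>'
        '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


def deflate_base64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_base64(value: str) -> str:
    """What the receiving side does with a SAMLRequest/SAMLResponse query parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_url(endpoint: str, param: str, xml: str,
                 relay_state: Optional[str] = None) -> str:
    """Build the full redirect target; the whole message rides in the query string."""
    query = {param: deflate_base64(xml)}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return f"{endpoint}?{urlencode(query)}"


def post_form_value(xml: str) -> str:
    """HTTP-POST binding encoding: plain base64 in a hidden form field, no DEFLATE,
    and no dependence on how long a URL the browser will carry."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_form_value(value: str) -> str:
    return base64.b64decode(value).decode("utf-8")


def fits_in_url(url: str, limit: int = PRACTICAL_URL_LIMIT) -> bool:
    """True when the redirect target stays within the assumed practical limit."""
    return len(url) <= limit


if __name__ == "__main__":
    req_url = redirect_url("https://idp.example.com/sso", "SAMLRequest", AUTHN_REQUEST, "state")
    resp_url = redirect_url("https://sp.example.com/acs", "SAMLResponse", sample_response())
    print(f"AuthnRequest via Redirect: {len(req_url)} chars, fits={fits_in_url(req_url)}")
    print(f"Response via Redirect:     {len(resp_url)} chars, fits={fits_in_url(resp_url)}")
    print(f"Response via POST field:   {len(post_form_value(sample_response()))} chars")
```

Run stand-alone, the script shows the AuthnRequest comfortably inside the limit and the Response well outside it, even though both go through the same DEFLATE step: the signature and certificate material is essentially incompressible, so a signed Response stays long no matter how it is encoded. That is the asymmetry behind PingFederate accepting Redirect for the request leg but only POST or Artifact for the response leg. Carrying the Response in a URL would also leave it in browser history and web server access logs, one more reason to prefer the POST binding for that leg.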
There’s some info on the query string limitations in this (dated) Stack Overflow answer.
The list of SSO profiles that PingFederate supports (which I obviously didn’t check) is here.
At the time of writing, this is the list:
- SP-Initiated SSO–POST-POST
- SP-Initiated SSO–Redirect-POST
- SP-Initiated SSO–Artifact-POST
- SP-Initiated SSO–POST-Artifact
- SP-Initiated SSO–Redirect-Artifact
- SP-Initiated SSO–Artifact-Artifact
- IdP-Initiated SSO–POST
- IdP-Initiated SSO–Artifact