

How to Configure SAML 2.0 HTTP POST Binding

For authentication and single log-out requests, you can enable SAML 2.0 HTTP POST binding as a method for exchanging requests and responses.

This procedure assumes that you are familiar with federated environments and have created and activated one or more of the following partnerships:

The following graphic describes how to enable SAML 2.0 HTTP POST binding:

[Figure: workflow for configuring SAML 2.0 POST binding in your partnerships]

Follow these steps:

  1. Perform the appropriate task for your type of partnership:
Enable the HTTP POST Binding at the IdP

You can enable the HTTP POST binding on the IdP side (of an IdP to an SP partnership).

Follow these steps:

  1. Open the Administrative UI.
  2. If the partnership that you want to modify is active, deactivate it.
  3. Click Modify to open the partnership wizard.
  4. Navigate to the SSO and SLO tab in the partnership wizard.
  5. Click the HTTP POST check boxes next to the following items:
    Authentication Request Binding

    Specifies the types of bindings the IdP allows when it receives an authentication request from the SP.

    Options: HTTP-Redirect, HTTP-POST

    SSO Profile

    Determines which single sign-on profile the federation system uses for processing requests. You can select all bindings; the local entity determines the sequence in which the bindings are tried.

    Options: HTTP-Artifact, HTTP-POST, Enhanced Client and Proxy

    Note: Select the ECP profile if the entities in the partnership are communicating indirectly through an enhanced client. An enhanced client can be a browser or other user agent, or an enhanced proxy, such as a wireless proxy for a wireless device.

    Note: You can select multiple bindings for each item. For example, you can select HTTP-Redirect and HTTP-POST together. You also can select different bindings for each of these items. For example, you can select the HTTP-POST binding for one and the HTTP-Redirect binding for another.

  6. Create a remote assertion consumer service URL with a binding that matches the one in your SSO profile. For example, if you picked HTTP-Redirect and HTTP-POST bindings, create two remote assertion consumer service URLs, one for each binding.
  7. (Optional) In the SLO section, select the HTTP-POST check box.

    Note: You can select multiple bindings for this item. For example, you can select HTTP-POST and HTTP-Redirect together.

  8. Create an SLO service URL with a binding that matches the SLO binding. For example, if you picked HTTP-Redirect and HTTP-POST bindings, create two SLO service URLs, one for each SLO binding.
  9. Complete any other partnership information as needed.
  10. At the confirm step, click Finish.

    SSO HTTP-POST binding is enabled.

Enable the HTTP POST Binding at the SP

You can enable the HTTP POST binding at the SP side (of an SP to an IdP partnership).

Follow these steps:

  1. Open the Administrative UI.
  2. If the partnership that you want to modify is active, deactivate it.
  3. Click Modify to open the partnership wizard.
  4. Navigate to the SSO and SLO tab in the partnership wizard.
  5. Click the HTTP POST check boxes next to the following items:
    Authentication Request Binding

    Specifies the types of bindings the SP uses when it sends an authentication request to the IdP.

    Limits: HTTP-Redirect, HTTP-POST

    SSO Profile

    Determines which single sign-on profile the federation system uses for processing requests. You can select all bindings; the local entity determines the sequence in which the bindings are tried.

    Options: HTTP-Artifact, HTTP-POST, Enhanced Client and Proxy

    Note: Select the ECP profile if the entities in the partnership are communicating indirectly through an enhanced client. An enhanced client can be a browser or other user agent, or an enhanced proxy, such as a wireless proxy for a wireless device.

    Note: You can select multiple bindings for each item. For example, you can select HTTP-Redirect and HTTP-POST together. You also can select different bindings for each of these items. For example, you can select the HTTP-POST binding for one and the HTTP-Redirect binding for another.

  6. Create a remote SSO service URL with a binding that matches the one in your SSO profile. For example, if you picked HTTP-Redirect and HTTP-POST bindings, create two remote SSO service URLs, one for each binding.
  7. (Optional) In the SLO section, select the HTTP-POST check box.

    Note: You can select multiple bindings for this item. For example, you can select HTTP-POST and HTTP-Redirect together.

  8. Create an SLO Service URL with a binding that matches the SLO binding. For example, if you picked HTTP-Redirect and HTTP-POST bindings, create two SLO Service URLs, one for each SLO binding.
  9. Complete any other partnership information as needed.
  10. At the confirm step, click Finish.

    SSO HTTP-POST binding is enabled.
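
Steps 6 and 8 of both procedures require one service URL for every binding selected. The following added example (not part of the product or its documentation) checks that rule against a partner's SAML 2.0 metadata before you reactivate the partnership. It assumes the partner publishes standard metadata and that the URLs you enter come from it; the entity sp.example.test and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: metadata of a remote SP (hypothetical sp.example.test).
# It has an ACS endpoint for HTTP-POST only and an SLO endpoint for
# HTTP-Redirect only.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.test">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/slo/redirect"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_bindings(metadata_xml, role, service):
    """Short binding names (e.g. 'HTTP-POST') that have a usable endpoint."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for ep in root.findall(f".//{MD}{role}/{MD}{service}"):
        binding = ep.get("Binding", "")
        # An endpoint without a Location cannot receive a message.
        if binding.startswith(BINDING_PREFIX) and ep.get("Location"):
            found.add(binding[len(BINDING_PREFIX):])
    return found


def missing_endpoints(metadata_xml, role, selected):
    """Map each service to the selected bindings that have no endpoint.

    `selected` maps a metadata service element name to the set of bindings
    selected in the partnership wizard for that item.
    """
    gaps = {}
    for service, bindings in selected.items():
        absent = bindings - endpoint_bindings(metadata_xml, role, service)
        if absent:
            gaps[service] = sorted(absent)
    return gaps
```

For the SP-side procedure, pass the IdP's metadata with role `IDPSSODescriptor` and service `SingleSignOnService` in place of `AssertionConsumerService`.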