Sun OpenSSO Enterprise 8.0 Administration Guide

POST Binding with Single Sign-on and Single Logout

The HTTP POST binding is used when an identity provider returns a response to a request from a service provider. To configure POST binding, the following elements must be present in the identity provider's standard metadata.

<IDPSSODescriptor
  WantAuthnRequestsSigned="false"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://isdev-3.red.com:58080/fam/IDPSloPOST/metaAlias/idp"
    ResponseLocation="http://isdev-3.red.com:58080/opensso/IDPSloPOST/metaAlias/idp"/>
  <SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://isdev-3.red.iplanet.com:58080/opensso/SSOPOST/metaAlias/idp"/>
</IDPSSODescriptor>

To configure the service provider side, its standard metadata must include the following elements.

<SPSSODescriptor
  AuthnRequestsSigned="false"
  WantAssertionsSigned="false"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  .....
  <SingleLogoutService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://mach1.red.com:58080/opensso/SPSloPOST/metaAlias/sp"
    ResponseLocation="http://mach1.red.com:58080/opensso/SPSloPOST/metaAlias/sp"/>
</SPSSODescriptor>

idpSSOInit.jsp, spSSOInit.jsp, spSingleLogoutInit.jsp and idpSingleLogoutInit.jsp initiate single sign-on or single logout using the binding named in their binding query parameter. Supported values are urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. An example URL for service provider initiated single logout might be http://mach1.red.com:58080/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=isdev-3.red.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
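As an added check, not part of this guide or of OpenSSO itself, the following Python script parses metadata built from the two fragments above, lists the endpoints that use the HTTP-POST binding, flags the signing attributes that are set to false (unsigned AuthnRequests and unsigned assertions are the settings a reviewer would want to see turned on before production), and builds the spSingleLogoutInit.jsp URL with its query parameters URL-encoded. It assumes the fragments belong in the standard SAML 2.0 metadata namespace (the page's fragments carry no namespace declaration), uses the page's own sample hosts and paths, and the function names are mine.

```python
"""Check SAML 2.0 metadata for HTTP-POST endpoints and signing settings.

Added example, not OpenSSO code. The metadata strings are constructed from
the fragments on this page (same hosts and paths), wrapped in an
EntityDescriptor in the SAML 2.0 metadata namespace (an assumption: the
page fragments carry no namespace declaration).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUPPORTED_BINDINGS = {HTTP_POST, HTTP_REDIRECT}

# Constructed sample: identity provider metadata from this page.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="isdev-3.red.com">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{HTTP_POST}"
        Location="http://isdev-3.red.com:58080/fam/IDPSloPOST/metaAlias/idp"
        ResponseLocation="http://isdev-3.red.com:58080/opensso/IDPSloPOST/metaAlias/idp"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="http://isdev-3.red.iplanet.com:58080/opensso/SSOPOST/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: service provider metadata from this page (the part the
# page elides with "....." is left out here as well).
SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="mach1.red.com">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{HTTP_POST}"
        Location="http://mach1.red.com:58080/opensso/SPSloPOST/metaAlias/sp"
        ResponseLocation="http://mach1.red.com:58080/opensso/SPSloPOST/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Attributes whose value "true" requires signatures on the messages they govern.
SIGNING_ATTRS = {
    "IDPSSODescriptor": ("WantAuthnRequestsSigned",),
    "SPSSODescriptor": ("AuthnRequestsSigned", "WantAssertionsSigned"),
}


def _tag(local):
    """Qualify a local element name with the SAML metadata namespace."""
    return f"{{{MD_NS}}}{local}"


def endpoints(metadata_xml, role, service, binding=HTTP_POST):
    """Return the Location of each <service> under <role> that uses <binding>."""
    root = ET.fromstring(metadata_xml)
    return [
        svc.get("Location")
        for desc in root.iter(_tag(role))
        for svc in desc.findall(_tag(service))
        if svc.get("Binding") == binding
    ]


def signing_warnings(metadata_xml):
    """List signing requirements that are off; an absent attribute means false."""
    root = ET.fromstring(metadata_xml)
    return [
        f"{role}: {attr} is not true"
        for role, attrs in SIGNING_ATTRS.items()
        for desc in root.iter(_tag(role))
        for attr in attrs
        if desc.get(attr, "false").lower() != "true"
    ]


def sp_slo_init_url(base_url, meta_alias, idp_entity_id, binding=HTTP_POST):
    """Build the spSingleLogoutInit.jsp URL; the binding URN is URL-encoded."""
    if binding not in SUPPORTED_BINDINGS:
        raise ValueError(f"unsupported binding: {binding}")
    query = urlencode(
        {"metaAlias": meta_alias, "idpEntityID": idp_entity_id, "binding": binding}
    )
    return f"{base_url}/saml2/jsp/spSingleLogoutInit.jsp?{query}"


if __name__ == "__main__":
    print("IdP SSO (POST):", endpoints(IDP_METADATA, "IDPSSODescriptor", "SingleSignOnService"))
    print("IdP SLO (POST):", endpoints(IDP_METADATA, "IDPSSODescriptor", "SingleLogoutService"))
    print("SP SLO (POST): ", endpoints(SP_METADATA, "SPSSODescriptor", "SingleLogoutService"))
    for warning in signing_warnings(IDP_METADATA) + signing_warnings(SP_METADATA):
        print("warning:", warning)
    print(sp_slo_init_url("http://mach1.red.com:58080/opensso", "/sp", "isdev-3.red.com"))
```

Run against real exported metadata by replacing the two constructed strings with the file contents; the guide's example URL passes the binding URN unencoded, which browsers tolerate, but encoding it is what a client library should do, and the script rejects any binding value outside the two the guide lists.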