ゆるテックノート

Understanding SAML Binding Methods

SAML supports multiple binding methods to transfer messages between IdP and SP. This page outlines the differences between the major types and when to use each.

🔗 What is a Binding?

A binding in SAML refers to the transport mechanism used to send SAML messages like requests and responses between parties, typically over HTTP.

Common Types

  • 📌 HTTP-Redirect: Encodes the message in the URL query string via a GET request.
  • 📌 HTTP-POST: Sends the message in a form field via POST.
  • 📌 HTTP-Artifact: Sends only a reference ID, then retrieves the actual message via a separate back-channel request.

🚀 HTTP-Redirect Binding

Often used for sending SAMLRequest or LogoutRequest. It is lightweight but has limitations due to URL length.

Features & Considerations

  • ⚠️ Sends data as a GET request in the URL query string.
  • ⚠️ Message is Deflate-compressed and Base64-encoded.
  • ⚠️ URL length limitations can cause issues with large messages.
  • ⚠️ Digital signatures are included as query parameters.

📮 HTTP-POST Binding

The most common method, used for larger messages and SAML Responses. Relies on HTML form submissions.

Features & Considerations

  • Message is sent in an HTML form via POST.
  • Base64-encoded SAML data goes in a hidden form field.
  • No significant size limit; suitable for signed responses.
  • Requires JavaScript auto-submit to trigger POST.

🧩 HTTP-Artifact Binding

The Artifact method only sends a reference (artifact) via the browser, and the full message is retrieved later using back-channel communication.

Features & Usage

  • 🔍 Browser sends a short “artifact” ID to the SP.
  • 🔍 SP uses SOAP-based ArtifactResolve to get the full assertion from the IdP.
  • 🔍 ArtifactResolve/Response should be protected with TLS and message signing (per the Artifact Resolution Protocol).
  • 🔍 Offers better control over message delivery but is more complex.
  • 🔍 Used in high-security environments that require strict transmission control.

📊 Comparison & Use Cases

Knowing each binding's strengths, the standard pattern is to use one binding for the Request and a different one for the Response.

Summary Table

  • 📋 Redirect: Lightweight and simple; good for SAMLRequest.
  • 📋 POST: Most commonly used for SAMLResponse and signed data.
  • 📋 Artifact: Highly secure but complex to implement (requires SOAP support).

🛡️ Signature Requirements by Binding

How a signature is attached, and where it is verified, differs per binding. The points below follow the OASIS Bindings specification.

Key Points

  • HTTP-Redirect: The signature is computed over the query parameters in strict order (SAMLRequest/SAMLResponse, then RelayState, then SigAlg). If the order changes, verification fails.
  • HTTP-POST: The signature is embedded inside the XML (usually on the Assertion or the Response). The POST body carries the Base64-encoded, signed XML.
  • Artifact: ArtifactResolve/Response is exchanged over SOAP and protected with TLS and message signing.
  • Whether the AuthnRequest must be signed depends on the IdP and its policy. When it is required, the SP signs and the IdP verifies.
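As an added example (not code from the original page), the following shows the HTTP-Redirect encoding (raw Deflate + Base64 + URL-encoding) and the strictly ordered signed string from the Redirect section and the key points above, on both the sender and the verifier side. The AuthnRequest, its ID and the URLs are constructed placeholders, and the RSA signing step itself is left out.

```python
import base64
import zlib
from urllib.parse import quote, urlsplit

# Constructed sample AuthnRequest; the ID and URLs are placeholders, not from any real deployment.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example/acs"/>'
)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def deflate_b64(xml: str) -> str:
    """Redirect-binding encoding: raw DEFLATE (wbits=-15, no zlib header), then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inflate_b64(value: str) -> str:
    """Reverse of deflate_b64, used by the receiver to recover the XML."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_octets(msg_param: str, encoded_msg: str, relay_state, sig_alg: str) -> str:
    """Sender side: the exact string the Redirect-binding signature covers.
    Order is fixed by the spec: <SAMLRequest|SAMLResponse>=...&RelayState=...&SigAlg=...
    with each value URL-encoded once; RelayState is left out entirely when absent."""
    parts = [f"{msg_param}={quote(encoded_msg, safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(sig_alg, safe='')}")
    return "&".join(parts)

def build_redirect_query(xml: str, relay_state, sig_alg: str = RSA_SHA256) -> str:
    """Query string to sign; the real flow appends &Signature=<Base64 RSA signature over it>."""
    return signed_octets("SAMLRequest", deflate_b64(xml), relay_state, sig_alg)

def signed_octets_from_url(url: str) -> str:
    """Verifier side: rebuild the signed string from the *raw* query values, in spec order.
    Decoding and re-encoding would alter percent-escapes, and joining parameters in the
    order they arrived would break whenever the client ordered them differently."""
    raw = dict(kv.split("=", 1) for kv in urlsplit(url).query.split("&"))
    msg_param = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    parts = [f"{msg_param}={raw[msg_param]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts)
```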