Add a SAML connector option to allows SAML request to be sent using RedirectBinding

connector/connector.go

@@ -81,7 +81,7 @@ type SAMLConnector interface {
 	//
 	// POSTData should encode the provided request ID in the returned serialized
 	// SAML request.
-	POSTData(s Scopes, requestID string) (ssoURL, samlRequest string, err error)
+	POSTData(s Scopes, requestID string) (ssoURL, samlRequest string, bindingType string, err error)
 
 	// HandlePOST decodes, verifies, and maps attributes from the SAML response.
 	// It passes the expected value of the "InResponseTo" response field, which

connector/saml/saml.go

@@ -24,6 +24,11 @@ import (
 	"github.com/dexidp/dex/pkg/groups"
 )
 
+const (
+	RedirectBinding = "redirect"
+	PostBinding = "post"
+)
+
 const (
 	bindingRedirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 	bindingPOST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
@@ -107,6 +112,11 @@ type Config struct {
 	//		urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
 	//
 	NameIDPolicyFormat string `json:"nameIDPolicyFormat"`
+
+	// Specify the type of binding used to send SAML request, only supported values are
+	// "post" and "redirect"
+	// If no value is specified, this value defaults to: "post"
+	BindingType string `json:"bindingType"`
 }
 
 type certStore struct {
@@ -159,6 +169,7 @@ func (c *Config) openConnector(logger *slog.Logger) (*provider, error) {
 		allowedGroups: c.AllowedGroups,
 		filterGroups:  c.FilterGroups,
 		redirectURI:   c.RedirectURI,
+		bindingType:   c.BindingType,
 		logger:        logger,
 
 		nameIDPolicyFormat: c.NameIDPolicyFormat,
@@ -227,6 +238,13 @@ func (c *Config) openConnector(logger *slog.Logger) (*provider, error) {
 		}
 		p.validator = dsig.NewDefaultValidationContext(certStore{certs})
 	}
+
+	if p.bindingType == "" {
+		p.bindingType = PostBinding
+	}
+	if p.bindingType != PostBinding && p.bindingType != RedirectBinding {
+		return nil, fmt.Errorf("bindingType must be either 'redirect' or 'post', current: %s", p.bindingType)
+	}
 	return p, nil
 }
 
@@ -252,10 +270,12 @@ type provider struct {
 
 	nameIDPolicyFormat string
 
+	bindingType string
+
 	logger *slog.Logger
 }
 
-func (p *provider) POSTData(s connector.Scopes, id string) (action, value string, err error) {
+func (p *provider) POSTData(s connector.Scopes, id string) (action, value string, bindingType string, err error) {
 	r := &authnRequest{
 		ProtocolBinding: bindingPOST,
 		ID:              id,
@@ -275,12 +295,12 @@ func (p *provider) POSTData(s connector.Scopes, id string) (action, value string
 
 	data, err := xml.MarshalIndent(r, "", "  ")
 	if err != nil {
-		return "", "", fmt.Errorf("marshal authn request: %v", err)
+		return "", "", "",fmt.Errorf("marshal authn request: %v", err)
 	}
 
 	// See: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
 	// "3.5.4 Message Encoding"
-	return p.ssoURL, base64.StdEncoding.EncodeToString(data), nil
+	return p.ssoURL, base64.StdEncoding.EncodeToString(data), p.bindingType, nil
 }
 
 // HandlePOST interprets a request from a SAML provider attempting to verify a

server/handlers.go

@@ -22,6 +22,7 @@ import (
 	"github.com/gorilla/mux"
 
 	"github.com/dexidp/dex/connector"
+	"github.com/dexidp/dex/connector/saml"
 	"github.com/dexidp/dex/server/internal"
 	"github.com/dexidp/dex/storage"
 )
@@ -281,30 +282,38 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 
 			http.Redirect(w, r, loginURL.String(), http.StatusFound)
 		case connector.SAMLConnector:
-			action, value, err := conn.POSTData(scopes, authReq.ID)
+			action, value, bindingType, err := conn.POSTData(scopes, authReq.ID)
 			if err != nil {
 				s.logger.ErrorContext(r.Context(), "creating SAML data", "err", err)
 				s.renderError(r, w, http.StatusInternalServerError, "Connector Login Error")
 				return
 			}
 
-			// TODO(ericchiang): Don't inline this.
-			fmt.Fprintf(w, `<!DOCTYPE html>
-			  <html lang="en">
-			  <head>
-			    <meta http-equiv="content-type" content="text/html; charset=utf-8">
-			    <title>SAML login</title>
-			  </head>
-			  <body>
-			    <form method="post" action="%s" >
-				    <input type="hidden" name="SAMLRequest" value="%s" />
-				    <input type="hidden" name="RelayState" value="%s" />
-			    </form>
+			if bindingType == saml.RedirectBinding {
+				escaped_saml_request := url.QueryEscape(value)
+				http.Redirect(w, r, action+"/saml?SAMLRequest="+escaped_saml_request+"&RelayState="+authReq.ID, http.StatusFound)
+			} else if bindingType == saml.PostBinding {
+				// TODO(ericchiang): Don't inline this.
+				fmt.Fprintf(w, `<!DOCTYPE html>
+				<html lang="en">
+				<head>
+				<meta http-equiv="content-type" content="text/html; charset=utf-8">
+				<title>SAML login</title>
+				</head>
+				<body>
+				<form method="post" action="%s" >
+					<input type="hidden" name="SAMLRequest" value="%s" />
+					<input type="hidden" name="RelayState" value="%s" />
+				</form>
 				<script>
-				    document.forms[0].submit();
+					document.forms[0].submit();
 				</script>
-			  </body>
-			  </html>`, action, value, authReq.ID)
+				</body>
+				</html>`, action, value, authReq.ID)
+			} else {
+				s.renderError(r, w, http.StatusInternalServerError, fmt.Sprintf("Invalid binding type: %s", bindingType))
+				return
+			}
 		default:
 			s.renderError(r, w, http.StatusBadRequest, "Requested resource does not exist.")
 		}