Correct me if I'm wrong, but it appears the :embed_sign parameter is redundant with the IdP URL Binding. In other words:
- if the
Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, then you MUST have embed_sign: true
- else if the
Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, then you MUST have embed_sign: false
(Otherwise, your requests won't be signed, e.g. a POST with embed_sign: false will simply have no signature.)
Assuming this is the case, since embed_sign is a single value, it's not possible to mix SSO POST with SLO Redirect. Although not common in practice, it is theoretically possible that an IdP could require it that way in their metadata.
If this is the case, I wonder if there might be a better way to do this. For example, we could get rid of :embed_sign and introduce Settings.idp_sso_binding and Settings.idp_slo_binding parameters which would allow you to control which bindings you want to use for each endpoint.
Correct me if I'm wrong, but it appears the
:embed_signparameter is redundant with the IdP URLBinding. In other words:Bindingisurn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, then you MUST haveembed_sign: trueBindingisurn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, then you MUST haveembed_sign: false(Otherwise, your requests won't be signed, e.g. a
POSTwithembed_sign: falsewill simply have no signature.)Assuming this is the case, since
embed_signis a single value, it's not possible to mix SSOPOSTwith SLORedirect. Although not common in practice, it is theoretically possible that an IdP could require it that way in their metadata.If this is the case, I wonder if there might be a better way to do this. For example, we could get rid of
:embed_signand introduceSettings.idp_sso_bindingandSettings.idp_slo_bindingparameters which would allow you to control which bindings you want to use for each endpoint.