The gateway sends its authentication requests to Engineblock via HTTP GET, but includes the signature in the XML message. This is not a valid combination according to the protocol; it should be encoded in the GET parameter Signature and the corresponding GET parameter SigAlg.
It does currently work with EB. However, in order to keep the complexity within the platform under control, all components should use the same, valid bindings.
This is not trivial. Currently OIDC-NG uses the spring-security-saml-core library which is currently being incorporated into spring-security. There is a related issue: spring-projects/spring-security#7711
This issue is imported from Pivotal - Originally created at Aug 21, 2020 by Thijs Kinkhorst
UPDATE from Spring:
Support for customizing the AuthnRequest was added in 5.4: https://docs.spring.io/spring-security/site/docs/5.4.0/reference/html5/#servlet-saml2login-sp-initiated-factory-custom-authnrequest . You can use OpenSamlAuthenticationRequestFactory#setAuthenticationRequestContextConverter to supply a converter that creates the AuthnRequest you need, though it may be easier to register a custom AuthnRequestMarshaller with OpenSAML.
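A conformance check for the binding problem this issue describes, added here as an example (not code from the gateway, Engineblock or Spring Security): it inflates the SAMLRequest from a GET URL and reports an embedded ds:Signature, or a Signature parameter sent without SigAlg. The host, sample messages and signature value are constructed placeholders, and the check does not verify the signature itself.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
MAX_XML = 64 * 1024  # cap on inflated size; rejects oversized or bomb-like input

def encode_redirect(xml: str) -> str:
    """Raw DEFLATE, base64, then URL-encode: the SAMLRequest value for HTTP GET."""
    comp = zlib.compressobj(wbits=-15)
    data = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(data), safe="")

def check_redirect_request(url: str) -> list:
    """Return the signature-placement problems found in a redirect-binding URL."""
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        return ["no SAMLRequest parameter"]
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(base64.b64decode(params["SAMLRequest"][0]), MAX_XML)
    if inflater.unconsumed_tail:
        return ["SAMLRequest inflates beyond the size cap"]
    # Constructed samples only; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml)
    findings = []
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        findings.append("ds:Signature embedded in the XML of a GET request")
    if ("Signature" in params) != ("SigAlg" in params):
        findings.append("Signature and SigAlg must be sent together")
    return findings

# Constructed sample messages and URLs (idp.example.org is a placeholder host).
EMBEDDED_XML = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed" '
                f'Version="2.0"><ds:Signature xmlns:ds="{DS_NS}"/></samlp:AuthnRequest>')
PLAIN_XML = f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed" Version="2.0"/>'
EMBEDDED_URL = "https://idp.example.org/sso?SAMLRequest=" + encode_redirect(EMBEDDED_XML)
QUERY_SIGNED_URL = ("https://idp.example.org/sso?SAMLRequest=" + encode_redirect(PLAIN_XML)
                    + "&SigAlg=" + quote(RSA_SHA256, safe="")
                    + "&Signature=" + quote("Q09OU1RSVUNURUQ=", safe=""))  # placeholder value

if __name__ == "__main__":
    for name, url in (("embedded", EMBEDDED_URL), ("query-signed", QUERY_SIGNED_URL)):
        print(name, check_redirect_request(url) or "ok")
```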