Wednesday, 19 March 2025

SAML SP send request twice

 Yes, in most cases the browser's original request is sent twice: once before authentication, when the SP turns it away, and once after, when the SP sends the browser back to the resource. The SP-initiated flow looks like this:

  1. First Request (Before Authentication)

    • The client requests a protected resource from the Service Provider (SP).
    • The SP finds no active session, records what was requested, and redirects the client to the Identity Provider (IdP) with a SAML AuthnRequest (usually the HTTP-Redirect binding: the AuthnRequest is deflated, base64-encoded and passed as the SAMLRequest query parameter, with an optional RelayState parameter alongside it).
  2. SAML Authentication Flow

    • The client logs in at the IdP.
    • The IdP returns a self-submitting HTML form; the client's browser POSTs the SAMLResponse (carrying the signed assertion) and the unchanged RelayState to the SP's Assertion Consumer Service (ACS). This is the HTTP-POST binding; the IdP does not contact the SP directly.
  3. Second Request (After Authentication)

    • The SP validates the response and assertion (signature, Audience, Recipient, NotOnOrAfter, and that InResponseTo matches an AuthnRequest it actually issued) and creates a session, typically by setting a cookie.
    • The SP redirects the client back to the resource it recorded in step 1.
    • The client sends a second request for the original resource, now with the session cookie, and this time it is served.

Important Notes:

  • The first request is never served: the user isn't authenticated yet, so all the SP produces is the redirect to the IdP.
  • The SP does not process the first request; it parks it instead. The target URL is either stored server-side (keyed by the AuthnRequest ID or a random token) or carried through RelayState, which the IdP echoes back unchanged to the ACS. RelayState is limited to 80 bytes by the SAML 2.0 Bindings specification, which is one reason to store the real target server-side and send only an opaque key.
  • RelayState arrives from the browser, and in an IdP-initiated (unsolicited) login the SP never set it at all, so the SP must not redirect to whatever it contains. Treat it as untrusted: look it up, or at least confirm it is a same-origin path, before redirecting. Otherwise the ACS becomes an open redirect.
  • After the assertion is accepted, the SP triggers the second request with a redirect (302 or 303); the browser follows it with a GET.

Exception:

  • If the original request was a POST with a body, that body is lost: the browser only carried it on the first request, and the post-authentication redirect makes it issue a GET. The SP can only reproduce the POST if it explicitly stored the body when it parked the request and replays it afterwards, typically by returning an auto-submitting HTML form to the original URL instead of a redirect.
  • SPs that do not store the body show an intermediate page asking the user to resubmit the form, or simply land the user on the resource with a GET and let the application handle the missing data.
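The three steps above and the POST exception, as an added example (not code from the original post). It is a simulated SP with a constructed, unsigned stand-in for the IdP: the first request is parked under an opaque RelayState key, the ACS checks InResponseTo, Recipient, Audience and NotOnOrAfter, and the second request is triggered by a redirect for GET or by a replayed form for POST. The entity ID and endpoint URLs are assumptions, and XML signature verification is assumed to be done by a SAML library before `acs()` runs; it is not implemented here.

```python
import base64, secrets, time, zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class Pending:
    request_id: str        # AuthnRequest ID; the assertion must echo it in InResponseTo
    method: str
    target: str            # original path+query: GET is redirected to, POST is replayed
    form: Optional[dict]   # saved POST body (the "Exception" case), if any
    created: float


@dataclass
class ServiceProvider:
    entity_id: str = "https://sp.example.test/metadata"   # assumed SP EntityID
    acs_url: str = "https://sp.example.test/acs"          # assumed ACS endpoint
    idp_sso_url: str = "https://idp.example.test/sso"     # assumed IdP SSO endpoint
    ttl: float = 300.0
    pending: dict = field(default_factory=dict)    # RelayState key -> Pending
    sessions: dict = field(default_factory=dict)   # session cookie -> NameID

    def handle(self, cookie, method, target, form=None):
        """Protected resource. Serves the request if a session exists; otherwise
        parks it and redirects to the IdP (this is the first request)."""
        if cookie in self.sessions:
            return ("ok", self.sessions[cookie], method, target, form)
        p = urlsplit(target)
        if p.scheme or p.netloc or not p.path.startswith("/"):
            return ("error", "target must be a same-origin path")   # no open redirect
        relay = secrets.token_urlsafe(24)   # opaque key, well under the 80-byte limit
        req_id = "_" + secrets.token_hex(16)
        self.pending[relay] = Pending(req_id, method, target, form, time.time())
        q = urlencode({"SAMLRequest": self._authn_request(req_id), "RelayState": relay})
        return ("redirect", f"{self.idp_sso_url}?{q}")

    def _authn_request(self, req_id):
        """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (unsigned here)."""
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{now}" '
               f'AssertionConsumerServiceURL="{self.acs_url}">'
               f'<saml:Issuer>{self.entity_id}</saml:Issuer></samlp:AuthnRequest>')
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

    def acs(self, relay, saml_response_b64):
        """Assertion Consumer Service. ASSUMPTION: the XML signature was already
        verified by a SAML library; only the binding-level checks are shown."""
        pend = self.pending.pop(relay, None)    # unknown key = unsolicited response
        if pend is None or time.time() - pend.created > self.ttl:
            return ("error", "unsolicited or expired RelayState")
        a = ET.fromstring(base64.b64decode(saml_response_b64)).find(f"{{{SAML}}}Assertion")
        if a is None:
            return ("error", "no assertion")
        scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
        if scd is None or scd.get("InResponseTo") != pend.request_id:
            return ("error", "InResponseTo does not match our AuthnRequest")
        if scd.get("Recipient") != self.acs_url:
            return ("error", "Recipient is not this ACS")
        cond = a.find(f"{{{SAML}}}Conditions")
        aud = cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") if cond is not None else None
        if aud is None or aud.text != self.entity_id:
            return ("error", "Audience is not this SP")
        exp = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        if exp <= datetime.now(timezone.utc):
            return ("error", "assertion expired")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        if pend.method == "POST":
            # A 303 would turn the POST into a GET and drop the body, so answer
            # with an auto-submitting form that replays the saved body instead.
            return ("replay_form", cookie, pend.target, pend.form)
        return ("redirect", cookie, pend.target)    # browser follows: second request


def constructed_idp_response(saml_request_b64, name_id, sp):
    """Constructed stand-in for the IdP (unsigned, for this example only): answers
    the AuthnRequest with the Response the browser would POST to the ACS."""
    req = ET.fromstring(zlib.decompress(base64.b64decode(saml_request_b64), -15))
    exp = (datetime.now(timezone.utc) + timedelta(minutes=5)).isoformat(timespec="seconds")
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Version="2.0" '
           f'InResponseTo="{req.get("ID")}" Destination="{sp.acs_url}"><saml:Assertion '
           f'Version="2.0"><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData InResponseTo="{req.get("ID")}" '
           f'Recipient="{sp.acs_url}" NotOnOrAfter="{exp}"/></saml:SubjectConfirmation>'
           f'</saml:Subject><saml:Conditions NotOnOrAfter="{exp}"><saml:AudienceRestriction>'
           f'<saml:Audience>{sp.entity_id}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def run_flow(method="GET", target="/reports?id=7", form=None):
    """Drives one browser through the flow; returns the outcome of the second request."""
    sp = ServiceProvider()
    first = sp.handle(None, method, target, form)             # 1. parked, redirect to IdP
    q = parse_qs(urlsplit(first[1]).query)
    resp = constructed_idp_response(q["SAMLRequest"][0], "alice@example.test", sp)
    acs = sp.acs(q["RelayState"][0], resp)                    # 2. browser POSTs to the ACS
    if acs[0] == "redirect":
        return sp.handle(acs[1], "GET", acs[2])               # 3. second request, with cookie
    return acs                                                # POST case: replayed form
```

`run_flow()` returns the served second request for a GET; `run_flow("POST", "/upload", {"title": "q1"})` returns the replay form with the saved body. A Response whose InResponseTo matches nothing the SP issued, or whose RelayState key is unknown, is rejected before any session is created.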
