
Route bindings do not match metadata #500

@johanib

Description

Summary

After some discussion in #493, @MKodde and I took a look at the bindings in Gateway. It seems Gateway could accept POST requests where only GET requests should be supported.
Using POST in those scenarios is unsupported, and if it works, it might break as it has no test coverage.

Proposal: Remove POST from /authentication/single-sign-on and /second-factor-only/single-sign-on.
Let's refine. If the POST cannot be removed, add test coverage.

Details

Taking a look at the bindings specified in the various metadata endpoints:
https://sa-gw.surfconext.nl/authentication/metadata

🟢 /authentication/consume-assertion

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sa-gw.surfconext.nl/authentication/consume-assertion" index="0"/>

root@gateway:/var/www/html# ./bin/console debug:route | grep consume-assertion
  gateway_serviceprovider_consume_assertion           POST       /authentication/consume-assertion

Issue: None

🔴 /authentication/single-sign-on

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sa-gw.surfconext.nl/authentication/single-sign-on"/>

root@gateway:/var/www/html# ./bin/console debug:route | grep single-sign-on
  gateway_identityprovider_sso                        GET|POST   /authentication/single-sign-on
  gateway_identityprovider_sso_proxy                  POST       /authentication/single-sign-on/{idpKey}
...

Issue: The API route accepts both POST and GET requests. The metadata only advertises the HTTP-Redirect (GET) binding. If POST requests were to be sent to this endpoint, the behavior is unsupported.


https://sa-gw.surfconext.nl/second-factor-only/metadata

🔴 /second-factor-only/single-sign-on

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sa-gw.surfconext.nl/second-factor-only/single-sign-on"/>

root@gateway:/var/www/html# ./bin/console debug:route | grep single-sign-on
...
  gateway_second_factor_only_identityprovider_sso     GET|POST   /second-factor-only/single-sign-on

Issue: The API route accepts both POST and GET requests. The metadata only advertises the HTTP-Redirect (GET) binding.


https://sa-gw.surfconext.nl/gssp/tiqr/metadata

🟢 /gssp/tiqr/single-sign-on

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sa-gw.surfconext.nl/gssp/tiqr/single-sign-on"/>

root@gateway:/var/www/html# ./bin/console debug:route | grep gssp
  gssp_verify                                         GET        /gssp/{provider}/single-sign-on

🟢 /gssp/tiqr/consume-assertion

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sa-gw.surfconext.nl/gssp/tiqr/consume-assertion" index="0"/>

root@gateway:/var/www/html# ./bin/console debug:route | grep gssp
  gssp_consume_assertion                              POST       /gssp/{provider}/consume-assertion

Issue: None.
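The comparison done by hand above can be automated so it runs as a regression check. The following is an added example, not code from the Stepup-Gateway project: it parses an EntityDescriptor and `debug:route` rows, maps each advertised SAML binding to the HTTP method it uses, and reports every route that accepts a method its metadata never advertises. The metadata document and route rows are constructed from the values quoted in this issue, and the row parser assumes the three-column name/method/path layout shown here.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# HTTP method each SAML 2.0 binding carries the protocol message in.
BINDING_METHOD = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "GET",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
}
ENDPOINT_TAGS = ("SingleSignOnService", "AssertionConsumerService")
# name, methods (GET|POST), path; prompt and "..." lines do not match.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+([A-Z|]+)\s+(/\S*)\s*$")

# Constructed from the two elements quoted in the issue (not the full metadata).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sa-gw.surfconext.nl/authentication/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sa-gw.surfconext.nl/authentication/single-sign-on"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sa-gw.surfconext.nl/authentication/consume-assertion" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed from the debug:route rows quoted in the issue.
SAMPLE_ROUTES = """  gateway_serviceprovider_consume_assertion           POST       /authentication/consume-assertion
  gateway_identityprovider_sso                        GET|POST   /authentication/single-sign-on
  gateway_identityprovider_sso_proxy                  POST       /authentication/single-sign-on/{idpKey}
"""

def metadata_endpoints(xml_text):
    """Map each advertised SSO/ACS path to the HTTP methods its bindings imply."""
    endpoints = {}
    for el in ET.fromstring(xml_text).iter():
        method = BINDING_METHOD.get(el.get("Binding", ""))
        if el.tag.split("}")[-1] in ENDPOINT_TAGS and method:
            path = re.sub(r"^https?://[^/]+", "", el.get("Location"))
            endpoints.setdefault(path, set()).add(method)
    return endpoints

def route_methods(debug_route_output):
    """Parse debug:route rows into {path: set(methods)}."""
    routes = {}
    for line in debug_route_output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m.group(3)] = set(m.group(2).split("|"))
    return routes

def find_mismatches(endpoints, routes):
    """Paths whose route accepts a method the metadata never advertises (the red cases above)."""
    return {path: sorted(routes[path] - methods)
            for path, methods in endpoints.items() if path in routes and routes[path] - methods}
```

Running `find_mismatches(metadata_endpoints(SAMPLE_METADATA), route_methods(SAMPLE_ROUTES))` flags only `/authentication/single-sign-on` with the extra `POST`, while the consume-assertion route is reported clean.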

