SAML-Toolkits/ruby-saml

POST binding should not use compression by default

Closed this issue · 2 comments

Background

According to the SAML spec, deflate compression should only be used in the Redirect binding, because we want to reduce the length of the URL string. For the POST binding, there's no need to use compression (your server request should probably be gzipped anyway).

This is important, because some SAML IdP providers like PingFederate don't support compression on POST binding: https://support.pingidentity.com/s/topic/0TO1W000000IESfWAO/deflate

Current Spec

Currently, there are two parameters which control compression:

  • compress_request - Applies to AuthN request and SLO request
  • compress_response - Applies to SLO response

Proposed Change

I think these parameters should be removed, and instead we should simply control compression based on whether the binding is Redirect (if so, enable) or POST (if so, disable).
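As an added illustration of the proposed rule (example code, not ruby-saml's own): compression is derived from the binding, with HTTP-Redirect getting raw DEFLATE plus base64 (URL-encoded when placed in the query string) and HTTP-POST getting base64 only. The sample AuthnRequest and the `encode_saml_message`/`decode_saml_message` helper names are constructed for this example.

```ruby
require "zlib"
require "cgi"

REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample message; not a real IdP/SP exchange.
SAMPLE_AUTHN_REQUEST = %(<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"/>)

# Compression follows the binding instead of a separate compress_* flag:
# Redirect => raw DEFLATE (no zlib header) + base64; POST => base64 only.
def encode_saml_message(xml, binding)
  case binding
  when REDIRECT_BINDING
    deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
    deflated = deflater.deflate(xml, Zlib::FINISH)
    deflater.close
    [deflated].pack("m0")
  when POST_BINDING
    [xml].pack("m0")
  else
    raise ArgumentError, "unsupported binding: #{binding}"
  end
end

# Inverse of encode_saml_message; inflates only for the Redirect binding.
def decode_saml_message(encoded, binding)
  raw = encoded.unpack1("m0")
  case binding
  when REDIRECT_BINDING
    inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
    xml = inflater.inflate(raw)
    inflater.close
    xml
  when POST_BINDING
    raw
  else
    raise ArgumentError, "unsupported binding: #{binding}"
  end
end

# Redirect binding additionally URL-encodes the value into the query string.
def redirect_query_string(xml)
  "SAMLRequest=" + CGI.escape(encode_saml_message(xml, REDIRECT_BINDING))
end
```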

Not sure if the refactor will take more headache than the benefits we are going to have at the end.
Agree to add some warning or fix scenarios that are not working in the right way.

Suggest looking to do this as part of the V2 major upgrade. I imagine people who are actually using POST have already worked around it in their app, as I have.