In PL 2.0.3.Final we have added the capability for the SP redirect authenticators to fall back to POST.
Check it out https://community.jboss.org/wiki/PicketLink203Final
The reason is that even though your SP sends a redirect to the IDP, the IDP may be performing strict POST binding (web browser SSO profile) and sending back a response via HTTP POST.
We handled this via https://issues.jboss.org/browse/PLFED-271
Note the following statement:
Similarly for the SPRedirectFormAuthenticator, the change would be idpPostBinding to true
in jboss-web.xml of AS7 sales.war
or WEB-INF/context.xml of AS6 sales.war
So add the flag to the authenticator on the SP side.
Thanks for your answer. But I think I haven't explained the problem clearly enough. PicketLink creates the following line in the request:
This forces the IDP to use HTTP-POST binding. So PicketLink should know that this binding is used for the response. Why do I have to tell PicketLink this with a parameter? I need a parameter to tell PicketLink not to create this line. Instead it should ask for HTTP-Redirect binding.
For me the bigger problem is the one with the parsing of the SAML token. Do you have any idea what is going wrong there?
Martin, can you create a PLFED (https://issues.jboss.org/jira/browse/PLFED) JIRA issue? Attach the payload that PL is not parsing properly. You can mask any company-confidential things in the payload.