Where to get more information to implement "Custom POST form" for SAML?

Document ID : KB000071353
Last Modified Date : 19/02/2018
Question:
I'd like to implement a partnership where we act as IdP. I want
the SAML response that the IdP gives to the SP to redirect the user,
by way of a query parameter, to a specific page on the SP side instead
of the initial target.

To implement this, I have chosen to implement "Custom POST
form". I'd like to get some documentation and a sample on how to
implement it.

Answer:
From the documentation:

Customize the Auto-POST form for HTTP-POST SSO

You can customize the auto-POST form sent to the relying party in a
SAML response to improve the user experience.

To use a customized form, enter the name of the form in the Custom
Post Form field of the SSO section of the SSO and SLO step of the
wizard. The system uses the form you specify in the response. The
product includes a form named defaultpostform.html.

https://docops.ca.com/ca-siteminder-federation-standalone/12-52-sp1/en/configuring/single-sign-on-configuration

I've searched internally, and I discovered that, in an out-of-the-box
Web Agent installation, this sample can be found here:

/opt/CA/webagent/customization

ca_defaultpostform.html

<html>
<head>
<title>Custom Auto-POST Form</title>
</head>
<body onLoad="document.forms[0].submit()">
<noscript>
Your browser does not support JavaScript. Please click the 'Continue' button below
to proceed.
</noscript>
<form method="POST" action="$$target$$">
$$fedparams$$
<noscript>
<input type="submit" value="Continue"/>
</noscript>
</form>
</body>
</html>

So, you need to install Web Agent (even if you don't use it) and the
Web Agent Option Pack with the same installation path as the Web
Agent.
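
Because this form delivers the signed SAML response to the browser, a customized copy is worth checking before its name goes into the Custom Post Form field. The lint below is an added example, not CA code: it assumes, from the sample above, that the product substitutes `$$target$$` and `$$fedparams$$`, and the rule set and the names `FormLint` and `lint_post_form` are this example's own.

```python
from html.parser import HTMLParser

# Shipped sample as quoted on this page (ca_defaultpostform.html), condensed.
DEFAULT_FORM = """<html><head><title>Custom Auto-POST Form</title></head>
<body onLoad="document.forms[0].submit()">
<form method="POST" action="$$target$$">
$$fedparams$$
<noscript><input type="submit" value="Continue"/></noscript>
</form></body></html>"""

class FormLint(HTMLParser):
    """Collects findings; the rule set is this example's assumption."""
    def __init__(self):
        super().__init__()
        self.in_form, self.forms, self.params_in_form = False, 0, False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms += 1
            self.in_form = True
            if a.get("method", "").upper() != "POST":
                self.findings.append("form method is not POST")
            if a.get("action") != "$$target$$":
                self.findings.append("form action is not the $$target$$ placeholder")
        # The form carries the signed response: flag anything loaded from elsewhere.
        for attr in ("src", "href"):
            if a.get(attr, "").lower().startswith(("http:", "https:", "//")):
                self.findings.append(f"external URL in <{tag} {attr}>")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

    def handle_data(self, data):
        if self.in_form and "$$fedparams$$" in data:
            self.params_in_form = True

def lint_post_form(html_text):
    """Return a list of findings; an empty list means the form passed."""
    parser = FormLint()
    parser.feed(html_text)
    parser.close()
    if parser.forms != 1:
        parser.findings.append(f"expected exactly one form, found {parser.forms}")
    if not parser.params_in_form:
        parser.findings.append("$$fedparams$$ is missing or outside the form")
    return parser.findings
```

An empty list means the form kept the POST method, both placeholders and no externally hosted references.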

In addition, you'll find the typical use case for Auto-POST forms on
this page:

Account Linking Solution SAML 2.0 POST Profile

In this example, smcompany.com is the Identity Provider. The
administrator at smcompany.com configures an IdP-to-SP
partnership. The partnership uses SAML 2.0 HTTP-POST profile for
single sign-on.

The partnership configuration has the following information:

- The location of the assertion consumer service at ahealthco.com.
- The unique Name ID.
- The assertion attributes to be added to the assertion.

An employee of smcompany.com logs in to the employee portal site.

After a successful initial authentication, the following sequence occurs:

Web Agent or CA Access Gateway at smcompany.com initially
authenticates the user. The employee clicks a link to ahealthco.com
to view health benefits. The Policy Server reads the SAML 2.0 SP
configuration.

The Identity Provider initiates the request, which triggers an
unsolicited response. A request is sent to the Single Sign-on (SSO)
service at smcompany.com. The SSO service makes a request to policy
server to generate a SAML 2.0 assertion or artifact based on the
selected profile. For HTTP-POST, the Policy Server generates a SAML
assertion. The SSO service receives the assertion response for the
selected profile. The signed response is placed in an auto-POST HTML
form and sent to the browser. The browser POSTs the response to the
Assertion Consumer Service at ahealthco.com.

ahealthco.com is the Service Provider. The administrator at
ahealthco.com configures an SP-to-IdP partnership with smcompany.com.
The configuration uses the SAML 2.0 HTTP-POST profile for single
sign-on.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/implementing/implementing-federation-in-your-enterprise/federation-use-cases-and-solutions-common-to-saml-and-ws-federation