From 9eb5e32317c940b237dfb775fdfba09317410972 Mon Sep 17 00:00:00 2001 From: Wayne Woodfield Date: Sat, 10 Jun 2017 17:24:59 -0600 Subject: [PATCH 1/3] Added support for the http post binding at the IdP Single Signon Service --- .../src/main/java/com/onelogin/saml2/Auth.java | 6 +++++- .../onelogin/saml2/servlet/ServletUtils.java | 17 +++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/toolkit/src/main/java/com/onelogin/saml2/Auth.java b/toolkit/src/main/java/com/onelogin/saml2/Auth.java index db03c967..67bacc7a 100644 --- a/toolkit/src/main/java/com/onelogin/saml2/Auth.java +++ b/toolkit/src/main/java/com/onelogin/saml2/Auth.java @@ -292,7 +292,11 @@ public String login(String returnTo, Boolean forceAuthn, Boolean isPassive, Bool if (!stay) { LOGGER.debug("AuthNRequest sent to " + ssoUrl + " --> " + samlRequest); } - return ServletUtils.sendRedirect(response, ssoUrl, parameters, stay); + + if (Constants.BINDING_HTTP_POST.equals(settings.getIdpSingleSignOnServiceBinding())) + return ServletUtils.sendPost(response, ssoUrl, parameters, stay); + else // Anything else is assumed to be a redirect + return ServletUtils.sendRedirect(response, ssoUrl, parameters, stay); } /** diff --git a/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java b/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java index c62bdd71..3ec074b8 100644 --- a/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java +++ b/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java @@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.StringEscapeUtils; import org.apache.commons.lang3.StringUtils; import com.onelogin.saml2.http.HttpRequest; 
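Review bot: In `login`, the new POST branch hands `sendPost` the same `parameters` map that is passed to `sendRedirect`, but the two bindings do not encode the message the same way. Under HTTP-Redirect the `SAMLRequest` is DEFLATE-compressed and any signature travels as separate query parameters; under HTTP-POST the value is plain base64 and the signature has to sit inside the XML, so a map prepared for redirect may reach the IdP as an unreadable or effectively unsigned request. The code that builds `samlRequest` and `parameters` lies above this hunk, so this needs confirming there. At minimum record the expectation next to the branch, e.g. `// HTTP-POST: SAMLRequest must be base64 without DEFLATE, signature embedded in the XML`, and put braces around both arms of the `if`/`else`.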
@@ -180,6 +181,22 @@ public static String sendRedirect(HttpServletResponse response, String location, return target; } + public static String sendPost(HttpServletResponse response, String location, Map parameters, Boolean stay) throws IOException { + StringBuilder html = new StringBuilder(); + html.append("\n\nSAML Post\n\n") + .append("\n") + .append("
\n"); + for (String name : parameters.keySet()) { + String value = parameters.get(name); + html.append("\n"); + } + html.append("
\n\n"); + if (!stay) { + response.getWriter().write(html.toString()); + } + return html.toString(); + } + /** * Redirect to location url * From 8bfe16cfeb018f6ea0d2c19afd848da7f3b284d1 Mon Sep 17 00:00:00 2001 From: Wayne Woodfield Date: Sat, 15 Jul 2017 16:11:22 -0600 Subject: [PATCH 2/3] Update the properties file to reflect support for the HTTP-POST binding --- .../src/main/resources/onelogin.saml.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties b/samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties index ac3b36da..6832bda9 100644 --- a/samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties +++ b/samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties @@ -58,7 +58,7 @@ onelogin.saml2.idp.single_sign_on_service.url = # SAML protocol binding to be used when returning the # message. Onelogin Toolkit supports for this endpoint the -# HTTP-Redirect binding only +# HTTP-Redirect and HTTP-POST bindings onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect # SLO endpoint info of the IdP. From 94eb327ff872c31548a236f9fd59bc881ea412dd Mon Sep 17 00:00:00 2001 From: Wayne Woodfield Date: Mon, 6 Nov 2017 15:46:28 -0700 Subject: [PATCH 3/3] Add a content type and content length to this response. If not specified, browsers might interpret arbitrarily as plain text. --- .../src/main/java/com/onelogin/saml2/servlet/ServletUtils.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java b/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java index 3ec074b8..6e8ec304 100644 --- a/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java +++ b/toolkit/src/main/java/com/onelogin/saml2/servlet/ServletUtils.java 
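Review bot: `sendPost` builds an HTML page from `location` and from every `name`/`value` in `parameters`, so each of the three has to be HTML-escaped before it is appended. The string literals of this hunk have lost their markup on this page, so which values actually pass through the newly imported `StringEscapeUtils` cannot be checked here. Values such as the return-to URL that `login` accepts presumably end up in `parameters`, and an unescaped quote in one of them or in the form target would end the attribute early. Escape once into locals and append those, e.g. `String action = StringEscapeUtils.escapeHtml4(location);`, and do the same for `name` and `value` inside the loop. The method also has no Javadoc although the neighbouring `sendRedirect` overload does, and `if (!stay)` throws a NullPointerException when the `Boolean` is null.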
@@ -192,6 +192,8 @@ public static String sendPost(HttpServletResponse response, String location, Map
 }
 html.append("\n\n");
 if (!stay) {
+ response.setContentType("text/html;charset=UTF-8");
+ response.setContentLength(html.toString().getBytes("UTF-8").length);
 response.getWriter().write(html.toString());
 }
 return html.toString();
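Review bot: The response written inside `if (!stay)` carries the SAML message but sets no caching headers, so a browser or intermediary may store the auto-submitting page; the SAML HTTP-POST binding asks for such responses to be marked non-cacheable. Add `response.setHeader("Cache-Control", "no-cache, no-store");` and `response.setHeader("Pragma", "no-cache");` next to the new `setContentType` call. The content length is computed from a hard-coded UTF-8 encoding, which only matches what `getWriter()` emits if no writer was obtained and the response was not committed before this point; that is presumably true, but worth a short comment. `sendPost` starts above this hunk.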