sources/saml: Set AuthnRequest ProtocolBinding to HTTP-POST instead of HTTP-Redirect

[ikob]

Details

This patch aligns authentik’s SAML Source implementation with the SAML 2.0 specification.

In the SAML Source configuration, the SP metadata always declares the
AssertionConsumerService (ACS) binding as HTTP-POST, regardless of the
SingleSignOnService (SSO) binding. However, the actual AuthnRequest message
used the SSO binding as its ProtocolBinding attribute, resulting in
HTTP-Redirect being sent.

According to the OASIS SAML 2.0 specification, the HTTP-Redirect binding
MUST NOT be used for delivering the from the IdP to the SP:

Either the HTTP POST or HTTP Artifact binding can be used to transfer
the message to the service provider through the user agent.
The HTTP Redirect binding MUST NOT be used.

While many IdPs will still prefer the ACS binding declared in the SP metadata,
this change aligns the AuthnRequest with the SAML 2.0 specification.

Hopefully close Hopefully close REDIRECT case issue at the step 1 of #16627

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	f56bbe0
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/68e8ba3e8b361e0008ad00e3

[netlify]

✅ Deploy Preview for authentik-integrations canceled.

Name	Link
🔨 Latest commit	f56bbe0
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/68e8ba3e41a97c0008d4dc39

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	f56bbe0
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/68e8ba3e18080f00083f5c0a

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.06%. Comparing base (4816dc4) to head (f56bbe0).
⚠️ Report is 1247 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17378      +/-   ##
==========================================
+ Coverage   92.72%   93.06%   +0.33%     
==========================================
  Files         857      870      +13     
  Lines       46608    49538    +2930     
==========================================
+ Hits        43217    46102    +2885     
- Misses       3391     3436      +45     

Flag	Coverage Δ
e2e	46.20% <66.66%> (+1.26%)	⬆️
integration	23.58% <0.00%> (+0.45%)	⬆️
unit	91.19% <100.00%> (+0.14%)	⬆️
unit-migrate	91.24% <100.00%> (+0.14%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[tfc]

Hey @ikob is this here fixing #16627 ? If yes - what can I do to help push this further?

[ikob]

Sorry for late response.

Hey @ikob is this here fixing #16627 ? If yes - what can I do to help push this further?

Partially yes as mentioned other PR.

Also, there is a workaround to set BindingType to Post-* instead of Redirect binding, if the IdP supports POST binding.

[PeshekDotDev]

Awesome catch, thank you @ikob!

[authentik-automation]

🍒 Cherry-pick to version-2025.12 created: #19649