Description
I am using SATOSA with Renater federation WAYF (SAML frontend / SAML backend with discovery).
The global nginx reverse proxy on our infra is sending 502 errors after the selection of the IDP on the WAYF, because the headers of the response contain the Location with the SAMLRequest query param and is too big (upstream sent too big header while reading response header from upstream).
I see the order of bindings_to_try in saml2.client.Saml2Client.prepare_for_negotiated_authenticate (called by satosa.backends.saml2.SAMLBackend.authn_request) is hardcoded. Could it be configurable, so that POST is preferred over Redirect ? (is there a reason to prefer Redirect ?)
Should not preferred_binding be used there ? (I don't understand fully all the types of services, so maybe a silly idea)