IDP: http-redirect


I’m learning about how the ZPA product works. When should I consider enabling “http-redirect” when setting up the IDP?


ZPA supports two binding modes to the IDP - POST and REDIRECT.
REDIRECT will send the AuthN request as a query string of a GET request, which is bounded by the URL length limit and by the IDP webserver.
POST will send the AuthN request as a POST data stream - this is bounded by the data limit on the IDP webserver, but typically there isn’t a large limit.
Some IDPs only support Redirect, and some support both Redirect and POST.
If you use SAML Request Signing, the data from Zscaler to the IDP will be quite large (the signature + signing cert are in the data). So - you could exceed the size limit of the URL and of the webserver.

My recommendation is to use POST binding (or disable HTTP-Redirect) in every case - unless the IDP only supports Redirect. If you’re using HTTP-Redirect, I’d recommend disabling request signing because of the data size.
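As an added illustration of the size argument in the reply above (example code, not from the original post or from Zscaler): a minimal SAML AuthnRequest is encoded with both bindings, with and without an enveloped signature and certificate of realistic size, so the URL-length effect of request signing can be measured. The IDP endpoint, the 2048-character URL budget and the request contents are assumptions.

```python
import base64
import random
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SSO_URL = "https://idp.example.com/sso"  # placeholder IDP single sign-on endpoint
URL_LIMIT = 2048  # assumed conservative URL budget; real limits vary by IDP and web server

# Constructed minimal AuthnRequest; ZPA's real message differs.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)

def enveloped_signature(sig_len=344, cert_len=1600):
    # Stand-in <ds:Signature> sized like an RSA-2048 SignatureValue (~344 base64 chars)
    # plus an X.509 cert (~1.6 KB base64). Seeded random bytes, not a real signature:
    # like real signature bytes, their base64 is effectively incompressible.
    rnd = random.Random(0)
    sig = base64.b64encode(rnd.randbytes(sig_len * 3 // 4)).decode()
    cert = base64.b64encode(rnd.randbytes(cert_len * 3 // 4)).decode()
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f'<ds:SignatureValue>{sig}</ds:SignatureValue><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</ds:Signature>')

def sign(xml):
    # Embed the signature after <saml:Issuer>, where an enveloped XML-DSig is placed.
    return xml.replace('</saml:Issuer>', '</saml:Issuer>' + enveloped_signature(), 1)

def redirect_binding(xml):
    # HTTP-Redirect: raw DEFLATE -> base64 -> URL-encode into the GET query string.
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = z.compress(xml.encode()) + z.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": "placeholder"})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect(url):
    # What the IDP does on receipt: pull SAMLRequest out of the query, base64-decode, inflate.
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def post_binding(xml):
    # HTTP-POST: plain base64 in a form field; no compression and no URL-length limit.
    return base64.b64encode(xml.encode()).decode()
```

Compare `len(redirect_binding(AUTHN_REQUEST))` with `len(redirect_binding(sign(AUTHN_REQUEST)))` against `URL_LIMIT`: the unsigned request fits comfortably, while the signed one exceeds the budget even after DEFLATE, because base64-encoded signature and certificate bytes do not compress.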