Merge pull request #103 from hashicorp/saml-lib-fixup-julz2

More SAML library fixes
hashicorp · Sep 10, 2023 · 6f5c72b · 6f5c72b
2 parents 3a603e1 + cb03a93
commit 6f5c72b
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 92 deletions.
diff --git a/saml/authn_request.go b/saml/authn_request.go
@@ -11,14 +11,17 @@ import (
 	"strings"
 	"text/template"
 
-	"github.com/hashicorp/cap/oidc"
 	"github.com/jonboulle/clockwork"
 
 	"github.com/hashicorp/cap/saml/models/core"
 )
 
 const (
-	postBindingScriptSha256 = "T8Q9GZiIVtYoNIdF6UW5hDNgJudFDijQM/usO+xUkes="
+	// postBindingScriptSha256 is a base64 encoded sha256 hash generated from the javascript within the script tag in ./authn_request.gohtml.
+	// The hash is set in the Content-Security-Policy header when using the SAML HTTP POST-Binding Authentication Request.
+	// You can read more about the header and how the hash is generated here: https://content-security-policy.com/hash/
+	// As the POST-Binding script is static, this value is static as well and shouldn't change.
+	postBindingScriptSha256 = "sha256-T8Q9GZiIVtYoNIdF6UW5hDNgJudFDijQM/usO+xUkes="
 )
 
 type authnRequestOptions struct {
@@ -59,7 +62,11 @@ func AllowCreate() Option {
 }
 
 // WithNameIDFormat will set an NameIDPolicy object with the
-// given NameIDFormat. It implies AllowCreate=true.
+// given NameIDFormat. It implies allowCreate=true as recommended by
+// the SAML 2.0 spec, which says:
+// "Requesters that do not make specific use of this (AllowCreate) attribute SHOULD generally set it to “true”
+// to maximize interoperability."
+// See https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf
 func WithNameIDFormat(f core.NameIDFormat) Option {
 	return func(o interface{}) {
 		if o, ok := o.(*authnRequestOptions); ok {
@@ -155,11 +162,11 @@ func (sp *ServiceProvider) CreateAuthnRequest(
 	const op = "saml.ServiceProvider.CreateAuthnRequest"
 
 	if id == "" {
-		return nil, fmt.Errorf("%s: no ID provided: %w", op, oidc.ErrInvalidParameter)
+		return nil, fmt.Errorf("%s: no ID provided: %w", op, ErrInvalidParameter)
 	}
 
 	if binding == "" {
-		return nil, fmt.Errorf("%s: no binding provided: %w", op, oidc.ErrInvalidParameter)
+		return nil, fmt.Errorf("%s: no binding provided: %w", op, ErrInvalidParameter)
 	}
 
 	opts := getAuthnRequestOptions(opt...)
@@ -230,20 +237,34 @@ func (sp *ServiceProvider) CreateAuthnRequest(
 func (sp *ServiceProvider) AuthnRequestPost(
 	relayState string, opt ...Option,
 ) ([]byte, *core.AuthnRequest, error) {
+	const op = "saml.ServiceProvider.AuthnRequestPost"
+
 	requestID, err := sp.cfg.GenerateAuthRequestID()
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf(
+			"%s: failed to generate authentication request ID: %w",
+			op,
+			ErrInternal,
+		)
 	}
 
 	authN, err := sp.CreateAuthnRequest(requestID, core.ServiceBindingHTTPPost)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf(
+			"%s: failed to create authentication request: %w",
+			op,
+			ErrInternal,
+		)
 	}
 
 	opts := getAuthnRequestOptions(opt...)
 	payload, err := authN.CreateXMLDocument(opts.indent)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf(
+			"%s: failed to create request XML: %w",
+			op,
+			ErrInternal,
+		)
 	}
 
 	b64Payload := base64.StdEncoding.EncodeToString(payload)
@@ -259,31 +280,53 @@ func (sp *ServiceProvider) AuthnRequestPost(
 		"SAMLRequest": b64Payload,
 		"RelayState":  relayState,
 	}); err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf(
+			"%s: failed to execute POST binding template: %w",
+			op,
+			ErrInternal,
+		)
 	}
 
 	return buf.Bytes(), authN, nil
 }
 
-func WritePostBindingRequestHeader(w http.ResponseWriter) {
+// WritePostBindingRequestHeader writes recommended content headers when using the SAML HTTP POST binding.
+func WritePostBindingRequestHeader(w http.ResponseWriter) error {
+	const op = "saml.WritePostBindingHeader"
+
+	if w == nil {
+		return fmt.Errorf("%s: response writer is nil", op)
+	}
+
 	w.Header().
 		Add("Content-Security-Policy", fmt.Sprintf("script-src '%s'", postBindingScriptSha256))
 	w.Header().Add("Content-type", "text/html")
+
+	return nil
 }
 
+// AuthRequestRedirect creates a SAML authentication request with HTTP redirect binding.
 func (sp *ServiceProvider) AuthnRequestRedirect(
 	relayState string, opts ...Option,
 ) (*url.URL, *core.AuthnRequest, error) {
 	const op = "saml.ServiceProvider.AuthnRequestRedirect"
 
 	requestID, err := sp.cfg.GenerateAuthRequestID()
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf(
+			"%s: failed to generate authentication request ID: %w",
+			op,
+			err,
+		)
 	}
 
 	authN, err := sp.CreateAuthnRequest(requestID, core.ServiceBindingHTTPRedirect, opts...)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf(
+			"%s: failed to create SAML auth request: %w",
+			op,
+			err,
+		)
 	}
 
 	payload, err := Deflate(authN, opts...)
@@ -325,24 +368,25 @@ func (sp *ServiceProvider) AuthnRequestRedirect(
 // Deflate returns an AuthnRequest in the Deflate file format, applying default
 // compression.
 func Deflate(authn *core.AuthnRequest, opt ...Option) ([]byte, error) {
+	const op = "saml.Deflate"
+
 	buf := bytes.Buffer{}
 	opts := getAuthnRequestOptions(opt...)
 
 	fw, err := flate.NewWriter(&buf, flate.DefaultCompression)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("%s: failed to create new flate writer: %w", op, err)
 	}
-	defer fw.Close()
 
 	encoder := xml.NewEncoder(fw)
 	encoder.Indent("", strings.Repeat(" ", opts.indent))
 	err = encoder.Encode(authn)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("%s: failed to XML encode SAML authn request: %w", op, err)
 	}
 
 	if err := fw.Close(); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("%s: failed to close flate writer: %w", op, err)
 	}
 
 	return buf.Bytes(), nil

diff --git a/saml/go.mod b/saml/go.mod
@@ -5,7 +5,6 @@ go 1.19
 require (
 	github.com/beevik/etree v1.2.0
 	github.com/crewjam/go-xmlsec v0.0.0-20200414151428-d2b1a58f7262
-	github.com/hashicorp/cap v0.3.1
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/jonboulle/clockwork v0.4.0
 	github.com/russellhaering/gosaml2 v0.9.1
@@ -14,27 +13,13 @@ require (
 )
 
 require (
-	github.com/coreos/go-oidc/v3 v3.6.0 // indirect
 	github.com/crewjam/errset v0.0.0-20160219153700-f78d65de925c // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fatih/color v1.15.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.5.0 // indirect
 	github.com/ma314smith/signedxml v1.1.1 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	golang.org/x/crypto v0.10.0 // indirect
-	golang.org/x/net v0.11.0 // indirect
-	golang.org/x/oauth2 v0.9.0 // indirect
-	golang.org/x/sys v0.9.0 // indirect
-	golang.org/x/text v0.10.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 

diff --git a/saml/go.sum b/saml/go.sum
@@ -1,8 +1,6 @@
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/beevik/etree v1.2.0 h1:l7WETslUG/T+xOPs47dtd6jov2Ii/8/OjCldk5fYfQw=
 github.com/beevik/etree v1.2.0/go.mod h1:aiPf89g/1k3AShMVAzriilpcE4R/Vuor90y83zVZWFc=
-github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n/o=
-github.com/coreos/go-oidc/v3 v3.6.0/go.mod h1:ZpHUsHBucTUj6WOkrP4E20UPynbLZzhTQ1XKCXkxyPc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/crewjam/errset v0.0.0-20160219153700-f78d65de925c h1:dCJ9oZ0VgnzJHR5BjkSrwkXA1USu483qlxBd0u29P8s=
 github.com/crewjam/errset v0.0.0-20160219153700-f78d65de925c/go.mod h1:XhiWL7J86xoqJ8+x2OA+AM2l9skQP2DZ0UOXQYVg7uI=
@@ -11,24 +9,6 @@ github.com/crewjam/go-xmlsec v0.0.0-20200414151428-d2b1a58f7262/go.mod h1:M9eHnK
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
-github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
-github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
-github.com/hashicorp/cap v0.3.1 h1:JwX2vg3KIl2+ka4VIPB0yWB9PoPvHL3ACmVrLJLCHDQ=
-github.com/hashicorp/cap v0.3.1/go.mod h1:dHTmyMIVbzT981XxRoci5G//dfWmd/HhuNiCH6J5+IA=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
@@ -45,15 +25,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
-github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/moov-io/signedxml v1.1.1 h1:TQ2fK4DRCYv7agH+z6RjtnBTmEyYMAztFzuHIPtUJpg=
 github.com/moov-io/signedxml v1.1.1/go.mod h1:p+b4f/Wo/qKyew8fHW8VZOgsILWylyvvjdE68egzbwc=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -71,42 +42,10 @@ github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYz
 github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
-golang.org/x/oauth2 v0.9.0 h1:BPpt2kU7oMRq3kCHAA1tbSEshXRw1LpG2ztgDwrzuAs=
-golang.org/x/oauth2 v0.9.0/go.mod h1:qYgFZaFiu6Wg24azG8bdV52QJXJGbZzIIsRCdVKzbLw=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

diff --git a/saml/handler/post_binding.go b/saml/handler/post_binding.go
@@ -26,6 +26,18 @@ func PostBindingHandlerFunc(sp *saml.ServiceProvider) (http.HandlerFunc, error)
 			return
 		}
 
+		err = saml.WritePostBindingRequestHeader(w)
+		if err != nil {
+			http.Error(
+				w,
+				fmt.Sprintf(
+					"failed to write content headers: %s",
+					err.Error(),
+				),
+				http.StatusInternalServerError,
+			)
+		}
+
 		_, err = w.Write(templ)
 		if err != nil {
 			http.Error(