Does the Azure SAML IdP require that the service provider use the “HTTP Redirect” binding to verify signatures on the AuthnRequest?
Currently our application uses the "HTTP POST" binding with the signature contained inside the AuthnRequest. In this configuration, when requiring signed requests, Azure returns error AADSTS76021. If the signature is not required, it works correctly.
We are trying to determine if HTTP Redirect is required to verify the signatures, rather than allowing usage of HTTP POST.
We have received examples showing the usage of redirect; however, what we are trying to understand is “Here is how it can work” versus “Here is how it must work”.
“The cloud service (the service provider) uses an HTTP Redirect binding”
Vs
“The cloud service (the service provider) must use an HTTP Redirect binding”
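
For readers comparing the two bindings named in the question, the following is an added example (not part of the original post, and not Azure's or the poster's code). It shows where the SAML 2.0 bindings specification places the AuthnRequest signature in each case: inside the XML for HTTP-POST, and in a `Signature` query parameter computed over `SAMLRequest`, `RelayState` and `SigAlg` for HTTP-Redirect. All function names are hypothetical and the sample request is constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def sample_request(with_signature):
    # Constructed sample AuthnRequest; the signature value is a placeholder, not a real one.
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            + (sig if with_signature else "") + '</samlp:AuthnRequest>')

def encode_post(xml):
    """HTTP-POST binding: base64 only, sent as the SAMLRequest form field."""
    return base64.b64encode(xml.encode()).decode()

def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def redirect_signed_octets(saml_request, sig_alg, relay_state=None):
    """Query-string octets the SP signs for HTTP-Redirect, in the order the binding fixes."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)

def signature_location(binding, params):
    """Return 'xml', 'query' or 'none' for a request captured from your own SP."""
    raw = base64.b64decode(params["SAMLRequest"])
    xml = zlib.decompress(raw, -15) if binding == "redirect" else raw
    # ElementTree is not hardened against hostile XML; use it on your own traffic only.
    if ET.fromstring(xml).find(DSIG) is not None:
        return "xml"
    return "query" if binding == "redirect" and "Signature" in params else "none"
```

Running `signature_location` over a request captured from the service provider shows which of the two signature placements it is actually sending.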