2
votes

I'm facing a problem when using OpenAM with Spring security saml2 example.

I have followed this tutorial to configure the Spring saml2 sample as well as OpenAM. Now I'm getting an error after selecting http://localhost:8080/OpenAM-12.0.0 and clicking login: the browser returns "HTTP Status 500 - The SAML Request is invalid.".

Both the example project and OpenAM are deployed in the same Tomcat server, but I didn't get any exception in any logs.

I have attached below the decoded SAML request extracted from URL.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost:8080/sso/saml/SSO"
    Destination="http://localhost:8080/OpenAM-12.0.0/SSORedirect/metaAlias/idp"
    ForceAuthn="false" ID="a436bg49hb19hhe73i2c450iadb7c8d" IsPassive="false"
    IssueInstant="2015-03-16T12:14:31.468Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sso/saml/metadata</saml2:Issuer>
</saml2p:AuthnRequest>
1
Have you turned on the debug logs for OpenAM? If not, do, and see if you get something useful. – Stefan Rasmusson

1 Answer

1
votes

"The SAML Request is invalid" error message usually means some sort of a trust issue. I think you should check the Circles of Trust configured in OpenAM to see if they contain all the relevant entities, and if they do, then make sure that the SP uses the correct entityID as well when making the request (within the Issuer field).

In any case though, you shouldn't deploy OpenAM using "localhost" (otherwise you'll see problems with cookies later on).
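The checks the answer describes (is the Issuer a registered SP entityID, is it in the same Circle of Trust as the IdP, does the request point at the IdP's own SSO endpoint and at an ACS URL registered for that SP) can be run locally against the decoded request before digging through OpenAM's debug logs. The script below is an added example, not code from the question, the answer or OpenAM: it embeds the AuthnRequest posted in the question, shows how the HTTP-Redirect binding encodes it (raw DEFLATE then base64, which is how it arrives in the `SAMLRequest` query parameter), parses it with the standard library, and compares it against a constructed IdP-side trust configuration. The IdP entityID `http://localhost:8080/OpenAM-12.0.0` and the registered SP endpoints in `IDP_OK` / `IDP_MISSING_SP` are assumptions for the example; only the Destination and ACS URL come from the question.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The decoded AuthnRequest from the question, embedded as sample input.
AUTHN_REQUEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost:8080/sso/saml/SSO"
    Destination="http://localhost:8080/OpenAM-12.0.0/SSORedirect/metaAlias/idp"
    ForceAuthn="false" ID="a436bg49hb19hhe73i2c450iadb7c8d" IsPassive="false"
    IssueInstant="2015-03-16T12:14:31.468Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/sso/saml/metadata</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed IdP-side trust configuration (assumed values, not read from OpenAM).
SP_ENTITY_ID = "http://localhost:8080/sso/saml/metadata"
IDP_ENTITY_ID = "http://localhost:8080/OpenAM-12.0.0"  # assumption for the example
IDP_OK = {
    "idp_entity_id": IDP_ENTITY_ID,
    "sso_redirect_endpoint": "http://localhost:8080/OpenAM-12.0.0/SSORedirect/metaAlias/idp",
    "circle_of_trust": {IDP_ENTITY_ID, SP_ENTITY_ID},
    "sps": {SP_ENTITY_ID: {"acs_urls": {"http://localhost:8080/sso/saml/SSO"}}},
}
# Same IdP, but the SP was never added to the Circle of Trust.
IDP_MISSING_SP = dict(IDP_OK, circle_of_trust={IDP_ENTITY_ID})


def encode_redirect(xml_text):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_redirect(saml_request_param):
    """Reverse of encode_redirect: base64 decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def parse_authn_request(xml_text):
    """Pull the fields an IdP checks first out of an AuthnRequest."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}AuthnRequest" % NS["saml2p"]:
        raise ValueError("root element is not saml2p:AuthnRequest")
    issuer = root.find("saml2:Issuer", NS)
    return {
        "id": root.get("ID"),
        "version": root.get("Version"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


def check_trust(req, idp):
    """Return the reasons an IdP configured like `idp` would reject `req` (empty list = accepted)."""
    problems = []
    if req["version"] != "2.0":
        problems.append("Version is %r, expected 2.0" % req["version"])
    sp = idp["sps"].get(req["issuer"])
    if sp is None:
        problems.append("Issuer %r is not a registered SP entityID" % req["issuer"])
    elif req["issuer"] not in idp["circle_of_trust"]:
        problems.append("SP %r is not in the IdP's Circle of Trust" % req["issuer"])
    if idp["idp_entity_id"] not in idp["circle_of_trust"]:
        problems.append("IdP %r is not in its own Circle of Trust" % idp["idp_entity_id"])
    if req["destination"] != idp["sso_redirect_endpoint"]:
        problems.append("Destination %r does not match the IdP SSO endpoint" % req["destination"])
    if sp is not None and req["acs_url"] not in sp["acs_urls"]:
        problems.append("AssertionConsumerServiceURL %r is not registered for this SP" % req["acs_url"])
    return problems


def check_request_param(saml_request_param, idp):
    """End to end: decode the query parameter, parse it, and run the trust checks."""
    return check_trust(parse_authn_request(decode_redirect(saml_request_param)), idp)


if __name__ == "__main__":
    param = encode_redirect(AUTHN_REQUEST_XML)
    for name, cfg in (("correct CoT", IDP_OK), ("SP missing from CoT", IDP_MISSING_SP)):
        print(name, "->", check_request_param(param, cfg) or "accepted")
```

To use it against a real request, paste the `SAMLRequest` value from the redirect URL (URL-decoded) into `check_request_param` and fill `IDP_OK` from the OpenAM Circle of Trust and SP entity configuration; each non-empty entry in the returned list is one concrete mismatch to fix on the SP or IdP side. The signature, if the SP signs redirect requests, is deliberately left out here because it is validated against the SP's metadata certificate, not against the fields this script inspects.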