
I am using the Spring SAML extension with Apache 2.2 + Tomcat 7.0 + Okta (IdP). The securityContext.xml looks as follows:

MetadataGeneratorFilter:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityBaseURL" value="https://myapp.com/api"/>
        </bean>
    </constructor-arg>
</bean>

ContextProvider:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="myapp.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/api"/>
    <property name="storageFactory">
        <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
    </property>
</bean>

I use the following URL, which triggers the SP-initiated login:

https://myapp.com/api/welcome.html

After authentication is complete, the browser gets redirected to HTTP instead of HTTPS:

http://myapp.com/api/welcome.html

I don't know why the request gets redirected to HTTP. Please help.

Thanks

Nara

HTTP Requests Dump:

https://docs.google.com/document/d/1mYh-EhDjxMixzZ8krhOg_2fjpTaTu7fuST_nIXAMeVY/edit?usp=sharing

In Okta, I created a SAML 2.0 app with the following metadata:

    Single Sign On URL => https://myapp.com/api/saml/SSO
    Recipient URL => https://myapp.com/api/saml/SSO
    Destination URL => https://myapp.com/api/saml/SSO
    Audience Restriction => https://myapp.com/api/saml/metadata
    Default Relay State => https://myapp.com/dashboard.html
    Name ID Format => Unspecified
    Response => Signed
    Assertion Signature => Signed
    Signature Algorithm => RSA_SHA256
    Digest Algorithm => SHA256
    Assertion Encryption => Unencrypted
    SAML Single Logout => Disabled
    authnContextClassRef => PasswordProtectedTransport
    Request Compression => Uncompressed
    Honor Force Authentication => Yes
    SAML Issuer ID => http://www.okta.com/${org.externalKey}

Spring Config:

https://docs.google.com/document/d/16iDLcBuwvQ23-mKMFybPfxdIyvqCBi5sbYePgUjl0p4/edit?usp=sharing
Please make a dump of the HTTP requests between IdP and SP + the metadata you imported to the IdP and add it to the question. – Vladimír Schäfer

Vladimir: Appreciate your response. Please find above the additional data as requested. – s_v_2

Okta is responding to the correct address "myapp.com/api/saml/SSO", so the issue is somewhere in the Spring configuration. Could you please post the complete Spring configs? – Vladimír Schäfer

Thanks Vladimir. Please find the link for the Spring config. – s_v_2

2 Answers


I still don't see the real reason; your configuration looks OK, but please try replacing the current successRedirectHandler with the following (replace the URL with your own, of course) and see if the issue goes away:

<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="https://yourapp.com/welcome.jsp"/>
</bean>

Make sure that your IdP is configured with the proper metadata XML, with HTTPS assertion endpoints:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://../saml/SSO" index="0" isDefault="true" />
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://.../saml/SSO" index="1" />
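A quick way to verify the point in this answer, and the Okta app values listed in the question, is to parse the SP metadata that MetadataGeneratorFilter serves at /saml/metadata and check that every endpoint Location is https and sits under the configured entityBaseURL, then compare the IdP-side SSO/Recipient/Destination/Audience values against it. The script below is an added example, not code from the question, the answers or Spring Security SAML. The metadata documents are constructed by hand in the shape MetadataGenerator emits, with the entityBaseURL and Okta values copied from the question; the second copy, with http and an assumed port 8080, is what an SP behind a TLS-terminating proxy advertises when the servlet container still sees plain HTTP.

```python
"""Check SP SAML metadata for https endpoints under entityBaseURL and cross-check
the IdP app settings against it. Added example; metadata below is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_BASE_URL = "https://myapp.com/api"   # entityBaseURL from the question's MetadataGenerator bean

# Constructed SP metadata in the shape MetadataGeneratorFilter serves at /saml/metadata.
GOOD_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myapp.com/api/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myapp.com/api/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://myapp.com/api/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Same document with the endpoints an SP generates when the container behind the
# proxy sees plain HTTP on an assumed port 8080: the metadata you do NOT want on the IdP.
BAD_SP_METADATA = GOOD_SP_METADATA.replace("https://myapp.com/api/saml/SSO",
                                           "http://myapp.com:8080/api/saml/SSO")

# IdP-side values, as entered in the Okta SAML 2.0 app in the question.
OKTA_APP = {
    "Single Sign On URL": "https://myapp.com/api/saml/SSO",
    "Recipient URL": "https://myapp.com/api/saml/SSO",
    "Destination URL": "https://myapp.com/api/saml/SSO",
    "Audience Restriction": "https://myapp.com/api/saml/metadata",
}


def endpoint_locations(metadata_xml):
    """Return (tag, Binding, Location) for every SP endpoint that has a Location."""
    root = ET.fromstring(metadata_xml)
    found = []
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        for el in sp:
            loc = el.get("Location")
            if loc:
                found.append((el.tag.split("}")[1], el.get("Binding"), loc))
    return found


def check_sp_metadata(metadata_xml, entity_base_url=ENTITY_BASE_URL):
    """Return a list of problems; an empty list means every endpoint is https and under the base URL."""
    problems = []
    root = ET.fromstring(metadata_xml)
    base = urlparse(entity_base_url)
    entity_id = root.get("entityID", "")
    if not entity_id.startswith(entity_base_url):
        problems.append(f"entityID {entity_id} is not under {entity_base_url}")
    for tag, binding, loc in endpoint_locations(metadata_xml):
        u = urlparse(loc)
        if u.scheme != "https":
            problems.append(f"{tag} ({binding}) uses {u.scheme}: {loc}")
        if u.netloc != base.netloc:  # catches a leaked internal host or port such as :8080
            problems.append(f"{tag} host {u.netloc} != {base.netloc}: {loc}")
        if not u.path.startswith(base.path + "/"):
            problems.append(f"{tag} path {u.path} is outside {base.path}/: {loc}")
    return problems


def check_idp_app(idp_settings, metadata_xml):
    """Cross-check the IdP app settings against the SP's HTTP-POST ACS endpoints and entityID."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    post_acs = [loc for tag, binding, loc in endpoint_locations(metadata_xml)
                if tag == "AssertionConsumerService" and binding.endswith("HTTP-POST")]
    problems = []
    for key in ("Single Sign On URL", "Recipient URL", "Destination URL"):
        if idp_settings.get(key) not in post_acs:
            problems.append(f"{key} {idp_settings.get(key)} is not an HTTP-POST ACS in the SP metadata")
    if idp_settings.get("Audience Restriction") != entity_id:
        problems.append(f"Audience Restriction {idp_settings.get('Audience Restriction')} != entityID {entity_id}")
    return problems


if __name__ == "__main__":
    for name, md in (("good", GOOD_SP_METADATA), ("bad", BAD_SP_METADATA)):
        print(name, "metadata:", check_sp_metadata(md) or "ok")
        print(name, "vs Okta app:", check_idp_app(OKTA_APP, md) or "ok")
```

Run it against the real /saml/metadata output instead of the constructed document: if the "bad" pattern shows up there, the IdP has been fed http endpoints and the fix belongs in the SP's URL generation (entityBaseURL and the context provider), not in Okta.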