3
votes

We are developing a web application which offers multiple login mechanisms such as LDAP, Kerberos, SAP Logon Ticket as well as SAML.

For this we use the Spring Security Framework which works (mostly) fantastic!

A few months ago we added SAML support to our application and tested this with an external IdP (SSOcircle). We also worked closely with the CEO of SSOcircle to get us up and running.

Everything worked just fine and we thought we could enroll SAML with our first real life customer.

So we set up a test server (SP) on a Linux machine, and configured our part (we used this doc: http://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-idp-guide.html) and waited for our customer to do their part.

But when they tried to SSO into our application (they use ADFS), we ran into an issue.

Right now, we get one of two error messages: either this one

Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: Empty username not allowed!

or this one

Error validating SAML message org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration

During the troubleshooting I came across these other threads here on StackOverflow:

SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration

Configuring ADFS 3.0 / SAML 2.0 to work with Spring Security for SSO integration

NameID element must be present as part of the Subject

The odd thing is that the second error message (regarding the NameID element) comes up only if we change the ADFS claim rule from "Outgoing claim type" to "Pass Through claim type".

Right now, I have no idea where to continue my troubleshooting. Any ideas or thoughts on this issue?

Best regards, René

EDIT1: I attached a link to the debug logfile and our SAML security config

EDIT2: Does someone know if there is a way to specify a timezone which SAML should use? Right now, Zulu time seems to be the time zone used although our OS is configured to use CET/CEST. Therefore we had to use responseSkew parameters for login/logout.

EDIT3: Debug & Config removed because we solved the problem

1
A wild guess for that "odd thing": it might be that when you changed the claim rule type, the claim that was issued to map to NameId was filtered out, which stopped NameId from being issued. – Thuan

Thanks, that is a good idea. I'll keep that in mind during debugging. :) – hlpinform

1 Answer

2
votes

Okay, we solved the problem.

During a live debugging session we noticed that NameID was not sent as a SAML assertion attribute key/value pair but as a "standalone" key/value pair in the SAML assertion "header".

So we modified our code to cover both possible positions within the SAML assertion and now it works just fine. :D
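The "both possible positions" idea from the answer, written out as an added example (not the asker's code): a Spring Security SAML `SAMLUserDetailsService` that takes the login name from the Subject/NameID first and falls back to an attribute in the AttributeStatement, rejecting an empty result instead of letting it reach the user store. The fallback attribute name `urn:example:claims:username` is an assumption; use the claim type your IdP actually issues.

```java
import java.util.Collections;

import org.opensaml.saml2.core.NameID;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Resolves the login name from either place an IdP may put it:
 * the <Subject><NameID> element, or an attribute in the <AttributeStatement>.
 */
public class NameIdOrAttributeUserDetailsService implements SAMLUserDetailsService {

    // Assumed attribute name for illustration; replace with the claim type your IdP issues.
    private static final String FALLBACK_ATTRIBUTE = "urn:example:claims:username";

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        String username = resolveUsername(credential);
        if (username == null || username.trim().isEmpty()) {
            // Fail closed: never build a principal with no identity behind it.
            throw new UsernameNotFoundException("Empty username not allowed!");
        }
        // Look the user up in your own user store here; a minimal principal is built for illustration.
        return new User(username, "",
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    /** Position 1: Subject/NameID. Position 2: an attribute in the AttributeStatement. */
    static String resolveUsername(SAMLCredential credential) {
        NameID nameId = credential.getNameID();
        if (nameId != null && nameId.getValue() != null && !nameId.getValue().trim().isEmpty()) {
            return nameId.getValue();
        }
        // Returns null when the attribute is absent, which the caller treats as "no username".
        return credential.getAttributeAsString(FALLBACK_ATTRIBUTE);
    }
}
```

Wire it in as the `userDetails` property of `SAMLAuthenticationProvider`; which of the two positions the IdP uses can still be seen in the SAML debug log, so the fallback should be a stopgap while the claim rules are corrected on the IdP side.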