1
votes

Hi everyone! Recently I built a project using the Spring Security SAML extension as SP and ADFS as IdP, and the AuthnRequest XML created by the Spring Security SAML extension looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://127.0.0.1:8080/sp"
    ForceAuthn="false" ID="9135430817744047388" IsPassive="false"
    IssueInstant="2016-11-17T06:20:05.912Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        test
    </saml2:Issuer>
    <saml2p:NameIDPolicy
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true"/>
</samlp:AuthnRequest>

When I sent this SAMLRequest to the ADFS server, the server responded with an error like "urn:oasis:names:tc:SAML:2.0:status:Responder" and no assertion content. For a test, I wrote some Java code with OpenSAML to create the AuthnRequest XML, and I changed the attribute

ID="9135430817744047388"

to

ID="_9135430817744047388"

and then everything works well. It seems that the character _ in the ID affects the result. So my problem is: how can I change the ID attribute in the Spring Security SAML extension to add _ in front of the ID?


1 Answer

0
votes

I made a mistake: the problem has nothing to do with the character _ but with the signing of the request. As the MetadataGenerator's attribute requestSigned is set to true by default, Spring SAML adds the SigAlg and Signature parameters to the HTTP POST request, and the ADFS server then checks the SP's cert registered in the IdP, while I didn't supply the client cert to the IdP. Resolution: set the attribute requestSigned to false, so Spring SAML won't send the signature of the SAMLRequest, and everything works correctly.
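A small linter for the two pitfalls raised in this thread, the ID format from the question and request signing from the answer, as an added example that is not part of the question, the answer or Spring SAML itself; it is in Python rather than Java, and the sample request is constructed from the one posted above.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# The SAML ID attribute is an xs:ID, i.e. an NCName: its first character must
# be a letter or underscore, never a digit. ASCII approximation of the rule;
# non-ASCII name characters are out of scope here (assumption).
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def check_authn_request(xml_text):
    """Lint one samlp:AuthnRequest and report the fields an IdP trips over."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    req_id = root.get("ID", "")
    issuer_el = root.find("{%s}Issuer" % SAML)
    issuer = (issuer_el.text or "") if issuer_el is not None else ""
    return {
        "id": req_id,
        "id_valid": bool(NCNAME_RE.match(req_id)),
        # The IdP matches Issuer against the registered SP entityID exactly,
        # so whitespace around the value (as in the pretty-printed listing) is flagged.
        "issuer": issuer.strip(),
        "issuer_clean": issuer == issuer.strip(),
        # With HTTP-POST and requestSigned=true the request carries an enveloped
        # ds:Signature; an IdP with no SP certificate on file rejects it with a
        # Responder status instead of issuing an assertion.
        "signed": root.find("{%s}Signature" % DS) is not None,
    }


def sample_request(req_id):
    """Constructed sample modelled on the request in the question (not captured traffic)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{p}" '
        'AssertionConsumerServiceURL="http://127.0.0.1:8080/sp" '
        'ForceAuthn="false" ID="{i}" IsPassive="false" '
        'IssueInstant="2016-11-17T06:20:05.912Z" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Version="2.0"><saml2:Issuer xmlns:saml2="{a}">\n        test\n    '
        '</saml2:Issuer><samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>'
    ).format(p=SAMLP, i=req_id, a=SAML)


if __name__ == "__main__":
    for rid in ("9135430817744047388", "_9135430817744047388"):
        print(check_authn_request(sample_request(rid)))
```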