
I have been stuck with this problem for a long time; any help is appreciated.

I am implementing Spring SAML SSO authentication for my application. It's actually a huge security configuration file, therefore I will attach only the configuration part that I think could be important.

@Bean
public MetadataGenerator metadataGenerator() {
    // Generates the SP metadata (entity ID, keys) that is published to the IdP
    MetadataGenerator metadataGenerator = new MetadataGenerator();
    metadataGenerator.setEntityId(env.getProperty("saml.entity.id"));
    metadataGenerator.setExtendedMetadata(extendedMetadata());
    metadataGenerator.setIncludeDiscoveryExtension(false);
    metadataGenerator.setKeyManager(keyManager());
    return metadataGenerator;
}

@Bean
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider() throws MetadataProviderException {
    // Loads the IdP metadata over HTTP from saml.provider.url
    String idpSSOCircleMetadataURL = env.getProperty("saml.provider.url");
    HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(),
            idpSSOCircleMetadataURL);
    httpMetadataProvider.setParserPool(parserPool());
    ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider,
            extendedMetadata());
    // Trust check is on, but the downloaded metadata is not required to be signed
    extendedMetadataDelegate.setMetadataTrustCheck(true);
    extendedMetadataDelegate.setMetadataRequireSignature(false);
    backgroundTaskTimer.purge();
    return extendedMetadataDelegate;
}

The values from the property file used in these beans are:

saml.entity.id=urn:saml2:test:s
saml.provider.url=https://fedsvc-stage.pwc.com/ofiss/FederationMetadata/2007-06/FederationMetadata.xml

My Spring application is hosted on my local machine and the IdP is publicly available. I have added an entry in my hosts file so my IP is mapped to mysso.com.

Now I am trying to access a URL that is behind SAML authentication:

http://mysso.com:8080/sso-self/auth/login

The user gets redirected to the IdP, where they input their credentials, and after successful authentication the user gets redirected back to http://localhost:8080/sso-self/saml/SSO with the SAML response, but I get a 404 in the browser and the following error on the console:

org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a330ei589j3e99ee10d8a55bghc518i

The problem I can see is that the message is being stored and retrieved from two different sessions, as the first request came from the domain name mysso.com but the response is coming back to localhost.

Here is the AuthnRequest XML that is being sent to the IdP:

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/madison-sso-self/saml/SSO" Destination="https://fedsvc-stage.pwc.com/ofiss/" ForceAuthn="false" ID="a345ia5236e6hc2g48ea13fcf4386h7" IsPassive="false" IssueInstant="2018-12-18T07:46:41.812Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:saml2:test:s</saml2:Issuer>
</saml2p:AuthnRequest>

All I could understand is that the AssertionConsumerServiceURL value in the AuthnRequest is http://localhost:8080/madison-sso-self/saml/SSO, and that's why it's coming back to this URL. Now I don't understand why this value is localhost instead of my hostname, which is http://mysso.com:8080/madison-sso-self/saml/SSO.

Please reply in case you need some more information to figure it out. Thanks in advance.


2 Answers

1
votes

Please see the following paragraph in the "spring-security-saml" documentation (https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#chapter-troubleshooting), under "Error 'InResponseToField doesn't correspond to sent message' during SSO":

Make sure that application uses the same HttpSession during sending of the request and reception of the response. Typically, this problem arises when the authentication request is initialized from localhost address or http scheme, while response is received at a public host name or https scheme. E.g., when initializing authentication from URL https://host:port/app/saml/login, the response must be received at https://host:port/app/saml/SSO, not http://host:port/app/saml/SSO or https://localhost:port/app/saml/SSO.

See if you can access the application using the same public DNS name instead of localhost.
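The session-correlation requirement from the documentation quoted above, modelled as an added Python example (not part of this answer or of spring-security-saml): the SP keeps outstanding AuthnRequest IDs in a host-scoped HttpSession, so a Response arriving at localhost cannot find the ID that was stored for mysso.com. Hostnames, request IDs and the minimal samlp:Response are constructed for the example.

```python
"""Model of the check behind the error in the question: the SP remembers the
AuthnRequest ID in the HttpSession of the host the login started on, and the
browser presents that session cookie only to the same host."""
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class SAMLException(Exception):
    pass

class ServiceProvider:
    def __init__(self):
        # host -> outstanding AuthnRequest IDs. One set per HttpSession; the
        # sessions are keyed by host because session cookies are host-scoped.
        self._sessions = {}

    def start_login(self, login_url):
        host = urlsplit(login_url).hostname
        request_id = "_" + secrets.token_hex(16)
        self._sessions.setdefault(host, set()).add(request_id)
        return request_id

    def receive_response(self, acs_url, response_xml):
        host = urlsplit(acs_url).hostname
        in_response_to = ET.fromstring(response_xml).get("InResponseTo")
        outstanding = self._sessions.get(host, set())
        if in_response_to not in outstanding:
            raise SAMLException("InResponseToField of the Response doesn't "
                                f"correspond to sent message {in_response_to}")
        outstanding.discard(in_response_to)  # one-time: a replayed Response fails
        return in_response_to

def idp_response(in_response_to):
    """Constructed minimal samlp:Response (no assertion or signature)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_{secrets.token_hex(8)}" '
            f'Version="2.0" InResponseTo="{in_response_to}"/>')

def sso_round_trip(login_url, acs_url):
    """True when the Response is accepted, False on the InResponseTo failure."""
    sp = ServiceProvider()
    request_id = sp.start_login(login_url)
    try:
        sp.receive_response(acs_url, idp_response(request_id))
        return True
    except SAMLException:
        return False
```

Starting the login on mysso.com and receiving the Response on localhost reproduces the question's failure; using the same host for both passes.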

1
votes

You can use SAMLContextProviderLB to fix this issue. Please replace the values in the configuration below with your server URL.

@Bean
public SAMLContextProviderLB contextProvider() {
    // Fixes the scheme, host, port and context path used to build SAML URLs,
    // instead of deriving them from the incoming request
    SAMLContextProviderLB samlContextProviderLB = new SAMLContextProviderLB();
    samlContextProviderLB.setScheme("https");
    samlContextProviderLB.setServerName("www.myserver.com");
    samlContextProviderLB.setServerPort(443);
    samlContextProviderLB.setContextPath("/spring-security-saml2-sample");
    samlContextProviderLB.setStorageFactory(new EmptyStorageFactory());
    return samlContextProviderLB;
}

The above configuration will use https://www.myserver.com/spring-security-saml2-sample/saml/SSO when redirecting from the SAML service provider.

samlContextProviderLB.setStorageFactory(new EmptyStorageFactory());

The above line will help fix the multiple-sessions issue.