0
votes

I have a Spring-boot web app that uses SAML authentication provided by https://samltest.id/ .

It works fine on localhost but now I'm trying to put it on a server that has Nginx. Nginx is configured so that any http request is redirected to https and https://myserver.company.com/myApp/ is sent to http://local_ip:local_port/ .

This cfg works fine if the application has no security but with SAML the result is: when I access the home page of the app I'm redirected to the login page (correct) and after a successful login I'm redirected to https://myserver.company.com/saml/SSO/ instead of https://myserver.company.com/myApp/saml/SSO so Nginx gives a 404.

The metadata.xml contains:

<md:AssertionConsumerService Location="http://myserver.company.com:80/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
<md:AssertionConsumerService Location="http://myserver.company.com:80/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"/>

Note that URLs are http-based.

After a lot of Google searching I have tried the following: I modified the SAMLProcessingFilter configuration so that the filterProcessesUrl property is "/myApp/saml/SSO" instead of the default value "/saml/SSO".

Now the metadata.xml contains:

<md:AssertionConsumerService Location="http://myserver.company.com:80/myApp/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
<md:AssertionConsumerService Location="http://myserver.company.com:80/myApp/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"/>

and after login I'm redirected to https://myserver.company.com/myApp/saml/SSO but this time I get a 404 from the web application instead of Nginx (the error page is different).

What am I missing?

UPDATE: the 3rd attempt

Now, after a successful login I'm redirected to https://myserver.company.com/myApp/saml/SSO as expected but I get a 401 from the application with message "Authentication Failed: Incoming SAML message is invalid" and in the application log there is "org.opensaml.common.SAMLException: Unsupported request".

1
The metadata has to reflect the URLs which the User-Agent can access. If you do a path mapping at the HTTP reverse-proxy you need to adapt the SecurityConfig to reflect this. - Bernhard Thalmayr
@BernhardThalmayr Please explain better with a full answer. With my 2nd attempt the metadata contains a URL that is accessible through Nginx and Nginx maps it to the usual /saml/SSO that, I supposed, is handled by my app. I also have http.authorizeRequests().antMatchers("/saml/**").permitAll() in my Java config. - Pino

1 Answer

0
votes

After several attempts I have found the solution. No need to modify SAMLProcessingFilter or the context root. The key is to use SAMLContextProviderLB instead of SAMLContextProviderImpl as described in the chapter "Advanced configuration" of the manual. Also the entityBaseURL change already described in my question is necessary (it is in the manual too).
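The two changes the answer names, as an added Java config example (not the answerer's code and not part of the Spring Security SAML extension itself): a SAMLContextProviderLB bean replacing SAMLContextProviderImpl, and entityBaseURL on the MetadataGenerator. Host, path and entity ID are taken from the question or are placeholders; the app is assumed to run at context root "/" locally while Nginx publishes it under /myApp.

```java
// Added example for the Spring Security SAML extension (org.springframework.security.saml),
// an SP behind an Nginx reverse proxy that maps https://myserver.company.com/myApp/ to
// http://local_ip:local_port/. Class and bean names are this example's own.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

@Configuration
public class SamlProxyConfig {

    // Public base URL as the browser sees it (assumption taken from the question).
    private static final String PUBLIC_BASE_URL = "https://myserver.company.com/myApp";

    // SAMLContextProviderLB instead of SAMLContextProviderImpl: the SP builds the URL of
    // the request it is processing from these fixed values, not from the scheme/host/port
    // of the proxied request (http://local_ip:local_port/...). The ACS URL it expects then
    // matches both the published metadata and the URL the browser actually posts to.
    // Fixed values also mean the SP never trusts a forwarded Host header for this.
    @Bean
    public SAMLContextProvider contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme("https");
        provider.setServerName("myserver.company.com");
        provider.setServerPort(443);
        provider.setIncludeServerPortInRequestURL(false);
        provider.setContextPath("/myApp"); // public path prefix added by Nginx
        return provider;
    }

    // entityBaseURL makes the generated metadata advertise
    // https://myserver.company.com/myApp/saml/SSO instead of http://myserver.company.com:80/saml/SSO,
    // without changing filterProcessesUrl or the application's context root.
    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("urn:example:myApp"); // placeholder entity ID
        generator.setEntityBaseURL(PUBLIC_BASE_URL);
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }
}
```

After this change, re-download the SP metadata and re-register it with the IdP (samltest.id), since the AssertionConsumerService locations it contains are what the IdP uses as the response Destination.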