Summary
In the current SAML2 implementation, the baseUrl is resolved by the method Saml2ServletUtils#resolveUrlTemplate. The implementation does not consider the following headers:
- X-Forwarded-Host
- X-Forwarded-Port
- X-Forwarded-Proto
Therefore Saml2WebSsoAuthenticationRequestFilter#createRedirectAuthenticationRequestContext sets a wrong value for assertionConsumerServiceUrl when the service is behind a proxy.
Unfortunately, the assertionConsumerServiceUrlTemplate is hardcoded in Saml2RelyingPartyRegistrationConfiguration#asRegistration. Making it configurable on org.springframework.boot.autoconfigure.security.saml2.Registration would be very helpful.
Notice that Saml2WebSsoAuthenticationFilter#attemptAuthentication would also need to support URL transformation. This part of the issue can be solved by setting server.forward-headers-strategy: native.
Actual Behavior
Wrong {baseUrl} used for template URLs.
Expected Behavior
X-Forwarded-* headers are considered.
Version
2.5.3
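To make the reported behaviour concrete, the following is an added illustration (not Spring's code and not from the reporter): a small Python model of how a `{baseUrl}` template such as `{baseUrl}/login/saml2/sso/{registrationId}` expands when X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port are ignored versus honoured, the way `server.forward-headers-strategy: native` makes the container do. The `Request` class, the helper names and the sample requests are assumptions constructed for this example. It also shows the caveat that matters in practice: forwarded headers must only be trusted when a proxy you control sets them and the application port is not reachable directly, otherwise a client can forge X-Forwarded-Host and steer the assertionConsumerServiceUrl placed in the AuthnRequest.

```python
"""Toy model of {baseUrl} template resolution for a SAML2 ACS URL.

Added example, not Spring Security's implementation. Request,
resolve_base_url and render_acs_url are names invented for this model;
the behaviour mirrors what the issue describes (headers ignored) and what
the container does once forwarded headers are honoured.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    scheme: str                      # scheme as seen by the servlet container
    host: str                        # Host as seen by the container
    port: int
    context_path: str = ""
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def resolve_base_url(req: Request, trust_forwarded: bool) -> str:
    """Return scheme://host[:port]<context_path>.

    trust_forwarded=False models the reported behaviour: proxy headers are
    ignored, so behind a TLS-terminating proxy the internal address leaks.
    trust_forwarded=True models server.forward-headers-strategy=native:
    X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port are applied.
    """
    scheme, host, port = req.scheme, req.host, req.port
    if trust_forwarded:
        fwd_proto = req.header("X-Forwarded-Proto")
        fwd_host = req.header("X-Forwarded-Host")
        fwd_port = req.header("X-Forwarded-Port")
        if fwd_proto:
            # first value wins when several proxies appended to the header
            scheme = fwd_proto.split(",")[0].strip().lower()
            # port follows the forwarded scheme unless overridden below
            port = DEFAULT_PORTS.get(scheme, port)
        if fwd_host:
            host = fwd_host.split(",")[0].strip()
            if ":" in host and not host.startswith("["):
                host, _, explicit_port = host.partition(":")
                port = int(explicit_port)
        if fwd_port:
            port = int(fwd_port.split(",")[0].strip())
    # elide the port when it is the scheme's default
    authority = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return f"{scheme}://{authority}{req.context_path}"


def render_acs_url(template: str, req: Request, registration_id: str,
                   trust_forwarded: bool) -> str:
    """Expand the {baseUrl} and {registrationId} placeholders of an ACS template."""
    return (template.replace("{baseUrl}", resolve_base_url(req, trust_forwarded))
                    .replace("{registrationId}", registration_id))


ACS_TEMPLATE = "{baseUrl}/login/saml2/sso/{registrationId}"

# Constructed sample: the app listens on plain HTTP 8080 behind a
# TLS-terminating reverse proxy that sets the X-Forwarded-* headers.
BEHIND_PROXY = Request(
    scheme="http", host="app-internal", port=8080,
    headers={"X-Forwarded-Proto": "https",
             "X-Forwarded-Host": "sso.example.com",
             "X-Forwarded-Port": "443"})

# Constructed sample: a client reaches the app port directly (no proxy
# in front to overwrite the header) and forges X-Forwarded-Host.
FORGED = Request(scheme="http", host="app-internal", port=8080,
                 headers={"X-Forwarded-Host": "attacker.example"})


def wrong_acs_url() -> str:
    # The reported bug: headers ignored, internal address ends up in the AuthnRequest
    return render_acs_url(ACS_TEMPLATE, BEHIND_PROXY, "my-id", trust_forwarded=False)


def fixed_acs_url() -> str:
    # Headers honoured: the public URL the IdP must POST the assertion to
    return render_acs_url(ACS_TEMPLATE, BEHIND_PROXY, "my-id", trust_forwarded=True)


def forged_acs_url() -> str:
    # Caveat: honouring headers without a trusted proxy lets a client pick the ACS host
    return render_acs_url(ACS_TEMPLATE, FORGED, "my-id", trust_forwarded=True)


if __name__ == "__main__":
    print("headers ignored :", wrong_acs_url())
    print("headers honoured:", fixed_acs_url())
    print("forged, no proxy:", forged_acs_url())
```

The third case is why `server.forward-headers-strategy` is opt-in: it should be enabled only when the application is reachable exclusively through a proxy that overwrites (not merely appends to) the X-Forwarded-* headers.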
Comment From: jzheaux
@dkellenb thanks for the report, I will look into this.
In the meantime, note that you can publish your own RelyingPartyRegistrationRepository instead of relying on the Spring Boot properties.
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

@Bean
public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
    // Building the registration by hand lets you choose the assertion consumer
    // service location template yourself instead of taking the hard-coded one.
    RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId("my-id");
    // ....
    return new InMemoryRelyingPartyRegistrationRepository(builder.build());
}
TestRelyingPartyRegistrations contains an example of creating a RelyingPartyRegistration by hand.
Comment From: jzheaux
@dkellenb Are you able to apply this documentation to handle the x-forwarded headers?
Comment From: dkellenb
Hi @jzheaux. Actually, I did not notice that server.forward-headers-strategy: native also fixed the wrong value in assertionConsumerServiceUrl. So the workaround of creating an Advice for it was not needed.
=> I can confirm that the server.forward-headers-strategy option fixes it.