The bug is that the default filter of saml2Login(withDefaults()) gets misconfigured.

Using API: org.springframework.security:spring-security-saml2-service-provider


.properties file:

```properties
server.port=8443
server.ssl.enabled=true
server.ssl.key-alias=spring
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret

spring.security.saml2.relyingparty.registration.okta.identityprovider.entity-id=http://www.okta.com/exk14r8a8uW5ETr0a5d7
spring.security.saml2.relyingparty.registration.okta.identityprovider.metadata-uri=https://dev-16869388.okta.com/app/exk14r8a8uW5ETr0a5d7/sso/saml/metadata
spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.url=https://dev-16869388.okta.com/app/dev-16869388_testapp_1/exk14r8a8uW5ETr0a5d7/sso/saml
spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.sign-request=false
```


Security Config:

```java
protected void configure(HttpSecurity http) {
    http
        .authorizeRequests(authorize -> authorize
            .anyRequest().authenticated()
        )
        .saml2Login(withDefaults());
}
```


IdP values:

- Single Sign On URI: https://localhost:8443/saml/SSO
- Recipient URL: https://localhost:8443/saml/SSO
- Destination URL: https://localhost:8443/saml/SSO
- Audience Restriction: https://localhost:8443/saml/metadata


Problem: When I go to the URL https://localhost:8443, it redirects to Okta, and once I fill in my correct credentials, it goes into an infinite loop.

Reason: The saml2Login filter is not working. When I give the Single Sign On URL as localhost:8444/saml, it works.

The reason is that once the request goes to the IdP and is then filtered by the application, it requests again, and at that time the SAML authentication is redirected again and fulfilled automatically, as we are already logged in there, and this process goes on...

That's why it goes into an infinite loop.

For each request it goes for SAML authentication; then, after getting the response from the IdP, it redirects to the URL, which also goes to SAML authentication, and the process goes on.

This is the bug I found, and I need a solution.

Thank you


Comment From: jzheaux

Hi, @gauravkhare-git, I'm not able to reproduce the issue you've described. Will you please share a minimal GitHub sample that demonstrates the problem?

Comment From: gauravkhare-git

Hi Josh, I have uploaded my project on GitHub. Please check: https://github.com/gauravkhare-git/public/tree/master/SamlBasedAuthentication

Thank you

Comment From: jzheaux

Thanks for the sample, @gauravkhare-git. I'm afraid it's still unclear since I cannot log in to your Okta endpoint to complete the loop you describe.

I wonder if you are getting an infinite loop because Spring Security is trying to forward to the /error page to display an error.

Please change your application to:

```java
http
    .authorizeRequests((authorize) -> authorize
        .mvcMatchers("/error").permitAll()
        .anyRequest().authenticated()
    )
    // ...
```

This will allow Spring Boot's /error endpoint to display without requiring Spring Security to accept the SAML 2.0 response. Then, you should be able to see any error that Spring Security has to display regarding the SAML 2.0 response.

You may also consider changing your logging level to:

```yaml
logging.level.org.springframework.security: TRACE
```

to see if this reveals additional important details.

Comment From: gauravkhare-git

Thanks Josh, `.mvcMatchers("error").permitAll()` worked.

After the successful login it says 403 Forbidden for every request, even on the SSO recipient. Can you help me with this? Yes, my Okta testing account credentials are email: stargaurav317@gmail.com, password: [redacted], and I am using the test app of the same.

Comment From: DineshNO

Hi @gauravkhare-git, I am facing the exact same issue where I am getting a 403. What have you done to resolve this? Please let me know.