Hello!

I have a problem using SAML: when I have only 1 Kubernetes pod, I can work normally, but when I have 2 pods, SAML cannot perform authentication, it is lost.

One of this component's changes makes the backend stateful, which is problematic because each of the 2 enhanced pods in Kubernetes has a different state.

The situation is as follows:

Pod A receives an authentication request, stores the authentication request in memory, and makes the request to ADFS. The ADFS response is sent to pod B of the SATEBA backend, which does not have the request corresponding to the ADFS response.

What I try to do is:

Spring Security can't use SAML with two stateless pods

Someone knows what I can do to solve this?

Thank you so much!

Comment From: marcusdacoregio

Hi @luissouza,

Based on the description, you are dealing with the problem of not having distributed sessions in a distributed environment.

By default, the SAML 2.0 Login support stores the SAMLRequest in the HttpSession using HttpSessionSaml2AuthenticationRequestRepository. While the session exists in Pod A, it might not exist in Pod B because by default the session is handled by the servlet container and stored in memory.

You have a few options to solve this:

  • Use sticky sessions to route the same request to the same pod
  • Create a Saml2AuthenticationRequestRepository that stores the request in a shared place, but this is not scalable.
  • And the recommended option: Use Spring Session to support clustered sessions without being tied to any application container.

All that said, I think this is not an issue in Spring Security but rather a question, therefore I'm closing this as answered.
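The second option above (a Saml2AuthenticationRequestRepository backed by a shared store) as an added illustration, not code from the issue or from Spring Security itself: the pending AuthnRequest is keyed by its RelayState in Redis with a short TTL, so whichever pod receives the IdP response can find it. It assumes Spring Data Redis is on the classpath, that the request objects are Java-serializable (the default RedisTemplate serializer), and Spring Security 6 jakarta.servlet imports (use javax.servlet on 5.x). The key prefix and TTL are assumed values.

```java
import java.time.Duration;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;

// Shared-store replacement for HttpSessionSaml2AuthenticationRequestRepository.
// Wire it with http.saml2Login(saml2 -> saml2.authenticationRequestRepository(repo)).
public class RedisSaml2AuthenticationRequestRepository
        implements Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> {

    private static final String KEY_PREFIX = "saml2:authnrequest:"; // assumed naming
    // Assumed bound on how long a login may stay pending; expired entries cannot be replayed.
    private static final Duration TTL = Duration.ofMinutes(5);

    private final RedisTemplate<String, AbstractSaml2AuthenticationRequest> redis;

    public RedisSaml2AuthenticationRequestRepository(
            RedisTemplate<String, AbstractSaml2AuthenticationRequest> redis) {
        this.redis = redis;
    }

    @Override
    public void saveAuthenticationRequest(AbstractSaml2AuthenticationRequest authnRequest,
            HttpServletRequest request, HttpServletResponse response) {
        if (authnRequest == null) { // interface contract: null means "remove"
            removeAuthenticationRequest(request, response);
            return;
        }
        // RelayState is generated by Spring Security as a random value, so it both
        // links the IdP response to this request and is not guessable by a third party.
        redis.opsForValue().set(key(authnRequest.getRelayState()), authnRequest, TTL);
    }

    @Override
    public AbstractSaml2AuthenticationRequest loadAuthenticationRequest(HttpServletRequest request) {
        String relayState = request.getParameter("RelayState"); // echoed back by the IdP
        return relayState == null ? null : redis.opsForValue().get(key(relayState));
    }

    @Override
    public AbstractSaml2AuthenticationRequest removeAuthenticationRequest(
            HttpServletRequest request, HttpServletResponse response) {
        AbstractSaml2AuthenticationRequest stored = loadAuthenticationRequest(request);
        if (stored != null) {
            redis.delete(key(stored.getRelayState())); // one-shot: a second response with the same RelayState fails
        }
        return stored;
    }

    private static String key(String relayState) {
        return KEY_PREFIX + relayState;
    }
}
```

With this in place the InResponseTo check on the SAML response still works on any pod, because the original request is loaded from Redis rather than from pod-local session memory.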

Comment From: luissouza

Hey @marcusdacoregio, thanks for your quick answer! I will test and give you feedback here, thank you so much!