I have integrated SAML with Spring Security, and recently upgraded to Spring 3.0.6. After upgrading, the SAML integration is broken. Below is the problem description.
After successful authentication, the app redirects to "https://example.com/contextPath/login/saml2/sso/app". This request succeeds in Spring 5 and fails in Spring 6. After debugging the Spring internals I found the code difference below.
In Spring 5: while executing the redirected request, the requiresAuthentication() method always returns false and the request executes successfully. Below is the code snippet in Spring 5.
package org.springframework.security.saml2.provider.service.servlet.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.util.StringUtils;

// Excerpt of the Spring Security 5 filter; constructors omitted.
public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Only attempt authentication when the URL matches AND a SAMLResponse
        // parameter is present; any other request is passed down the chain.
        return (super.requiresAuthentication(request, response)
                && StringUtils.hasText(request.getParameter(Saml2ParameterNames.SAML_RESPONSE)));
    }
}
In Spring 6: while executing the redirected request, the requiresAuthentication() method returns true and an error response is returned. Below is the code snippet in Spring 6.
package org.springframework.security.saml2.provider.service.web.authentication;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

// Excerpt of the Spring Security 6 filter; constructors omitted.
public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Every request matching the URL is now processed, so one without a
        // SAMLResponse parameter fails authentication instead of passing through.
        return super.requiresAuthentication(request, response);
    }
}
Please suggest how to proceed with Spring 6.
Below is the SAML configuration.
http.saml2Login(saml2 -> {
    saml2.relyingPartyRegistrationRepository(relyingPartyRegistrations());
    saml2.defaultSuccessUrl("https://example.com/contextPath/login/saml2/sso/app");
    saml2.authenticationManager(new ProviderManager(authenticationProvider));
    saml2.successHandler(new SAMLLoginSuccessHandler());
});
I have added a cookie to the response like below:
import jakarta.servlet.http.Cookie;   // jakarta namespace with Spring 6 / Spring Boot 3

Cookie cookie = new Cookie("auth", jwtToken);
cookie.setHttpOnly(true);   // not readable from page scripts
cookie.setSecure(true);     // only sent over HTTPS
cookie.setPath("/contextPath");
response.addCookie(cookie);
When it is redirected, it is inspected in the browser; below is the image. Image1
When the redirected request is sent, below is the image. Image2
Comment From: jzheaux
Thanks for reaching out, @maareddy. In Spring Security 6, if /login/saml2/sso/app is requested, but no SAMLResponse is present in the request, the filter will respond with an error.
While this could be the issue in your application, it is tricky to tell without a sample. Can you produce a minimal sample that shows how it acts with a sample SAML Response?
Comment From: maareddy
Hi @jzheaux, thanks for your response. Below is the request and response flow:
- Using a POST request to get the IdP page. It uses the sendPost() method of Saml2WebSsoAuthenticationRequestFilter.java.
- Submit the login credentials to the IdP.
- The IdP validates the credentials and sends back the response to our app.
- Our app is able to get the SAMLResponse, and is able to call the success handler configured in saml2.successHandler(new SAMLLoginSuccessHandler()):
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class SAMLLoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(final HttpServletRequest request,
            final HttpServletResponse response, final Authentication authentication)
            throws IOException, ServletException {
        // ...
        // Redirects back to the SAML assertion consumer endpoint (the step under discussion).
        String redirectUri = "https://example.com/contextPath/login/saml2/sso/app";
        response.sendRedirect(redirectUri);
    }
}
- In the success handler (i.e. onAuthenticationSuccess()), we are redirecting to /login/saml2/sso/app to show our application. But we are getting an error that SAMLResponse is not present. I think we are not able to get SAMLResponse from the request as we are redirecting. I am not sure how to get our application page from this point.
Please suggest how to proceed.
Comment From: annabackiyam
I'm currently grappling with an issue and was wondering if there have been any updates on a similar situation. The problem arises when the POST request data (specifically SAMLResponse) appears to be null behind an nginx proxy. Consequently, this triggers the following error message: "org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException: No relying party registration found." It's worth noting that this functionality was working as expected in a prior version of Spring Boot.
Any insights or assistance would be greatly appreciated. Thank you.
Comment From: jzheaux
@maareddy, sorry for the delay in responding.
If authentication has already succeeded, then I imagine you'd redirect to something like a home page or whatever is stored as the saved request. The endpoint you are referring to is one for processing a SAML response, which I don't think is what you intend to do at this point in the flow.
If that doesn't help, please consider opening a StackOverflow question where I'd be happy to support you further.
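A success handler that follows the advice above, written as an added example for this thread rather than code from Spring Security or from the original poster: it issues the JWT cookie and then lets SavedRequestAwareAuthenticationSuccessHandler redirect to the saved request (or a default page), instead of redirecting back to the assertion consumer endpoint. The TokenIssuer interface, the "/app" landing page, the one-hour cookie lifetime and the SecurityConfig class are assumptions for illustration.

```java
import java.io.IOException;
import java.time.Duration;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Success handler for saml2Login: sets the application's JWT cookie, then hands off
 * to the saved-request logic instead of redirecting to the SAML processing endpoint.
 */
public class SamlLoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    /** Hypothetical: whatever the application uses to mint its JWT for a user. */
    public interface TokenIssuer {
        String issue(Authentication authentication);
    }

    private final TokenIssuer tokenIssuer;

    public SamlLoginSuccessHandler(TokenIssuer tokenIssuer) {
        this.tokenIssuer = tokenIssuer;
        // Assumed landing page, used only when no saved request exists. A relative URL
        // is prefixed with the servlet context path by the default redirect strategy.
        setDefaultTargetUrl("/app");
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        String jwt = tokenIssuer.issue(authentication);
        String contextPath = request.getContextPath();
        ResponseCookie cookie = ResponseCookie.from("auth", jwt)
                .httpOnly(true)                 // not readable from page scripts
                .secure(true)                   // only sent over HTTPS
                .sameSite("Lax")                // still sent on the top-level redirect that follows
                .path(contextPath.isEmpty() ? "/" : contextPath)   // taken from the request, not hard-coded
                .maxAge(Duration.ofHours(1))    // assumed lifetime; keep it in step with the JWT's exp claim
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());

        // Redirect to the originally requested page if one was saved, else to /app.
        // Do NOT redirect to /login/saml2/sso/{registrationId}: that is the assertion
        // consumer endpoint and it expects a POST carrying a SAMLResponse parameter.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

/** Assumed wiring: protect everything, so unauthenticated requests get saved and replayed after login. */
@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            RelyingPartyRegistrationRepository registrations,
            SamlLoginSuccessHandler.TokenIssuer issuer) throws Exception {
        http.authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                .relyingPartyRegistrationRepository(registrations)
                .successHandler(new SamlLoginSuccessHandler(issuer)));
        return http.build();
    }
}
```

The handler runs only after Saml2WebSsoAuthenticationFilter has already accepted the SAMLResponse; a further redirect into /login/saml2/sso/** would arrive as a GET without that parameter, which is exactly the request the Spring 6 filter rejects. The cookie path is derived from request.getContextPath() so the handler does not break when the application is deployed under a different context.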
Comment From: jzheaux
@annabackiyam, please open a separate ticket that includes a minimal sample. It sounds like your situation is different in that it cannot derive the relying party registration from the request.
Comment From: annabackiyam
@jzheaux Thank you for your response. As it turns out, the issue was caused by the request body size being extremely large, which exceeded the maximum allowable limit set by the emissary-ingress for the auth service. This limitation prevented the proper transmission of the SAML response, resulting in the error message stating "no relying party." In hindsight, a more helpful error message would have been "Request body is empty".
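One way to get the clearer error asked for above, as an added example that is not part of Spring Security or of this thread: a small filter placed in front of Saml2WebSsoAuthenticationFilter that rejects a POST to the assertion consumer path whose SAMLResponse parameter is absent or empty, and logs the Content-Length so a body dropped or truncated by an ingress proxy shows up in the application log instead of as "No relying party registration found". The path pattern, the log text and the 400 message are assumptions.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects assertion-consumer POSTs that carry no SAMLResponse before they reach
 * Saml2WebSsoAuthenticationFilter, so the log states what actually went wrong.
 */
public class MissingSamlResponseFilter extends OncePerRequestFilter {

    private static final Log log = LogFactory.getLog(MissingSamlResponseFilter.class);

    // Assumption: the default Spring Security 6 assertion consumer service path.
    private final RequestMatcher acsMatcher =
            new AntPathRequestMatcher("/login/saml2/sso/**", "POST");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        if (acsMatcher.matches(request)
                && !StringUtils.hasText(request.getParameter(Saml2ParameterNames.SAML_RESPONSE))) {
            // A signed SAML response is several kilobytes of form data; an absent or
            // near-empty body here usually means a proxy in front of the app cut it off.
            log.warn("POST " + request.getRequestURI() + " without SAMLResponse: Content-Length="
                    + request.getContentLengthLong() + ", Content-Type=" + request.getContentType());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "SAMLResponse parameter is missing or empty; check request body size limits "
                    + "on any proxy or ingress in front of this service");
            return;
        }
        chain.doFilter(request, response);
    }

    /** Wires the filter just ahead of the SAML processing filter in the security chain. */
    public static void configure(HttpSecurity http) {
        http.addFilterBefore(new MissingSamlResponseFilter(), Saml2WebSsoAuthenticationFilter.class);
    }
}
```

Call MissingSamlResponseFilter.configure(http) from the SecurityFilterChain bean. Reading request.getParameter(...) here is safe because the container caches parsed form parameters, so the SAML filter downstream still sees the same values. The error text deliberately says nothing about the relying party or the IdP; it only points at the body-size limit, which is the condition this check is meant to surface.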
Comment From: jzheaux
Thanks, @annabackiyam, I'll go ahead and close this issue, then. When you have a moment, will you please log a ticket to detail the error handling improvements you found?