-
Notifications
You must be signed in to change notification settings - Fork 6.1k
Add proxy/load-balancer/ssl termination support, like SAMLContextProviderLB #8977
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
Maybe this is a bug and not an enhancement request. |
I've patched Saml2WebSsoAuthenticationFilter locally with
This works for me. |
@jdzijlstra, I believe this is resolved by #8887, which was released as part of If after you try |
I'm using 5.5.2 and can't get my providers SAML working. Works fine in lower envs, but the higher envs have an nginx proxy. The provider sends to URL with context, nginx removes context, now the SAML data doesn't match with what Spring thinks is the full URL. This is apparently not supported in any way? Updated nginx to proxy full URL and added Both the top-level Destination and the SubjectConfirmationData > Recipient have identical values. And they match the public URL exactly. I assume the proxy sending it to I can't (or don't know how) to take advantage of DefaultRelyingPartyRegistrationResolver, since I am using:
We have ansible download the metadata and deploy it on the server, the [It's also standard, when asserting, to log both the actual and the expected on failure. Your log messages only show one of these and they don't even make it clear which it is (the actual or expected). This is not helpful.] |
In Spring Boot, you can use
This sounds like what Spring Boot already does, so it might be worth it to log an issue in Spring Boot with a sample demonstrating what's not working for you.
I think the logging could be improved. The logs are defensive because these are user-specified values. To add values to the logs, the values would ideally be escaped or only logged when signature validation has passed. You are welcome to file an issue. |
I'm sorry, I thought I deleted this. We were able to solve it by modifying the ACS during our registration setup by passing in a property for the base url part: Although, your solution of Apologies for the trouble and the necro. |
Uh oh!
There was an error while loading. Please reload this page.
Current Behavior
I have a springboot application using SAML2 (using spring-security-saml2-service-provider). My application (the SP) needs to work with Microsoft Azure (the IDP) and is running in a docker image behind a proxy with SSL termination.
Azure (rightfully) requires my 'service-url' ( assertionConsumerServiceUrlTemplate) to use https.
This means that for Azure, my application is accessible via https only, where the proxy proxies to my application via http, so my application receives an http-request. Therefore my 'service-url' is set to an https-address, otherwise Azure cannot access my application via the proxy, but the application reconstructs the URL, via the request, to an http-address.
The problem now is that the response from Azure is not accepted. I get the error: "An error occurred while validating the assertion: No subject confirmation methods were met for assertion with ID '_90d4b4e4-ba9f-44ee-9fa2-4cbf4f951f00'".
Debug-logging shows
(of course myhost and myapp are replaced)
The SubjectConfirmationData@Recipient ('https://myhost/login/saml2/sso/myapp') is received from the IDP, but is actually the value set via
The supplied valid recipients ('http://myhost/login/saml2/sso/myapp') is deducted from the http-request (in Saml2WebSsoAuth.attemptAuthentication: request.getRequestURL().toString()):
Expected Behavior
I'd like to be able to overrule the URL (valid recipients), and not always deduct it from the request.
In my case I would like to overrule the scheme, but I can image that also the hostname, port and path may be necessary to be overruled.
Actually, while thinking it over again, shouldn't the URL as received from the IDP not be compared to the value as configured in RelyingPartyRegistration.assertionConsumerServiceUrlTemplate(String)? So, we tell the IDP to contact us at a certain URL and in the message says it is meant for that URL and we check if that URL is indeed the URL we have configured.
Thus, i.s.o. passing request.getRequestURL().toString() to Saml2WebSsoAuth.attemptAuthentication, pass in the value based on rp.getAssertionConsumerServiceUrlTemplate() (and the request to compute {baseUrl} if it is in there)
Context
At this moment I don't see a workaround, other than let my application (Tomcat) handle the HTTPS itself, but this is not allowed by my company.
Another workaround is not to use spring-security-saml2-service-provider, but the 'old' spring-security-saml. This requires of course a rewrite of my code get that to work again.
The text was updated successfully, but these errors were encountered: