Spring-SAML : Incoming SAML message is invalid

Question

I am facing an issue while integrating my app with SAML.

The following is my error:

org.springframework.security.saml.SAMLProcessingFilter.attemptAuthent         


        

Answer 1

A few problems I found in your securityContext.xml:

1. entityId entity id does not need to point ot metadata. This is not a serious problem, but it's better to have your entity id more consice. It should be something like com:mycompany:my app. It is only used by IDP to identify your application.

2. processUrl property of samlEntryPoint
   You have in your samlEntryPoint bean. samlEntryPoint is used when accessing /login, so you application can point you to your IDP's address. /SSO is used for when your IDP sends the message back to your application, and you application use this message to get authorization and information of the user from IDP.
   In the documentation, it says filterProcessesUrl is Url this filter should get activated on. But in your samlFilter bean you have already set samlEntryPoint on /login/**. So your setting is unnecessary and incorrect.

3. failureRedirectHandler missing defaultFailureUrl property
   See example securityContext.xml for reference

4. filter on pattern /saml/metadata should be metadataDisplayFilter
   You need to display your metadata when you access this page, and give this metadata to your IDP.

In all, I think it's the second point that causes the problem you have above, and it's the most sever problem you have. You should try to fix your securityContext.xml first and see if that works. If not, try use the example securityContext.xml with minimal modificaiton to make sure your applicatoin works, and then modify the file gradually to minimize risk of breaking.