I am facing an issue while integrating my app with SAML.
The following is my error:
org.springframework.security.saml.SAMLProcessingFilter.attemptAuthent
A few problems I found in your securityContext.xml:

1. entityId: entity id does not need to point to metadata. This is not a serious problem, but it's better to have your entity id more concise. It should be something like com:mycompany:my app. It is only used by IDP to identify your application.

2. processUrl property of samlEntryPoint: You have <property name="filterProcessesUrl" value="/saml/SSO"/> in your samlEntryPoint bean. samlEntryPoint is used when accessing /login, so your application can point you to your IDP's address. /SSO is used for when your IDP sends the message back to your application, and your application uses this message to get authorization and information of the user from IDP. In the documentation, it says filterProcessesUrl is Url this filter should get activated on. But in your samlFilter bean you have already set samlEntryPoint on /login/**. So your setting is unnecessary and incorrect.

3. failureRedirectHandler missing defaultFailureUrl property: See example securityContext.xml for reference.

4. filter on pattern /saml/metadata should be metadataDisplayFilter: You need to display your metadata when you access this page, and give this metadata to your IDP.

In all, I think it's the second point that causes the problem you have above, and it's the most severe problem you have. You should try to fix your securityContext.xml first and see if that works. If not, try using the example securityContext.xml with minimal modification to make sure your application works, and then modify the file gradually to minimize risk of breaking.
To fix this issue, set the entityBaseURL property of MetadataGenerator inside the metadataGeneratorFilter bean. Code looks like this:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="http://myapp.com/myapp/saml/metadata"/>
            <property name="requestSigned" value="false"/>
            <property name="entityBaseURL" value="http://myapp.com/myapp"/>
        </bean>
    </constructor-arg>
</bean>
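A securityContext.xml fragment that applies the four points from the first answer together with the entityBaseURL fix from the second, as an added example rather than code from either answer or from the Spring Security SAML project. It assumes the beans/security namespace declarations and the authenticationManager and successRedirectHandler beans from the extension's sample configuration, and a /saml/login/** entry path.

```xml
<!-- Added example, not from the original answers. Assumes the beans/security
     namespaces plus the authenticationManager and successRedirectHandler beans
     of the extension's sample securityContext.xml. -->

<!-- 1. Concise entityId; entityBaseURL tells the generator where the app lives. -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="entityId" value="com:mycompany:myapp"/>
      <property name="entityBaseURL" value="http://myapp.com/myapp"/>
    </bean>
  </constructor-arg>
</bean>

<!-- 2. No filterProcessesUrl on the entry point: the URL it answers on is
        decided by the samlFilter chain below, not by the bean itself. -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint"/>

<!-- 3. defaultFailureUrl set, so a rejected assertion lands on an error page. -->
<bean id="failureRedirectHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
  <property name="defaultFailureUrl" value="/error"/>
</bean>

<!-- 4. /saml/metadata is served by MetadataDisplayFilter (give its output to
        the IDP); the IDP's response to /saml/SSO goes to SAMLProcessingFilter. -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>

<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
  <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</bean>

<!-- One filter per URL pattern: entry point, metadata display, SSO response. -->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
  <security:filter-chain-map request-matcher="ant">
    <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
    <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
    <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
  </security:filter-chain-map>
</bean>
```

After deploying, fetch /saml/metadata and confirm the AssertionConsumerService Location it advertises ends in /saml/SSO under the configured entityBaseURL before handing the metadata to the IDP.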