带有 OKTA 的 Spring SAML SSO - 更改 Web 应用程序上下文时的 InResponseTo
[英]Spring SAML SSO with OKTA - InResponseTo when changing web app context
问题描述
We're having a lot of trouble with OKTA SAML SSO integration with Spring Security.
我们在将 OKTA SAML SSO 与 Spring Security 集成时遇到了很多麻烦。 We're using the saml-dsl extension to Spring Security to configure the auth, and everything works fine on HTTP, however when we try to use HTTPS the authentication only works when the app is deployed on root ( / ) context.我们正在使用 Spring Security 的saml-dsl扩展来配置身份验证,并且在 HTTP 上一切正常,但是当我们尝试使用 HTTPS 时,身份验证仅在应用程序部署在根 ( / ) 上下文中时才有效。 When we change the context to anything else, it stops working and starts throwing InResponseTo field errors and sometimes with different configurations it comes to a redirect loop.当我们将上下文更改为其他任何内容时,它会停止工作并开始抛出InResponseTo字段错误,有时使用不同的配置会导致重定向循环。
Here's the configuration we're using:这是我们正在使用的配置:
http
.csrf()
.disable();
http
.sessionManagement().sessionFixation().none();
http
.logout()
.logoutSuccessUrl("/");
http
.authorizeRequests()
.antMatchers("/saml*").permitAll()
.anyRequest().authenticated()
.and()
.apply(samlConfigurer())
.serviceProvider()
.keyStore()
.storeFilePath(config.getKeystorePath())
.password(config.getKeystorePassword())
.keyname(config.getKeyAlias())
.keyPassword(config.getKeystorePassword())
.and()
.protocol("https")
.hostname(String.format("%s:%s", serverURL, config.getServerPort()))
.basePath("/"+contextRoot)
.and()
.identityProvider()
.metadataFilePath(config.getMetadataUrl());
And we should have our OKTA setup properly as well ( https://localhost:8443/ourappcontext/saml/SSO for testing, all the other stuff too )我们也应该正确设置 OKTA(https://localhost:8443/ourappcontext/saml/SSO 用于测试,所有其他内容也是如此)
We've tried most of the solutions proposed on here and the Spring documentation ( empty factory, spring session management and session fixation and so on ) and nothing seems to work.我们已经尝试了此处提出的大多数解决方案和 Spring 文档(空工厂、spring 会话管理和会话固定等),但似乎没有任何效果。 Are we doing something wrong?我们做错了什么吗? We're currently not generation any SP metadata, could it be that this is at fault and the request is somehow redirected to the wrong place or something?我们目前没有生成任何 SP 元数据,这可能是错误的,并且请求以某种方式重定向到错误的地方或其他什么? Really confused as of right now, first time using SAML and I'm not sure if it's the extension, the OKTA config or the Spring config...现在真的很困惑,第一次使用 SAML,我不确定它是扩展,OKTA 配置还是 Spring 配置......
We're deploying on Wildfly and you set the application context on there through a separate jboss-web.xml, if that matters at all.我们在 Wildfly 上进行部署,如果这很重要的话,您可以通过单独的 jboss-web.xml 在那里设置应用程序上下文。
1 个解决方案
解决方案1
0 2019-12-08 12:16:44
By default the HttpSessionStorageFactory is used and this provides HttpSessionStorage SAML message store.默认情况下使用HttpSessionStorageFactory并提供HttpSessionStorage SAML 消息存储。
--> The HTTP session cookie is the browser side key to the server side SAML message store. --> HTTP 会话 cookie 是服务器端 SAML 消息存储的浏览器端密钥。
When the HTTP session cookie is not sent by the browser when the SAML response is delivered to Spring Security SAML SP, it can not find the related SAML AuthNRequest and fails to compare 'InResponseTo' value with 'ID' value of matching AuthNRequest.当 SAML 响应传递给 Spring Security SAML SP 时浏览器未发送 HTTP 会话 cookie 时,它无法找到相关的 SAML AuthNRequest 并且无法将“InResponseTo”值与匹配 AuthNRequest 的“ID”值进行比较。
If you can not assure HTTP session cookie is delivered you may implement your own SAMLMessageStorageFactory and SAMLMessageStorage (as I did).如果你不能保证 HTTP 会话 cookie 被传递,你可以实现你自己的SAMLMessageStorageFactory和SAMLMessageStorage (就像我做的那样)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.