spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

SAML2 can't open internal redirect page in case clickjacking prevention is enabled #14054

Closed evgusha80 closed 1 year ago

evgusha80 commented 1 year ago

Describe the bug

When clickjacking prevention is enabled, it is impossible to redirect the SAML2 request to the IdP.

To Reproduce

  1. Enable clickjacking prevention.
  2. Define the SAML2 IdP provider as Okta in the Spring Boot application.
  3. Try to run the authentication flow by pointing the browser to the URL: https:///saml2/authenticate/
  4. The browser will show a blank screen and the console will present the error message: "Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' https://*.ruckuswireless.com https://cdnjs.cloudflare.com/ajax https://*.pendo.io https://fonts.googleapis.com https://maps.googleapis.com https://*.storage.googleapis.com https://*.lpsnmedia.net https://fonts.gstatic.com https://maps.gstatic.com https://lptag.liveperson.net https://*.ruckuswireless.com https://va.v.liveperson.net https://ajax.googleapis.com https://www.google-analytics.com https://static.dialogflow.com https://www.gstatic.com https://unpkg.com 'nonce-pendo-inline-script' 'nonce-fetchbot-inline-script' 'nonce-day-one-otp-form' 'nonce-login-page' 'nonce-auth-timeout' 'nonce-auth-form' 'nonce-auth-util' 'nonce-ga-inline-script' 'nonce-analytics-inline-script' 'nonce-google-map-inline-script' 'nonce-google-api-inline-script' 'nonce-sloader-inline-script' 'nonce-rc-inline-script' 'nonce-options-inline-script' 'nonce-durga-auth-error' 'nonce-durga-dynamic-chunk' 'nonce-guest-wifi4eu-inline-script' 'nonce-google-instruction-inline-script' 'nonce-guest-legacy-init-inline-script' 'nonce-guest-legacy-app-inline-script' 'nonce-guest-legacy-validator-inline-script' 'nonce-unpkg-inline-script' 'nonce-ra-inline-script'". Either the 'unsafe-inline' keyword, a hash ('sha256-oZhLbc2kO8b8oaYLrUc7uye1MgVKMyLtPqWR4WtKF+c='), or a nonce ('nonce-...') is required to enable inline execution."

After investigation, it looks like the issue is related to the metadata returned from Okta: " "

The issue is in org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter, which produces this page as part of this method: private String createSamlPostRequestFormData(Saml2PostAuthenticationRequest authenticationRequest)

Expected behavior

The redirect to the IdP login page should happen without the issues described above.

Sample

I can't provide our enterprise application, but the issue can also be reproduced in the demo application here: https://github.com/oktadev/okta-spring-boot-saml-example by changing the domain and enabling clickjacking prevention.

marcusdacoregio commented 1 year ago

Hi, @evgusha80.

If you take a look at the class that you mentioned, you can see that it includes the required Content-Security-Policy meta tag in the generated HTML. Might it be possible that the tag is being replaced in your production environment? The hash even matches the hash that the error message provides.
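The point of the reply above is that a browser enforces every Content-Security-Policy it receives for a page (the meta tag in the generated HTML and any header the deployment adds), and an inline script runs only if each of them allows it. The following is an added example, not code from Spring Security or from the maintainer: it computes the CSP hash source expression for an inline script body and checks it against one or more policies the way a browser would. The script body and both policy strings are constructed here for illustration; the real auto-submit script and hash are not reproduced.

```python
import base64
import hashlib
from typing import Dict, List

# Constructed stand-in for the inline auto-submit script of a SAML POST-binding form.
INLINE_SCRIPT = "window.onload = function() { document.forms[0].submit(); }"


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for an inline script.

    Browsers hash the exact UTF-8 bytes between <script> and </script>, so any
    whitespace change by a template engine or proxy yields a different value.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_script_allowed(policy: str, script_body: str) -> bool:
    """Decide whether one policy lets an inline <script> without a nonce attribute run."""
    directives = parse_csp(policy)
    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = directives.get("script-src", directives.get("default-src", []))
    if not sources:
        return True  # nothing restricts script execution in this policy
    quoted = {s.strip("'") for s in sources}
    has_nonce_or_hash = any(
        q.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for q in quoted
    )
    # 'unsafe-inline' is ignored by browsers once a nonce or hash is present.
    if "unsafe-inline" in quoted and not has_nonce_or_hash:
        return True
    return any(csp_hash(script_body, a) in quoted for a in ("sha256", "sha384", "sha512"))


def allowed_by_all(policies: List[str], script_body: str) -> bool:
    """A page with several policies (meta tag plus header) must satisfy all of them."""
    return all(inline_script_allowed(p, script_body) for p in policies)


def demo() -> Dict[str, bool]:
    # Constructed policy like the one the generated page itself carries: it names the
    # hash of the exact script it embeds.
    meta_policy = f"script-src '{csp_hash(INLINE_SCRIPT)}'"
    # Constructed header policy in the style of the one quoted in the report: host
    # allow-list plus nonces for the deployment's own scripts, but no hash for the
    # framework-generated script.
    header_policy = (
        "script-src 'unsafe-eval' 'self' https://cdn.example.invalid "
        "'nonce-login-page' 'nonce-auth-form'"
    )
    return {
        "meta_alone": inline_script_allowed(meta_policy, INLINE_SCRIPT),
        "header_alone": inline_script_allowed(header_policy, INLINE_SCRIPT),
        "both": allowed_by_all([meta_policy, header_policy], INLINE_SCRIPT),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

Run against the constructed inputs, the meta policy alone allows the script, the header policy alone blocks it, and the combination blocks it, which is the symptom in the report. The practical check in a deployment is therefore to compare the `sha256-...` value the browser prints in its error against `csp_hash()` of the exact script body served, and to make sure every policy layer (application, reverse proxy, CDN) either carries that hash or does not override the generated page's own policy.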

evgusha80 commented 1 year ago

Hello @marcusdacoregio, thanks for the quick reply and for pointing to the root cause. I've applied the suggestion in our production and the fix is working fine. You can resolve the ticket. Thanks, Evgeny