Closed shubhamwankh closed 4 weeks ago
Thanks for the report, @shubhamwankh. The reproducer is helpful, and it also generates a question.
To navigate to /login/saml2/sso/okta without a SAMLResponse is an error. Perhaps the error message needs improvement; however, can you elaborate on when you need to navigate to that URL in the way you described?
@jzheaux In our project we have multiple login options and SAML is one of them. We have configured the above URL (/login/saml2/sso/okta) for SAML SSO login if the user is not logged in already; we cannot change it as of now.
The same URL was working previously because access was denied for the URL (/login/saml2/sso/okta) if the user was not authenticated, and the user was redirected to the login page through ExceptionTranslationFilter, and we are expecting to continue with the same URL.
I can see why you'd want things to stay working as they were for you, @shubhamwankh. Sometimes these things happen across a major release upgrade. Let me see what I can do to help here.
In reviewing the documentation, I found the following:
> As configured earlier, the application processes any POST /login/saml2/sso/{registrationId} request containing a SAMLResponse parameter:
```
POST /login/saml2/sso/adfs HTTP/1.1
SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZ...
```
While the above documentation is the most recent, the same is stated in [the 5.7 docs](https://docs.spring.io/spring-security/reference/5.7/servlet/saml2/login/overview.html#_runtime_expectations).
In other words, `/login/saml2/sso/okta` is the endpoint that Okta should POST to. Other uses of this endpoint aren't supported.
To induce login, the endpoint is [`/saml2/authenticate/okta`](https://docs.spring.io/spring-security/reference/servlet/saml2/login/authentication-requests.html).
The docs also contain a summary of all [the default SAML 2.0 URIs](https://docs.spring.io/spring-security/reference/5.7/servlet/saml2/login/overview.html#servlet-saml2login-rpr-uripatterns).
----
Are you able to correct your application to redirect unauthenticated users to `/saml2/authenticate/okta`? Note that when I do this with your sample, it redirects correctly to Okta.
If not, you can create a post-processor for the filter like so:
```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.stereotype.Component;

@Component
public class Saml2WebSsoAuthenticationFilterPostProcessor
        implements ObjectPostProcessor<Saml2WebSsoAuthenticationFilter> {

    private final RelyingPartyRegistrationRepository registrations;

    public Saml2WebSsoAuthenticationFilterPostProcessor(RelyingPartyRegistrationRepository registrations) {
        this.registrations = registrations;
    }

    @Override
    public Saml2WebSsoAuthenticationFilter postProcess(Saml2WebSsoAuthenticationFilter object) {
        // Replace the auto-configured filter with one that only claims the
        // request when a SAMLResponse parameter is actually present
        return new Saml2WebSsoAuthenticationFilter(this.registrations) {
            @Override
            protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
                // bypass filter if SAMLResponse not present
                return super.requiresAuthentication(request, response)
                        && request.getParameter(Saml2ParameterNames.SAML_RESPONSE) != null;
            }
        };
    }
}
```
And then provide that post-processor to your saml2Login configuration:
```diff
@Bean
- SecurityFilterChain configure(HttpSecurity http) throws Exception {
+ SecurityFilterChain configure(HttpSecurity http, Saml2WebSsoAuthenticationFilterPostProcessor p) throws Exception {
// ...
.saml2Login(saml2 -> saml2
.authenticationManager(new ProviderManager(authenticationProvider))
+ .addObjectPostProcessor(p)
)
// ...
}
```
I've submitted a PR to your repo so that you can review this suggestion, though I hope that you will be able to update your application to point to /saml2/authenticate/okta instead.
I think that the error handling in Saml2WebSsoAuthenticationFilter can also be improved. Other Spring Security endpoints allow the request to pass through the rest of the filter chain when the needed request parameters (like SAMLResponse) aren't present. I've opened https://github.com/spring-projects/spring-security/issues/16000 to address this.
Thank you very much @jzheaux for the solution.
Describe the bug
I've migrated from Spring Boot 2.7.18 to Spring Boot 3.3.4. I have SAML 2.0 with OpenSAML in my project; previously I used to redirect to the SAML login page using /login/saml2/sso/okta, but after migrating the URL is not working and is directly returning 404. I've checked and found that the request is directly going to Saml2WebSsoAuthenticationRequestFilter and then to OpenSamlAuthenticationRequestResolver.resolve(-,-), which uses a request matcher for /saml2/authenticate/{registrationId}, and since the login URL does not match, the authentication is set as null and it's giving the page below. The "no relying party definition found" is because of the favicon.ico call; ignore it. I've checked and the relying party configs are already present.
Here is the stack trace:
To Reproduce
Here is the SAML GitHub POC project: https://github.com/shubhamwankh/SamlPoc
To reproduce, make a request to 'http://localhost:8080/login/saml2/sso/okta'.
Expected behavior
After hitting the above URL it should redirect to the Okta login page.
Sample
A link to a GitHub repository with a minimal, reproducible sample.
Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.