ulisesbocchio / spring-boot-security-saml

spring-security-saml integration with Spring Boot
MIT License

org.opensaml.common.SAMLException: Unsupported request #33

Closed MardariG closed 7 years ago

MardariG commented 7 years ago

Not sure if it's a configuration issue. If so, feel free to close the issue. Below is the detailed log.

```
2017-07-21 10:04:16.683 DEBUG 20992 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-07-21 10:04:16.685 DEBUG 20992 --- [io-8080-exec-10] PROTOCOL_MESSAGE : <?xml version="1.0" encoding="UTF-8"?>
https://mgb.odimm.md G7u5raDtDCmCxfapw74wwRPKRlo= xxx xxx
2017-07-21 10:04:16.686 DEBUG 20992 --- [io-8080-exec-10] o.o.w.m.encoder.BaseMessageEncoder : Successfully encoded message.
2017-07-21 10:04:16.686 DEBUG 20992 --- [io-8080-exec-10] o.s.s.saml.storage.HttpSessionStorage : Storing message a1eeig54b8i8d3ie7c66f835g8af5e to session D8D8D3C4E4EAD3682E7FFAE94EF10AE8
2017-07-21 10:04:16.688 INFO 20992 --- [io-8080-exec-10] o.s.security.saml.log.SAMLDefaultLogger : AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;https://mgb.odimm.md;https://testmpass.gov.md;;;
2017-07-21 10:04:16.688 DEBUG 20992 --- [io-8080-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-07-21 10:04:22.412 DEBUG 20992 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-07-21 10:04:22.412 DEBUG 20992 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@4babfbe8. A new one will be created.
2017-07-21 10:04:22.412 DEBUG 20992 --- [nio-8080-exec-1] o.s.security.saml.SAMLProcessingFilter : Request is to process authentication
2017-07-21 10:04:22.412 DEBUG 20992 --- [nio-8080-exec-1] o.s.security.saml.SAMLProcessingFilter : Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
2017-07-21 10:04:22.413 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://mgb.odimm.md
2017-07-21 10:04:22.413 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://mgb.odimm.md
2017-07-21 10:04:22.413 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.AbstractMetadataProvider : Metadata document did not contain a descriptor for entity https://mgb.odimm.md
2017-07-21 10:04:22.413 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.AbstractMetadataProvider : Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity https://mgb.odimm.md
2017-07-21 10:04:22.413 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.AbstractMetadataProvider : Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity https://mgb.odimm.md
2017-07-21 10:04:22.413 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://mgb.odimm.md
2017-07-21 10:04:22.413 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://mgb.odimm.md
2017-07-21 10:04:22.414 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.c.KeyStoreCredentialResolver : Building credential from keystore entry for entityID 1, usage type UNSPECIFIED
2017-07-21 10:04:22.414 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.c.KeyStoreCredentialResolver : Processing PrivateKeyEntry from keystore
2017-07-21 10:04:22.414 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-07-21 10:04:22.414 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.c.KeyStoreCredentialResolver : Building credential from keystore entry for entityID 1, usage type UNSPECIFIED
2017-07-21 10:04:22.416 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.c.KeyStoreCredentialResolver : Processing PrivateKeyEntry from keystore
2017-07-21 10:04:22.416 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-07-21 10:04:22.416 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.parse.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
2017-07-21 10:04:22.416 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.parse.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
2017-07-21 10:04:22.417 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.parse.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
2017-07-21 10:04:22.418 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.saml.processor.SAMLProcessorImpl : Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-07-21 10:04:22.422 DEBUG 20992 --- [nio-8080-exec-1] o.o.w.m.decoder.BaseMessageDecoder : Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
2017-07-21 10:04:22.422 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.binding.decoding.HTTPPostDecoder : Decoded SAML relay state of: null
2017-07-21 10:04:22.422 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.binding.decoding.HTTPPostDecoder : Getting Base64 encoded message from request
2017-07-21 10:04:22.423 DEBUG 20992 --- [nio-8080-exec-1] o.o.w.m.decoder.BaseMessageDecoder : Parsing message stream into DOM document
2017-07-21 10:04:22.424 DEBUG 20992 --- [nio-8080-exec-1] o.o.w.m.decoder.BaseMessageDecoder : Unmarshalling message DOM
2017-07-21 10:04:22.438 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Starting to unmarshall Apache XML-Security-based SignatureImpl element
2017-07-21 10:04:22.438 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Constructing Apache XMLSignature object
2017-07-21 10:04:22.439 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Adding canonicalization and signing algorithms, and HMAC output length to Signature
2017-07-21 10:04:22.439 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.SignatureUnmarshaller : Adding KeyInfo to Signature
2017-07-21 10:04:22.454 DEBUG 20992 --- [nio-8080-exec-1] o.o.w.m.decoder.BaseMessageDecoder : Message succesfully unmarshalled
2017-07-21 10:04:22.454 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.binding.decoding.HTTPPostDecoder : Decoded SAML message
2017-07-21 10:04:22.454 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.b.d.BaseSAML2MessageDecoder : Extracting ID, issuer and issue instant from status response
2017-07-21 10:04:22.454 DEBUG 20992 --- [nio-8080-exec-1] PROTOCOL_MESSAGE : https://testmpass.gov.md https://testmpass.gov.md 2005020081394 https://mgb.odimm.md urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Grigore Mardari
2017-07-21 10:04:22.457 DEBUG 20992 --- [nio-8080-exec-1] o.o.w.m.decoder.BaseMessageDecoder : Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
2017-07-21 10:04:22.457 DEBUG 20992 --- [nio-8080-exec-1] aseSAMLSimpleSignatureSecurityPolicyRule : Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
2017-07-21 10:04:22.457 DEBUG 20992 --- [nio-8080-exec-1] aseSAMLSimpleSignatureSecurityPolicyRule : HTTP request was not signed via simple signature mechanism, skipping
2017-07-21 10:04:22.458 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.SAMLSignatureProfileValidator : Saw Enveloped signature transform
2017-07-21 10:04:22.458 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.SAMLSignatureProfileValidator : Saw Exclusive C14N signature transform
2017-07-21 10:04:22.458 DEBUG 20992 --- [nio-8080-exec-1] colMessageXMLSignatureSecurityPolicyRule : Attempting to verify signature on signed SAML protocol message using context issuer message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2017-07-21 10:04:22.458 DEBUG 20992 --- [nio-8080-exec-1] o.o.security.MetadataCredentialResolver : Forcing on-demand metadata provider refresh if necessary
2017-07-21 10:04:22.460 DEBUG 20992 --- [nio-8080-exec-1] o.o.security.MetadataCredentialResolver : Attempting to retrieve credentials from cache using index: [https://testmpass.gov.md,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-07-21 10:04:22.460 DEBUG 20992 --- [nio-8080-exec-1] o.o.security.MetadataCredentialResolver : Unable to retrieve credentials from cache using index: [https://testmpass.gov.md,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-07-21 10:04:22.460 DEBUG 20992 --- [nio-8080-exec-1] o.o.security.MetadataCredentialResolver : Attempting to retrieve credentials from metadata for entity: https://testmpass.gov.md
2017-07-21 10:04:22.460 DEBUG 20992 --- [nio-8080-exec-1] o.o.security.MetadataCredentialResolver : Retrieving metadata for entity 'https://testmpass.gov.md' in role '{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor' for protocol 'urn:oasis:names:tc:SAML:2.0:protocol'
2017-07-21 10:04:22.460 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://testmpass.gov.md
2017-07-21 10:04:22.460 DEBUG 20992 --- [nio-8080-exec-1] o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://testmpass.gov.md
2017-07-21 10:04:22.461 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Found 0 key names: []
2017-07-21 10:04:22.461 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
2017-07-21 10:04:22.462 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-07-21 10:04:22.462 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-07-21 10:04:22.462 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-07-21 10:04:22.462 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Attempting to extract credential from an X509Data
2017-07-21 10:04:22.495 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Found 1 X509Certificates
2017-07-21 10:04:22.495 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Found 0 X509CRLs
2017-07-21 10:04:22.495 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Single certificate was present, treating as end-entity certificate
2017-07-21 10:04:22.496 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-07-21 10:04:22.496 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : A total of 1 credentials were resolved
2017-07-21 10:04:22.496 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2017-07-21 10:04:22.496 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.s.t.MetadataCredentialResolver : Added 1 credentials resolved from metadata of entity https://testmpass.gov.md
2017-07-21 10:04:22.496 DEBUG 20992 --- [nio-8080-exec-1] o.o.security.MetadataCredentialResolver : Added new credential collection to cache with key: [https://testmpass.gov.md,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to verify signature and establish trust using KeyInfo-derived credentials
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Found 0 key names: []
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-07-21 10:04:22.497 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Attempting to extract credential from an X509Data
2017-07-21 10:04:22.499 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Found 1 X509Certificates
2017-07-21 10:04:22.499 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Found 0 X509CRLs
2017-07-21 10:04:22.499 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.k.p.InlineX509DataProvider : Single certificate was present, treating as end-entity certificate
2017-07-21 10:04:22.499 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-07-21 10:04:22.499 DEBUG 20992 --- [nio-8080-exec-1] k.BasicProviderKeyInfoCredentialResolver : A total of 1 credentials were resolved
2017-07-21 10:04:22.499 DEBUG 20992 --- [nio-8080-exec-1] .c.c.EvaluableCredentialCriteriaRegistry : Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2017-07-21 10:04:22.500 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.signature.SignatureValidator : Attempting to validate signature using key from supplied credential
2017-07-21 10:04:22.500 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.signature.SignatureValidator : Creating XMLSignature object
2017-07-21 10:04:22.500 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.signature.SignatureValidator : Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
2017-07-21 10:04:22.500 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.signature.SignatureValidator : Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2017-07-21 10:04:22.502 DEBUG 20992 --- [nio-8080-exec-1] o.o.xml.signature.SignatureValidator : Signature validated with key from supplied credential
2017-07-21 10:04:22.502 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
2017-07-21 10:04:22.502 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
2017-07-21 10:04:22.502 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
2017-07-21 10:04:22.502 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.trust.ExplicitKeyTrustEvaluator : Successfully validated untrusted credential against trusted key
2017-07-21 10:04:22.502 DEBUG 20992 --- [nio-8080-exec-1] o.o.x.s.impl.BaseSignatureTrustEngine : Successfully established trust of KeyInfo-derived credential
2017-07-21 10:04:22.502 INFO 20992 --- [nio-8080-exec-1] colMessageXMLSignatureSecurityPolicyRule : Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2017-07-21 10:04:22.504 DEBUG 20992 --- [nio-8080-exec-1] colMessageXMLSignatureSecurityPolicyRule : Authentication via protocol message signature succeeded for context issuer entity ID https://testmpass.gov.md
2017-07-21 10:04:22.504 DEBUG 20992 --- [nio-8080-exec-1] o.o.w.m.decoder.BaseMessageDecoder : Successfully decoded message.
2017-07-21 10:04:22.504 DEBUG 20992 --- [nio-8080-exec-1] o.o.c.b.decoding.BaseSAMLMessageDecoder : Checking SAML message intended destination endpoint against receiver endpoint
2017-07-21 10:04:22.504 DEBUG 20992 --- [nio-8080-exec-1] o.o.c.b.decoding.BaseSAMLMessageDecoder : Intended message destination endpoint: https://localhost:8080//saml/SSO
2017-07-21 10:04:22.504 DEBUG 20992 --- [nio-8080-exec-1] o.o.c.b.decoding.BaseSAMLMessageDecoder : Actual message receiver endpoint: https://localhost:8080//saml/SSO
2017-07-21 10:04:22.504 DEBUG 20992 --- [nio-8080-exec-1] o.o.c.b.decoding.BaseSAMLMessageDecoder : SAML message intended destination endpoint matched recipient endpoint
2017-07-21 10:04:22.505 DEBUG 20992 --- [nio-8080-exec-1] o.s.security.saml.util.SAMLUtil : Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@2049f845 for request URL https://localhost:8080//saml/SSO based on location attribute in metadata
2017-07-21 10:04:22.505 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.saml.storage.HttpSessionStorage : Message a1eeig54b8i8d3ie7c66f835g8af5e found in session D8D8D3C4E4EAD3682E7FFAE94EF10AE8, clearing
2017-07-21 10:04:22.506 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.s.w.WebSSOProfileConsumerImpl : Verifying issuer of the Response
2017-07-21 10:04:22.506 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.s.w.WebSSOProfileConsumerImpl : Processing Bearer subject confirmation
2017-07-21 10:04:22.506 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.s.w.WebSSOProfileConsumerImpl : Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@59e93ab1 against requested null
2017-07-21 10:04:22.506 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.s.w.WebSSOProfileConsumerImpl : Validation of authentication statement in assertion _2358c5d3-e26d-e711-80d3-0050568b6854 was successful
2017-07-21 10:04:22.506 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.s.w.WebSSOProfileConsumerImpl : Including attribute FirstName from assertion _2358c5d3-e26d-e711-80d3-0050568b6854
2017-07-21 10:04:22.506 DEBUG 20992 --- [nio-8080-exec-1] o.s.s.s.w.WebSSOProfileConsumerImpl : Including attribute LastName from assertion _2358c5d3-e26d-e711-80d3-0050568b6854
2017-07-21 10:04:22.508 INFO 20992 --- [nio-8080-exec-1] o.s.security.saml.log.SAMLDefaultLogger : AuthNResponse;SUCCESS;0:0:0:0:0:0:0:1;https://mgb.odimm.md;https://testmpass.gov.md;2005020081394;;
2017-07-21 10:04:22.508 DEBUG 20992 --- [nio-8080-exec-1] o.s.security.saml.SAMLProcessingFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@5106910e: Principal: com.github.ulisesbocchio.demo.Auth0SSODemoApplication$1$1@67f44a27; Credentials: [PROTECTED]; Authenticated: true; Details: com.github.ulisesbocchio.demo.Auth0SSODemoApplication$1$1@67f44a27; Granted Authorities: ROLE_USER
2017-07-21 10:04:22.509 DEBUG 20992 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@5106910e: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@5106910e: Principal: com.github.ulisesbocchio.demo.Auth0SSODemoApplication$1$1@67f44a27; Credentials: [PROTECTED]; Authenticated: true; Details: com.github.ulisesbocchio.demo.Auth0SSODemoApplication$1$1@67f44a27; Granted Authorities: ROLE_USER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@4babfbe8
2017-07-21 10:04:22.509 DEBUG 20992 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@5106910e: Authentication: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@5106910e: Principal: com.github.ulisesbocchio.demo.Auth0SSODemoApplication$1$1@67f44a27; Credentials: [PROTECTED]; Authenticated: true; Details: com.github.ulisesbocchio.demo.Auth0SSODemoApplication$1$1@67f44a27; Granted Authorities: ROLE_USER'
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.s.security.saml.SAMLProcessingFilter : Request is to process authentication
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.s.security.saml.SAMLProcessingFilter : Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://mgb.odimm.md
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://mgb.odimm.md
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.o.s.m.p.AbstractMetadataProvider : Metadata document did not contain a descriptor for entity https://mgb.odimm.md
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.o.s.m.p.AbstractMetadataProvider : Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity https://mgb.odimm.md
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.o.s.m.p.AbstractMetadataProvider : Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity https://mgb.odimm.md
2017-07-21 10:04:22.515 DEBUG 20992 --- [nio-8080-exec-2] o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://mgb.odimm.md
2017-07-21 10:04:22.516 DEBUG 20992 --- [nio-8080-exec-2] o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://mgb.odimm.md
2017-07-21 10:04:22.516 DEBUG 20992 --- [nio-8080-exec-2] o.o.x.s.c.KeyStoreCredentialResolver : Building credential from keystore entry for entityID 1, usage type UNSPECIFIED
2017-07-21 10:04:22.516 DEBUG 20992 --- [nio-8080-exec-2] o.o.x.s.c.KeyStoreCredentialResolver : Processing PrivateKeyEntry from keystore
2017-07-21 10:04:22.516 DEBUG 20992 --- [nio-8080-exec-2] .c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-07-21 10:04:22.516 DEBUG 20992 --- [nio-8080-exec-2] o.o.x.s.c.KeyStoreCredentialResolver : Building credential from keystore entry for entityID 1, usage type UNSPECIFIED
2017-07-21 10:04:22.516 DEBUG 20992 --- [nio-8080-exec-2] o.o.x.s.c.KeyStoreCredentialResolver : Processing PrivateKeyEntry from keystore
2017-07-21 10:04:22.516 DEBUG 20992 --- [nio-8080-exec-2] .c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-07-21 10:04:22.517 DEBUG 20992 --- [nio-8080-exec-2] o.o.xml.parse.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
2017-07-21 10:04:22.517 DEBUG 20992 --- [nio-8080-exec-2] o.o.xml.parse.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
2017-07-21 10:04:22.517 DEBUG 20992 --- [nio-8080-exec-2] o.o.xml.parse.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
2017-07-21 10:04:22.520 DEBUG 20992 --- [nio-8080-exec-2] o.s.security.saml.SAMLProcessingFilter : Incoming SAML message is invalid
org.opensaml.common.SAMLException: Unsupported request
    at org.springframework.security.saml.processor.SAMLProcessorImpl.getBinding(SAMLProcessorImpl.java:265)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.saml.metadata.MetadataDisplayFilter.doFilter(MetadataDisplayFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    common frames omitted
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
2017-07-21 10:04:22.525 DEBUG 20992 --- [nio-8080-exec-2] o.s.security.saml.SAMLProcessingFilter : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:91)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.saml.metadata.MetadataDisplayFilter.doFilter(MetadataDisplayFilter.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: Unsupported request
    at org.springframework.security.saml.processor.SAMLProcessorImpl.getBinding(SAMLProcessorImpl.java:265)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
    at
```
org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80) ... 54 common frames omitted 2017-07-21 10:04:22.530 DEBUG 20992 --- [nio-8080-exec-2] o.s.security.saml.SAMLProcessingFilter : Updated SecurityContextHolder to contain null Authentication 2017-07-21 10:04:22.530 DEBUG 20992 --- [nio-8080-exec-2] o.s.security.saml.SAMLProcessingFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@13cce2d8 2017-07-21 10:04:22.531 DEBUG 20992 --- [nio-8080-exec-2] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 2017-07-21 10:04:22.531 DEBUG 20992 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed` And this are my configurations: WebSSOProfileOptions profileOptions = new WebSSOProfileOptions(); profileOptions.setIncludeScoping(false); profileOptions.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); profileOptions.setAssertionConsumerIndex(0); serviceProvider .metadataGenerator() .entityBaseURL("https://localhost:8080/") .entityId("https://mgb.odimm.md") .includeDiscoveryExtension(false) .bindingsSSO("post") .and() .sso() .profileOptions(profileOptions) .defaultSuccessURL("/saml/SSO") .and() .metadataManager() .metadataLocations("https://testmpass.gov.md/meta/saml") .refreshCheckInterval(0) .and() .extendedMetadata() .and() .keyManager() .storeLocation("classpath:/alice.jks") .storePass("123456") .defaultKey("1") .keyPassword("1", "123456") .and() .authenticationProvider() .userDetailsService(userDetailsService);
ulisesbocchio commented 7 years ago

is this the legit response you're getting?

```xml
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://mgb.odimm.md</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#a1eeig54b8i8d3ie7c66f835g8af5e">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>G7u5raDtDCmCxfapw74wwRPKRlo=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>xxx</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>xxx</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
```

doesn't look right...

MardariG commented 7 years ago

I think the data was changed in the copy-paste process. The error was because I had used the wrong URL for 'defaultSuccessURL'. I removed this line from the configuration and it worked.
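As an added illustration (not the project's code and not posted by anyone in this thread): a simplified Java model of the binding selection behind the `SAMLException: Unsupported request` in the stack trace above, showing why a plain redirect to the SAML processing endpoint, which is what `defaultSuccessURL("/saml/SSO")` produces, has no binding to decode it. The `Inbound` and `Binding` types and the two `supports` checks are hypothetical stand-ins, not `SAMLProcessorImpl`'s own source.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Added illustration, not spring-security-saml's own code: a simplified model of how a
// SAML processor picks a binding for an inbound request and fails with "Unsupported
// request" (the exception in this thread) when no configured binding accepts it.
public class BindingSelectionDemo {

    /** Hypothetical stand-in for the inbound HTTP transport: method plus parameters. */
    record Inbound(String method, Map<String, String> params) {
        boolean hasSamlMessage() {
            return params.containsKey("SAMLRequest") || params.containsKey("SAMLResponse");
        }
    }

    /** A binding is a name plus the test it applies to the inbound transport. */
    record Binding(String name, Predicate<Inbound> supports) {}

    // HTTP-POST expects a POST carrying a SAMLRequest/SAMLResponse form field;
    // HTTP-Redirect expects a GET carrying one of them as a query parameter.
    static final List<Binding> BINDINGS = List.of(
        new Binding("HTTP-POST", in -> "POST".equalsIgnoreCase(in.method()) && in.hasSamlMessage()),
        new Binding("HTTP-Redirect", in -> "GET".equalsIgnoreCase(in.method()) && in.hasSamlMessage())
    );

    static String getBinding(Inbound in) {
        for (Binding b : BINDINGS) {
            if (b.supports().test(in)) {
                return b.name();
            }
        }
        throw new IllegalStateException("Unsupported request");
    }

    public static void main(String[] args) {
        // The IdP posting its response to /saml/SSO: the POST binding accepts it.
        System.out.println(getBinding(new Inbound("POST", Map.of("SAMLResponse", "<constructed>"))));

        // The success handler redirecting the browser to /saml/SSO, as
        // defaultSuccessURL("/saml/SSO") does: a bare GET with no SAML message,
        // so the filter mapped to /saml/SSO has no binding that can decode it.
        try {
            getBinding(new Inbound("GET", Map.of()));
        } catch (IllegalStateException e) {
            System.out.println("GET /saml/SSO without SAMLRequest/SAMLResponse -> " + e.getMessage());
        }
    }
}
```

The practical check this suggests is that the post-login success URL must never be the SAML processing endpoint itself; removing `defaultSuccessURL("/saml/SSO")`, as in the resolution above, sends the browser somewhere the SAML filter does not intercept.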