InResponseToField doesn't correspond to sent message
  • #16
    Hi,

    Usage of the EmptyStorageFactory is described earlier in this thread, you might want to refer to it - in short, you use the factory as a property in the context provider, e.g.:

    Code:
    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
      <property name="storageFactory" value="org.springframework.security.saml.storage.EmptyStorageFactory"/>
    </bean>
    The InResponseTo field helps in preventing replay attacks (someone steals a valid SAML response and sends it once again to the SP, which creates a new session). There are also other mechanisms to prevent this in place (e.g. checking of assertion validity). I don't think that disabling this has a high risk (provided SSL/TLS is used for all transport). In case the Artifact binding is used it should be completely safe to disable the InResponseTo checking altogether.

    Some solutions you can use:

    - stick to https for both request and response - the preferred solution
    - use the EmptyStorageFactory, ideally in combination with Artifact binding to disable checking of the field
    - disable the "secure" flag on your session cookie which will make it shared for both http and https requests, some advice e.g. here http://support.filecatalyst.com/inde...and-securetrue

    You can also check http://tinyurl.com/3f9s4rb for more information.

    Vladi

    Comment
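    The InResponseTo check that Vladi describes in #16, as an added example that is not part of this thread or of the Spring Security SAML code base: a small Python model of an SP that remembers the IDs of the AuthnRequests it sent in the caller's server-side session and compares the InResponseTo of each incoming Response against them. The names Session, ServiceProvider, login_round_trip and replay_outcome are constructed for this example; the per-session store only approximates the library's HttpSessionStorage, and store_requests=False approximates the EmptyStorageFactory (no storage, so nothing to compare against and the check is skipped). The validity window is reduced to a single NotOnOrAfter comparison on integer timestamps.

```python
import secrets
from dataclasses import dataclass, field


class SAMLValidationError(Exception):
    """Raised when the SP rejects a SAML Response (the SP would answer HTTP 401)."""


@dataclass
class Session:
    """Server-side HTTP session holding the IDs of AuthnRequests sent from it.

    Constructed stand-in for a per-session message store; it follows the
    thread's description rather than the library's own implementation.
    """
    outstanding_request_ids: set = field(default_factory=set)


class ServiceProvider:
    def __init__(self, store_requests: bool = True) -> None:
        # store_requests=False models the EmptyStorageFactory: request IDs are
        # never stored, so the InResponseTo comparison cannot be performed.
        self.store_requests = store_requests

    def send_authn_request(self, session: Session) -> str:
        """Issue an AuthnRequest ID and remember it in the current session."""
        request_id = "_" + secrets.token_hex(16)
        if self.store_requests:
            session.outstanding_request_ids.add(request_id)
        return request_id

    def receive_response(self, session: Session, in_response_to: str,
                         not_on_or_after: int, now: int) -> str:
        """Validate a Response; returns an 'accepted' string or raises."""
        if now >= not_on_or_after:
            raise SAMLValidationError("Assertion is no longer valid (NotOnOrAfter)")
        if not self.store_requests:
            return "accepted (InResponseTo not checked)"
        if in_response_to not in session.outstanding_request_ids:
            raise SAMLValidationError(
                "InResponseToField doesn't correspond to sent message")
        # One-time use: a second delivery of the same Response no longer matches.
        session.outstanding_request_ids.discard(in_response_to)
        return "accepted"


def login_round_trip(shared_session: bool, store_requests: bool) -> str:
    """The AuthnRequest leaves over http, the Response comes back over https.

    shared_session=False models the problem in this thread: the two legs land
    in different server-side sessions (e.g. a session cookie with the 'secure'
    flag that the browser does not present on the http leg), so the stored
    request ID is not found on the https leg.
    """
    sp = ServiceProvider(store_requests)
    http_session = Session()
    https_session = http_session if shared_session else Session()
    request_id = sp.send_authn_request(http_session)
    try:
        return sp.receive_response(https_session, request_id,
                                   not_on_or_after=300, now=10)
    except SAMLValidationError as exc:
        return f"rejected: {exc}"


def replay_outcome(store_requests: bool) -> str:
    """Deliver the same, still valid, Response twice within one session."""
    sp = ServiceProvider(store_requests)
    session = Session()
    request_id = sp.send_authn_request(session)
    sp.receive_response(session, request_id, not_on_or_after=300, now=10)
    try:
        return sp.receive_response(session, request_id, not_on_or_after=300, now=20)
    except SAMLValidationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("same session, storage on :", login_round_trip(True, True))
    print("split session, storage on:", login_round_trip(False, True))
    print("split session, storage off:", login_round_trip(False, False))
    print("replay, storage on        :", replay_outcome(True))
    print("replay, storage off       :", replay_outcome(False))
```

    The split-session case reproduces the error in this thread's title even though the Response is genuine; disabling the store makes that case pass, but the replay scenario shows what is given up: within the assertion's validity window the same Response is accepted twice, which is why the first recommendation in #16 is to keep both legs on https so the session is shared and the check can stay on.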


    • #17
      I tried this case:
      Code:
      <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
        <property name="storageFactory" value="org.springframework.security.saml.storage.EmptyStorageFactory"/>
      </bean>
      but HTTP Status 404 appeared and the app doesn't start

      Comment


      • #18
        Then try this instead:

        Code:
        <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
            <property name="storageFactory">
                <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
            </property>
        </bean>

        Comment


        • #19
          Code:
          <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
              <property name="storageFactory">
                  <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
              </property>
          </bean>
          Yes, it works on the test server without https.
          But when I switched on https it crashed.
          I use https via Apache 2.2. The server listens on port 80 and redirects requests/responses to Tomcat via http on port 8080.
          As I understood, the EmptyStorageFactory should solve this problem, but...(

          Also I have read in the documentation:
          In case you use automatically generated metadata make sure to configure entityBaseUrl matching the front-end URL in your metadataGeneratorFilter bean
          I tried to write in the metadataGeneratorFilter a value like "https://testserver/crs", "http://testserver:80/crs" and "http://testserver/crs", but it also doesn't work. As I know, I have to set the endpoint where Tomcat must receive the SAML message. And if I put entityBaseUrl = "http://testserver:80/crs", the SAML message must come to that point, and after that Apache 2.2, which is listening on port 80, must redirect this message to Tomcat on port 8080 over http. Finally Tomcat must process the message. But it doesn't work. Instead I received the error HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid, and the log looks like this (attached file)

          Actually I want to solve the problem in one of two ways: either using the empty factory or writing a correct value in the entityBaseUrl.
          Last edited by postullat; Aug 16th, 2013, 07:26 AM.

          Comment


          • #20
            I think that you haven't configured your system for load balancing/proxying as described in chapter 4.14 of the manual. You need to tell the SAML extension that the public URL (at your Apache) is different from the local URL (at your Tomcat directly).

            The EmptyStorageFactory is not supposed to solve this; EmptyStorageFactory solves the problem when the user switches from http to https.

            Comment


            • #21
              Yes, I haven't configured my app correctly. I just forgot to use the SAMLContextProviderLB bean instead of SAMLContextProviderImpl =)
              Now I have the following piece of configuration

              Code:
              <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
                  <property name="scheme" value="https"/>
                  <property name="serverName" value="10.25.11.139"/>
                  <property name="serverPort" value="443"/>
                  <property name="includeServerPortInRequestURL" value="false"/>
                  <property name="contextPath" value="/crs"/>
              </bean>

              <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
                  <constructor-arg>
                      <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                          <property name="bindingsSSO"><list><value>POST</value></list></property>
                          <property name="bindingsSLO"><list><value>Redirect</value><value>POST</value></list></property>
                          <property name="bindingsHoKSSO"><list/></property>
                          <property name="includeDiscovery" value="false"/>
                          <property name="keyManager" ref="keyManager"/>
                          <property name="entityId" value="${saml-sp-name-id}"/>
                          <property name="entityBaseURL" value="https://10.25.11.139/crs"/>
                      </bean>
                  </constructor-arg>
              </bean>
              But nevertheless the app doesn't work when I try to authenticate for the first time. The log is here.
              I think that the problem is related to the SSL security profile, which has to be configured here
              Code:
              <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
                  <constructor-arg>
                      <list>
                          <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                              <constructor-arg>
                                  <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                                      <!-- URL containing the metadata -->
                                      <constructor-arg type="java.lang.String" value="${saml-idp-metadata-url}"/>
                                      <!-- Timeout for metadata loading in ms -->
                                      <constructor-arg type="int" value="5000"/>
                                      <property name="parserPool" ref="parserPool"/>
                                      <property name="requireValidMetadata" value="false"/>
                                  </bean>
                              </constructor-arg>
                              <property name="requireValidMetadata" value="false"/>
                              <property name="metadataTrustCheck" value="false"/>
                              <constructor-arg>
                                  <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                                      <!-- attribute values must be quoted in XML -->
                                      <property name="idpDiscoveryEnabled" value="false"/>
                                  </bean>
                              </constructor-arg>
                          </bean>
                      </list>
                  </constructor-arg>
                  <!-- OPTIONAL used when one of the metadata files contains information about this service provider -->
                  <!-- <property name="hostedSPName" value=""/> -->
                  <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
                  <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> -->
              </bean>
              But I didn't find an example or an explanation of how to configure it.
              There is not a lot of information for me in the chapters "A.1 Extended metadata", "4.6 Security profiles" and "4.3 Metadata configuration".

              Comment


              • #22
                The exception in the logs again says: "InResponseToField doesn't correspond to sent message". Are you sure the EmptyStorageFactory is properly configured in this instance? This exception cannot occur when it's in place.

                Vladi

                Comment


                • #23
                  Actually I removed empty storage factory because there is no field in SAMLContextProviderLB which is responsible for storageFactory
                  Last edited by postullat; Aug 19th, 2013, 02:12 AM.

                  Comment


                  • #24
                    The SAMLContextProviderLB extends SAMLContextProviderImpl, so it has all the superclass' public getters/setters available. You set the EmptyStorageFactory just like for the normal context provider:

                    Code:
                    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
                        <property name="storageFactory">
                            <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
                        </property>
                    </bean>
                    Vladi

                    Comment


                    • #25
                      Yes, it works. Thank you very much)

                      Comment
