  • Incoming SAML message is invalid only in Internet Explorer

    Hello,
    I'm dealing with a strange issue.

    I've integrated a Spring SAML SP into our application using Weblogic as an app server. The SSO is IDP initiated using HTTP POST. I've tested the SP using fake SAML requests sent by a test IDP within our network and everything works fine on both Chrome and IE.

    However when the client sends a SAML request from their IDP using IE I get the following error in our logs:

    Servlet failed with Exception
    org.opensaml.common.SAMLRuntimeException: Incoming SAML message is invalid

    ...
    Caused By: org.opensaml.common.SAMLException: Unsupported request
    at org.springframework.security.saml.processor.SAMLProcessorImpl.getBinding(SAMLProcessorImpl.java:268)

    The kicker here is that when the client tries the same request with Chrome everything works fine. The SAML request is decrypted and the signature verified and everything works like in our test environment.

    I've looked into the SAML source code and it appears that the exception is generated if the transport object cannot be processed by any of the available binding objects.

    So what could be the difference in the browsers that could cause this exception? The logs also indicate the SAML request is coming in as a http post.

    Just to add some more confusion, when the client uses fiddler(?) with IE to try examine the headers everything magically works.

    Any ideas or avenues of investigation would be appreciated.

  • #2
    Hello,

    The condition which needs to be valid for the incoming message to be recognized as using HTTP-POST is:

    Code:
    HTTPTransport t = (HTTPTransport) transport;
    return "POST".equalsIgnoreCase(t.getHTTPMethod())
        && (t.getParameterValue("SAMLRequest") != null || t.getParameterValue("SAMLResponse") != null);
    Do you think you could debug the issue by setting a breakpoint in org.springframework.security.saml.processor.HTTPPostBinding, in the supports(InTransport transport) method? Something in the condition must fail for some reason; debugging is probably the fastest way to tell what it is.

    Vladi



    • #3
      I think we found the issue.

      It appears there is a bug with IE where the SAML response is dropped from the request after the user clicks the 'SSL cert is untrusted, click here to continue' button.

      The client was having trouble importing our SSL certs into IE, which were signed by our company CA and not by a real third-party CA like Verisign in our dev environments. This caused EVERY request to our SP to drop the SAML response, because IE was prompting the user to trust the SSL cert every time.

      Once we were able to correctly install our SSL certs in their IE browsers everything worked fine.

      By the way, the error above with 'Unsupported request' is what you see when a request is posted to the SP without a SAML response, which is exactly what was happening since IE was dropping the SAML response parameter.



      • vsch commented:
        An interesting problem, good to know IE behaves this way. Thanks for sharing.
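    The diagnosis in #3 (a POST reaching the SP with no SAMLResponse parameter, surfacing as the generic "Unsupported request") and the supports() condition quoted in #2 suggest a cheap detection: a servlet filter in front of the SSO endpoint that applies the same test and logs a descriptive warning when the form body is missing. This is an added example written for this thread, not Spring SAML code; the class name, filter mapping and use of SLF4J are assumptions.

    ```java
    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    /**
     * Hypothetical diagnostic filter (assumed name), mapped in web.xml to the
     * Spring SAML SSO endpoint ahead of the Spring Security filter chain.
     * It mirrors the HTTPPostBinding.supports() test and, when a POST arrives
     * without SAMLRequest or SAMLResponse, logs request metadata (never the
     * SAML payload) so the "Unsupported request" exception can be traced to a
     * client that dropped the form body, as IE did after its certificate warning.
     */
    public class SamlPostDiagnosticFilter implements Filter {
        private static final Logger log = LoggerFactory.getLogger(SamlPostDiagnosticFilter.class);

        /** Same condition the HTTP-POST binding uses to accept a message. */
        static boolean looksLikeSamlPost(String method, String samlRequest, String samlResponse) {
            return "POST".equalsIgnoreCase(method) && (samlRequest != null || samlResponse != null);
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (request instanceof HttpServletRequest) {
                HttpServletRequest http = (HttpServletRequest) request;
                String method = http.getMethod();
                String samlRequest = http.getParameter("SAMLRequest");
                String samlResponse = http.getParameter("SAMLResponse");
                if ("POST".equalsIgnoreCase(method) && !looksLikeSamlPost(method, samlRequest, samlResponse)) {
                    // The browser submitted the SSO form but no SAML parameter survived:
                    // log enough context to tell a client-side drop from a binding problem.
                    log.warn("POST to {} without SAMLRequest/SAMLResponse; Content-Length={} Content-Type={} User-Agent={} Referer={}",
                            http.getRequestURI(), http.getContentLength(), http.getContentType(),
                            http.getHeader("User-Agent"), http.getHeader("Referer"));
                }
            }
            chain.doFilter(request, response); // let Spring SAML raise its own exception as before
        }

        @Override public void init(FilterConfig filterConfig) {}
        @Override public void destroy() {}
    }
    ```

    A Content-Length of 0 or -1 together with a Referer pointing at the IdP is the signature of the case in #3: the browser reached the SP but sent an empty body.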