Recipient endpoint does not match SAML response

Usually my Spring SAML Service Provider (SP) implementation works fine, but sometimes it returns this error:

[2014-07-17 16:00:58.767] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseMessageDecoder: Successfully decoded message.
[2014-07-17 16:00:58.767] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: Checking SAML message intended destination endpoint against receiver endpoint
[2014-07-17 16:00:58.768] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: Intended message destination endpoint: https://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias
[2014-07-17 16:00:58.768] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: Actual message receiver endpoint: http://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias
[2014-07-17 16:00:58.768] boot - 1078 ERROR [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: SAML message intended destination endpoint 'https://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias' did not match the recipient endpoint 'http://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias'
[2014-07-17 16:00:58.782] boot - 1078 DEBUG [http-bio-80-exec-1] --- SAMLProcessingFilter: Incoming SAML message is invalid
org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
...

I use HTTP Strict Transport Security (HSTS), as the Spring Security default, on Tomcat 7 with SSL.

Is there any way to fix this error?


Note: The source code for the sample is on GitHub: vdenotaris/spring-boot-security-saml-sample.

+11
spring spring-security spring-saml saml
2 answers

I don't know why your problem occurs only intermittently, but at least one way to resolve it is to configure SAMLContextProviderLB instead of your current SAMLContextProviderImpl.

SAMLContextProviderLB is usually used to tell Spring SAML about the public URLs exposed on a reverse proxy or load balancer, but in this case you can use it to make Spring SAML believe it is being accessed over HTTPS. Details can be found in Chapter 10.1, Advanced Configuration, of the Spring SAML manual.

You must also ensure that the entityBaseURL property is set on your MetadataGenerator bean, because otherwise the generated metadata depends on whether the first request to your application was made over http or https. Again, all of this is documented.

+23
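The two changes this answer recommends, written out as a Spring Java configuration. This is an added example, not code from the question's sample project or from Spring SAML; it assumes the rest of the Spring SAML wiring (MetadataGeneratorFilter, SAMLProcessingFilter, and so on) is already in place, takes the public host, port and context path from the log in the question, and uses an assumed entity ID.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.metadata.MetadataGenerator;

/**
 * Added example: tells Spring Security SAML which public URL the browser and IdP see
 * when TLS is terminated in front of Tomcat. Host, port and context path are taken
 * from the log in the question; the entity ID is an assumption.
 */
@Configuration
public class SamlProxyConfig {

    // Public values as seen from outside (from the Destination URL in the log)
    private static final String PUBLIC_SCHEME = "https";
    private static final String PUBLIC_HOST = "prismasp.cloud.reply.eu";
    private static final int PUBLIC_PORT = 443;
    private static final String CONTEXT_PATH = "/MIUR_PRISMA-2.1-WEBUI";

    // Replaces SAMLContextProviderImpl. The values below override what Tomcat derives
    // from the (plain HTTP) connection behind the proxy, so the Destination check
    // compares https://... against https://... regardless of how the request arrived.
    @Bean
    public SAMLContextProviderLB contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme(PUBLIC_SCHEME);
        provider.setServerName(PUBLIC_HOST);
        provider.setServerPort(PUBLIC_PORT);
        // The Destination in the log carries an explicit ":443", so keep the port in the URL
        provider.setIncludeServerPortInRequestURL(true);
        provider.setContextPath(CONTEXT_PATH);
        return provider;
    }

    // entityBaseURL pins the URLs written into the generated metadata, so they no longer
    // depend on whether the request that triggered generation came in over http or https.
    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("prisma-sp"); // assumed entity ID, not from the question
        generator.setEntityBaseURL(PUBLIC_SCHEME + "://" + PUBLIC_HOST + ":" + PUBLIC_PORT + CONTEXT_PATH);
        return generator;
    }
}
```

Both beans pin the SP's view of itself to the externally visible HTTPS URL; if the metadata has already been published to the IdP with http URLs, regenerate and re-exchange it after making this change, otherwise the IdP keeps sending responses to the old endpoint.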

I think your application server is behind a load balancer.

For an Apache Tomcat server running behind an AWS Application Load Balancer, you must enable RemoteIpValve so that Tomcat rewrites the scheme (https) and port (443) based on the X-Forwarded-Proto header.

In server.xml

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" internalProxies="10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|169\.254\.\d+\.\d+|127\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+" />
0
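To see why the valve fixes the error in the log, and why its internalProxies attribute matters, here is an added stand-alone illustration (not Tomcat's or OpenSAML's code) of the decision the valve makes before the decoder compares the Destination attribute with the receiver URL. It reuses the internalProxies expression from the server.xml snippet above and the URLs from the question's log; the client addresses are constructed, and exact string comparison stands in for OpenSAML's URL comparator.

```java
import java.util.regex.Pattern;

/**
 * Added example: reproduces the effect of Tomcat's RemoteIpValve on the receiver URL
 * that the SAML Destination attribute is checked against. Illustrative only.
 */
public class ReceiverUrl {

    // Same internalProxies expression as in the server.xml snippet of the answer
    private static final Pattern INTERNAL_PROXIES = Pattern.compile(
        "10\\.\\d+\\.\\d+\\.\\d+|192\\.168\\.\\d+\\.\\d+|169\\.254\\.\\d+\\.\\d+|127\\.\\d+\\.\\d+\\.\\d+"
        + "|172\\.(1[6-9]|2[0-9]|3[0-1])\\.\\d+\\.\\d+");

    /**
     * Builds the receiver URL Tomcat reports to the application. X-Forwarded-Proto is
     * honoured only when the TCP peer is one of the internal proxies; from any other
     * address the header is ignored, so a client cannot talk the SP into a scheme
     * or port it is not actually serving.
     */
    static String receiverUrl(String remoteAddr, String connectionScheme, int connectionPort,
                              String forwardedProto, String host, String path) {
        String scheme = connectionScheme;
        int port = connectionPort;
        boolean trustedProxy = INTERNAL_PROXIES.matcher(remoteAddr).matches();
        if (trustedProxy && "https".equalsIgnoreCase(forwardedProto)) {
            // Valve behaviour: scheme becomes https and the port becomes httpsServerPort (443 by default)
            scheme = "https";
            port = 443;
        }
        return scheme + "://" + host + ":" + port + path;
    }

    /** The check that failed in the log: Destination must equal the receiver endpoint. */
    static boolean destinationMatches(String destination, String receiver) {
        return destination.equals(receiver);
    }

    public static void main(String[] args) {
        String host = "prismasp.cloud.reply.eu";
        String path = "/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias";
        String destination = "https://" + host + ":443" + path; // Destination from the log

        // Request arriving from the load balancer (constructed private address), TLS terminated upstream
        String fromLb = receiverUrl("10.0.1.25", "http", 443, "https", host, path);
        System.out.println(fromLb + " matches Destination: " + destinationMatches(destination, fromLb));

        // Same header from an address outside internalProxies (constructed): header ignored,
        // so the http/https mismatch from the question is reported, as it should be
        String direct = receiverUrl("203.0.113.7", "http", 443, "https", host, path);
        System.out.println(direct + " matches Destination: " + destinationMatches(destination, direct));
    }
}
```

Keep internalProxies tight: it should cover only the addresses the load balancer actually connects from, since every address it matches is allowed to assert the scheme the SP believes it was reached on.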
