SAMLException: Response has invalid status code status message is null

Omri Shneor picture Omri Shneor · Oct 3, 2017 · Viewed 9.3k times · Source

Im trying to implement spring-securtiy-saml integration as a SP with an adfs system, and im bumping my head for some days now with this exception happening when SAMLResponnse is sent back from the ADFS after successful authentication and the following exception is thrown. this is the DEBUG log:

2017-10-02 18:05:09,246 - DEBUG [http-apr-443-exec-9] BaseMessageEncoder - Successfully encoded message.
2017-10-02 18:05:09,246 - INFO  [http-apr-443-exec-9] SAMLDefaultLogger - AuthNRequest;SUCCESS;208.95.100.30;saml2.glassboxdigital.com;http://this/is/a/valid/url;;;
2017-10-02 18:05:09,859 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Request is to process authentication
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain a descriptor for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
2017-10-02 18:05:09,862 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
2017-10-02 18:05:09,863 - DEBUG [http-apr-443-exec-3] SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-10-02 18:05:09,864 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML relay state of: https://console-ex-saml.glassboxcloud.com/webinterface/webui/
2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Getting Base64 encoded message from request
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Parsing message stream into DOM document
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Unmarshalling message DOM
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Constructing Apache XMLSignature object
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding KeyInfo to Signature
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Message succesfully unmarshalled
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML message
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
2017-10-02 18:05:09,872 - DEBUG [http-apr-443-exec-3] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO" ID="_f33a822d-ca9c-4f55-92fd-325454f92f66" InResponseTo="a2g8hci4d0e1aa891bcj1d03ci51c29" IssueInstant="2017-10-02T18:05:12.972Z" Version="2.0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">valid.issuer</Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
         <ds:Reference URI="#_f33a822d-ca9c-4f55-92fd-325454f92f66">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>XC9VCfj8MgDg/c5PaT/KPIWoAHn67SI2gHU937SILbc=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>wfvDzv0cONrCjWi7k02oyISk16ABYY8UdG2CuP8Dg4jHcWL64Lp5lO3wvmNkcNX87tXN41ndqIIHupuKkqcLvqQs07fprxrIhkmDrScEkJObWD1pkNahUp24ERlOGt+fDWMcfWNpERpgHGU2O/FlH7kRUsj+LCxD3o1FQAHhXJeBVA1lbI6B+dOfyT2zLgpmS1jkaKLX/AKsc/56dvzDIUP5ElF5eMQdwuNmapmvCynSDSalP/v1KVn9pf12ShjiQh/oku4CtAXSgnjFbrg752EtGoaT80foIkooMjJQMSjC/CjHIGAMVEuTJraXUVdvgKPao5rC85OkFdOOoDYtOg==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
            <ds:X509Certificate>MIIFFzCCA/+gAwIBAgIETCPgRjANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xNDA4MTIxODE5MTJaFw0xODEwMTMwMjI0MTlaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMREwDwYDVQQHEwhCZWxsZXZ1ZTEWMBQGA1UEChMNRXhwZWRpYSwgSW5jLjEYMBYGA1UEAxMPc3NvLmV4cGVkaWEuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2nGjBS3eZkuPHyjIFsMT8Ex19ywmOUXxDI051/ZVFcCmbNFlKJrfbhxO0PpX1mOv3REC0SC22bwdQGDH35JVSmPq7NR52S0Q/RwVDUb9mXs86d6q/BACm5KfHavsXXbMKrCQSQzHBeMoMS6cQIvUgtmvfjnpJ6tYp+OF2MK6sa568cy34C3m63O66Kt/tFOZwGg8qmJCXdEpCtHR3TEiqmtoHc/A4XbhSg9BR/6+Z8kZb8T7AeKh69BPy5U7SuaW0ifOpS4TigONkqn3vPQkxjtosYL3X0/+WBaHDbA642H4wMBa9cWrMBp6u9u2NBulK82HVrdJB6iC8rZLsD7twIDAQABo4IBfjCCAXowCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L2xldmVsMWMuY3JsMGQGCCsGAQUFBwEBBFgwVjAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwLwYIKwYBBQUHMAKGI2h0dHA6Ly9haWEuZW50cnVzdC5uZXQvMjA0OC1sMWMuY2VyMEoGA1UdIARDMEEwNQYJKoZIhvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjAaBgNVHREEEzARgg9zc28uZXhwZWRpYS5iaXowHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFDsc7/1fpNaaFgJ1jKZfWmBD9WJ4MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAH97BdZzQIHGzyONbs1uLw71HJhWp3PtubbJ4aBRtmfopgJV/X/u4MfkKO8MokDY/oqN+PQLc0NwT6hfSWiclpOjWSW3u35IFQZTU+stT41/T41gvRHmnfCL3QuB+qNeQdWiDtWKAsJUUlx1Qn90BC23fbyiJptbppP3MDLbbf09grfifW0tJ4ThYOv4JkC/W3rtCiu6XryUWtFtz+RtwWtlSL5dxJnEE7VDvUcOSC+6dywb4dO/bSfYA1/gdbWXImsU+4124eC4DztWChDIMqCVqQObkNYdb9MsRr7itC+ezXVorKXzWhwG2FlNV8TjcCRgTKgdVFyw9+KMPXzFX+Q=</ds:X509Certificate>
         </ds:X509Data>
      </KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
   </samlp:Status>
</samlp:Response>

2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Enveloped signature transform
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Exclusive C14N signature transform
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Attempting to verify signature on signed SAML protocol message using context issuer message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Forcing on-demand metadata provider refresh if necessary
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Attempting to retrieve credentials from cache using index: [blabla,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Retrieved credentials from cache using index: [blabla,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to verify signature and establish trust using KeyInfo-derived credentials
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Found 0 key names: []
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Attempting to extract credential from an X509Data
2017-10-02 18:05:09,874 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 1 X509Certificates
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 0 X509CRLs
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Single certificate was present, treating as end-entity certificate
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Attempting to validate signature using key from supplied credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Creating XMLSignature object
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Signature validated with key from supplied credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Signature validation using candidate credential was successful
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential
2017-10-02 18:05:09,875 - INFO  [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Authentication via protocol message signature succeeded for context issuer entity ID blabla
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Successfully decoded message.
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Intended message destination endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Actual message receiver endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@41fbfcbf for request URL https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO based on location attribute in metadata
2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
2017-10-02 18:05:09,876 - INFO  [http-apr-443-exec-3] SAMLDefaultLogger - AuthNResponse;FAILURE;208.95.100.30;saml2.glassboxdigital.com;blabla;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

Ive been going over some questions in SO:

  1. org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
  2. Issues while integrating ADFS with Spring SAML Extension
  3. Setting the ExtendedMetadata 'signingAlgorithm' field

and more, allmost all of them seem to deem this issue as a problem with outdated keys in the keystore or a problem with the the signing of the message. initially I thought that the problem was with the signing of the message(adfs expects RSA-SHA256 and the default by open saml is RSA-SHA1). but Ive fixed it as seen here:

SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

the keystore dosent seem to be a problem aswell since the idp certificate is hardcoded in the metadata imported from the idp. the problem seems to be originated from line 113 from WebSSOProfileConsumerImpl.java the method processAuthenticationResponse is checking in line 107 if the statusCode value is equal to urn:oasis:names:tc:SAML:2.0:status:Success however in the repsone we receive from the idp the status code is equal to urn:oasis:names:tc:SAML:2.0:status:Responder im wondering if this a problem on our side in the SAMLRequest or something else, or if this is a problem from the adfs side. any ideas why is this happening?

Answer

Vladim&#237;r Sch&#228;fer picture Vladimír Schäfer · Oct 21, 2017

My guess the issue is about signature algorithm. Spring SAML uses SHA-1 by default and ADFS expects SHA-256. Mismatch between the two manifests itself in the way you are experiencing.

You can verify this hypothesis, or find another reason for this behavior, by looking at ADFS's event log.