Recipient endpoint doesn't match with SAML response

vdenotaris picture vdenotaris · Jul 17, 2014 · Viewed 17k times · Source

Usually my Spring SAML-based Service Provider (SP) implementation works fine, but sometimes it returns this error:

[2014-07-17 16:00:58.767] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseMessageDecoder:     Successfully decoded message.
[2014-07-17 16:00:58.767] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: Checking SAML message intended destination endpoint against receiver endpoint
[2014-07-17 16:00:58.768] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: Intended message destination endpoint: https://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias
[2014-07-17 16:00:58.768] boot - 1078 DEBUG [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: Actual message receiver endpoint: http://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias
[2014-07-17 16:00:58.768] boot - 1078 ERROR [http-bio-80-exec-1] --- BaseSAMLMessageDecoder: SAML message intended destination endpoint 'https://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias' did not match the recipient endpoint 'http://prismasp.cloud.reply.eu:443/MIUR_PRISMA-2.1-WEBUI/saml/SSO/alias/defaultAlias'
[2014-07-17 16:00:58.782] boot - 1078 DEBUG [http-bio-80-exec-1] --- SAMLProcessingFilter: Incoming SAML message is invalid
org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
...

I'm using (as default setting of Spring Security) the HTTP Strict Transport Security (HSTS) on Tomcat 7 with SSL enabled.

Is there a way to fix this error?


Note: sample source code is on Github: vdenotaris/spring-boot-security-saml-sample.

Answer

Vladimír Schäfer picture Vladimír Schäfer · Jul 17, 2014

I don't know why is your problem occurring randomly, but at least one way to fix it is by configuring SAMLContextProviderLB instead of your current SAMLContextProviderImpl.

The SAMLContextProviderLB is typically used to tell Spring SAML public about the public URL used on a reverse proxy or load balancer, but in this case you can use to force Spring SAML to think it's using HTTPS. You can find details in chapter 10.1 Advanced Configuration of the Spring SAML manual.

You should also make sure to properly set property entityBaseURL on your MetadataGenerator bean, because without doing so the generated metadata will depend on whether you made first request to your application using http or https. Again, all of this is documented.