SAMLException: InResponseToField of the Response doesn't correspond to sent message

Ogod picture Ogod · Jul 20, 2017 · Viewed 11.5k times · Source

We are working on an application, which is protected with spring security saml.

Authentication works fine, but there is one problem with the following workflow in production environment.

  1. user requests the unprotected address www.server.com
  2. response is a html page with an inline script that changes window.location.href to the saml protected page (service provider) www.server.com/app/action?param1=value1&param2=value2
  3. spring saml detects that authentication is needed and redirects the user to the login form (identity provider) on www.login-server.com
  4. at this point the login form is the first page that is displayed to the user
  5. user adds this login page as bookmark (including saml related url params for this http session) www.login-server.com/adfs/ls/?SAMLRequest=xxx&SigAlg=xxx&Signature=arGdsZwJtHzTDjQP1oYqbjNO
  6. user works with the application...
  7. at the next day the user opens this bookmark and login
  8. IdP redirects to the SP but the belonging http session has already expired

Now we get the following exception in our application:

org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message arGdsZwJtHzTDjQP1oYqbjNO

Any ideas how to handle this workflow so the user can use the application after successful login? Thanks for your answers!

Answer

Ogod picture Ogod · Nov 17, 2017

We have solved our issue with following changes to the spring saml configuration:

  1. In bean with id successRedirectHandler (org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler) we set the defaultTargetUrl to the init-Action of our application (including all request parameters). This url will be automatically used in case of IdP initiated SSO.
  2. In Bean with id contextProvider (org.springframework.security.saml.context.SAMLContextProviderLB) we set storageFactory to org.springframework.security.saml.storage.EmptyStorageFactory. This disables the check of the InResponseToField.