I am using Spring Security SAML to have my application act as an SP. I was able to have the end-to-end solution done. However, I am facing a problem when the user wants to access the application using more than one URL. I have configured my SP metadata with the Assertion Consumer Service URL to be mywebsite:8080/myapp/saml/SSO.

The user can also access the application through the full domain name mywebsite.fulldomainname:8080/myapp/

If the user accesses the second URL, the SP application will redirect to the IDP, which will return the first URL, which will fail giving this message: "InResponseToField of the Response doesn't correspond to sent message"

Even if I used the EmptyStorageFactory, it will still fail in the AbstractProfileBase.verifyEndpoint

How can I fix that?

Omar Azzam

1 Answer

Part of SAML's security model is verification of the intended endpoint - where the IDP wants to deliver a SAML message - against the endpoint where the SP actually received the message - the two need to match. Therefore your SP metadata needs to include correct information about the URL where it expects SAML messages to be delivered. You will encounter errors in verifyEndpoint in case the SP metadata has a different URL than where your IDP delivers the message.

Spring SAML allows you to define multiple different metadata (with different URLs) for the same deployment. So you can solve your problem by generating one metadata for mywebsite:8080/myapp, the other for mywebsite.fulldomainname:8080/myapp/ and importing both to your configuration. Each of those will have to have a different entityId and will also need to be separately imported to your IDP.

You can find more details in chapter 7.2 of the Spring SAML manual - pre-configured metadata.

Vladimír Schäfer
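Added example, not part of the question, the answer, or the Spring SAML project itself: a Spring XML bean definition in the style of the pre-configured metadata approach the answer points to (Spring SAML 1.x), registering two local SP metadata entries for the same deployment, one per public base URL. Both metadata files are assumed to have been generated beforehand (for example with MetadataGenerator), each with its own entityId, entityBaseURL and alias, and imported into the IDP. The file names, entity IDs, aliases, the "sp-key" key alias and the "parserPool" bean reference are placeholders or assumed to be defined elsewhere in the context.

```xml
<!-- Added example, not from the original post or the Spring SAML project.
     Two local SP metadata entries for one application, one per base URL.
     Each file below is assumed to have been generated in advance for its own
     entityBaseURL, entityId and alias; both entity IDs were registered at the IDP.
     File names, entity IDs, aliases, "sp-key" and "parserPool" are placeholders. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- SP metadata #1, generated for http://mywebsite:8080/myapp -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg><bean class="java.util.Timer"/></constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/sp_short.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>       <!-- this is an entity we host -->
                        <property name="alias" value="short"/>      <!-- unique per local entity -->
                        <property name="signingKey" value="sp-key"/>
                        <property name="encryptionKey" value="sp-key"/>
                    </bean>
                </constructor-arg>
            </bean>
            <!-- SP metadata #2, same application, generated for http://mywebsite.fulldomainname:8080/myapp -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg><bean class="java.util.Timer"/></constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/sp_full.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>
                        <property name="alias" value="full"/>
                        <property name="signingKey" value="sp-key"/>
                        <property name="encryptionKey" value="sp-key"/>
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
    <!-- Local entity used when a request carries no alias; must be one of the entityIds above -->
    <property name="hostedSPName" value="urn:placeholder:sp:short"/>
</bean>
```

With an alias set, Spring SAML derives the endpoint paths for that entity from the alias, so the two SPs answer on distinct Assertion Consumer Service URLs of the form `<base URL>/saml/SSO/alias/short` and `<base URL>/saml/SSO/alias/full`. The IDP's entry for each entityId then points at the URL the matching metadata file declares, which is exactly the endpoint match that verifyEndpoint enforces; a response routed to the wrong host no longer passes the check by accident, and each base URL gets a consistent round trip.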