I am using the Spring SAML extension with Apache 2.2 + Tomcat 7.0 + OKTA (IdP). The securityContext.xml looks as follows:

MetadataGeneratorFilter:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityBaseURL" value="https://myapp.com/api"/>
        </bean>
    </constructor-arg>
</bean>

ContextProvider:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="myapp.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/api"/>
    <property name="storageFactory">
        <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
    </property>
</bean>

I use the following URL, which triggers the SP-initiated login:

https://myapp.com/api/welcome.html

After authentication is complete, the browser gets redirected to HTTP instead of HTTPS:

http://myapp.com/api/welcome.html

I don't know why the request gets redirected to HTTP. Please help.

Thanks

Nara

HTTP request dump:

https://docs.google.com/document/d/1mYh-EhDjxMixzZ8krhOg_2fjpTaTu7fuST_nIXAMeVY/edit?usp=sharing

In OKTA, I created a SAML 2.0 app with the following metadata:


    Single Sign On URL => https://myapp.com/api/saml/SSO
    Recipient URL => https://myapp.com/api/saml/SSO
    Destination URL => https://myapp.com/api/saml/SSO
    Audience Restriction => https://myapp.com/api/saml/metadata
    Default Relay State => https://myapp.com/dashboard.html
    Name ID Format => Unspecified
    Response => Signed
    Assertion Signature => Signed
    Signature Algorithm => RSA_SHA256
    Digest Algorithm => SHA256
    Assertion Encryption => Unencrypted
    SAML Single Logout => Disabled
    authnContextClassRef => PasswordProtectedTransport
    Request Compression => Uncompressed
    Honor Force Authentication => Yes
    SAML Issuer ID => http://www.okta.com/${org.externalKey}

Spring Config:

https://docs.google.com/document/d/16iDLcBuwvQ23-mKMFybPfxdIyvqCBi5sbYePgUjl0p4/edit?usp=sharing
s_v_2

2 Answers

I still don't see the real reason; your configuration looks OK, but please try replacing the current successRedirectHandler with the following (replacing the URL with your own, of course) and see if the issue goes away:

<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="https://yourapp.com/welcome.jsp"/>
</bean>
Vladimír Schäfer
  • Thanks Vladimir. 1) Set the defaultTargetUrl as above. Tried /saml/login. After authentication, the browser goes into a redirect loop between /welcome.jsp, https://myokta.com/app/dev400736_devserver_1/exk4e58o6u7P4jjrh0h7/sso/saml, and /saml/SSO. 2) Start with /welcome.jsp (instead of /saml/login). The redirect goes to http://.../welcome.jsp and the browser shows a connection reset error. After that, I change the scheme to https. Then I can open the page normally. – s_v_2 Jul 12 '15 at 19:33
  • Vladimir, one more question: Tomcat's server.xml has the following connector. Can it be the source of the redirection problem? – s_v_2 Jul 12 '15 at 19:35
  • After adding the secure attribute to the connector, the redirection happens correctly. – s_v_2 Jul 14 '15 at 15:44
  • Just to add for those still having issues: in addition to this fix, I also had to set `setAlwaysUseDefaultTargetUrl` to true for it to work. – Nick K. Dec 11 '18 at 22:14
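The connector fix the comments above arrive at, written out as an added example (not configuration from the question or the answers). Host names, ports and the proxy address are placeholders; `scheme`, `secure`, `proxyName`, `proxyPort` and `RemoteIpValve` are standard Tomcat 7 features. The point to check is what `request.getScheme()` and `request.isSecure()` return inside Tomcat: when Apache terminates TLS and forwards over plain HTTP, Tomcat reports `http`, and every redirect built from the request (including the saved request that Spring Security replays after the SAML login) is emitted as `http://...`, so the browser's first post-login request, session cookie included, leaves over cleartext unless the cookie carries the Secure flag.

```xml
<!-- server.xml fragments: Tomcat 7 behind an Apache reverse proxy that terminates TLS.
     All values are placeholders; this is not the original poster's server.xml. -->

<!-- BEFORE: Tomcat treats every proxied request as plain HTTP on port 8080.
     request.getScheme() == "http", request.isSecure() == false, so redirects
     constructed from the request come back as http://myapp.com/... -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- AFTER (option 1, static): valid only when this connector is reachable solely
     through the TLS-terminating proxy. Declares the client-facing scheme, marks
     the request secure and fixes the external host/port used in redirects. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           scheme="https" secure="true"
           proxyName="myapp.com" proxyPort="443" />

<!-- AFTER (option 2, per request): the connector may see both direct and proxied
     traffic, so derive scheme and client address from proxy headers, and trust
     those headers only when the immediate peer is the proxy (regex on its IP).
     Place inside <Engine> or <Host>. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />
```

Option 2 assumes the Apache virtual host sets the header for every forwarded request (with mod_headers, `RequestHeader set X-Forwarded-Proto "https"`). Restricting `internalProxies` matters: a header accepted from arbitrary clients would let them claim an https origin or spoof the remote address that ends up in access logs.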
Make sure that your IdP is configured with proper metadata XML with HTTPS assertion endpoints.

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://.../saml/SSO" index="0" isDefault="true" />
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://.../saml/SSO" index="1" />
durron597
  • Welcome to Stack Overflow! Please make sure that your answer is phrased *as an answer*, not as a question. Also, XML tags are invisible unless you put them in a code block, as I've done here. – durron597 Sep 15 '15 at 18:50