
After 1 week of Spring Security SAML Sample App to Ping (PingIdentity) integration effort, I am almost done... now I have an "InResponseToField of the Response doesn't correspond to sent message" error (below). Here are the request and response; as you can see, the ID and InResponseTo do match, no?

Request *** 

2017-09-20 11:02:07 DEBUG PROTOCOL_MESSAGE:74 - 
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://hostwithapp:8443/app1/saml/SSO" Destination="https://hostwithping:9031/idp/SSO.saml2" ForceAuthn="false" ID="a1je2ba47j27cdid2h74507gii19bgj" IsPassive="false" IssueInstant="2017-09-20T09:02:07.956Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#a1je2ba47j27cdid2h74507gii19bgj">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>rnJ2+WxLofXdY71JMpCyzvxjeI8=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>EHlnvY+rGsrq/KjFo7nhAjkirmy+HXpfPLSBr+FuCCm85fr3Z+yJupvYJlMXtwl/PM6NN3kXEecGA1oanUjnshb5o85QNY1v/PucZccGUr+kxWRc2F3YnDOazAjt8WXV5R1QJIPlf8Hank/7nqgylt35cftWitmcFuth0SSaT9N/gWXj7FvhwvEyO38Hh5W9OEQrZlPBimI6g2LdhM8IjuzXQYdmP5rADu0WQbIx48oRnVMKpaiG/7D7GxVDtT+5F/0Jr/cDo/slhAv3LjhGbuqoX0tUIngdUM+egODW6KnHHj9GAYdTM7XGBlLuIgGPeOQUpbPrf0WtzswzHVqXpw==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIIDQDCCAiigAwIBAgIGAVzUOBXsMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNVBAYTAkFUMSgwJgYD…</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
</saml2p:AuthnRequest>



Response ***
2017-09-20 11:02:09 DEBUG BaseSAML2MessageDecoder:115 - Extracting ID, issuer and issue instant from status response
2017-09-20 11:02:09 INFO  stdout:71 - 2017-09-20 11:02:09 DEBUG PROTOCOL_MESSAGE:113 - 
2017-09-20 11:02:09 INFO  stdout:71 - <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="vr.9BGHJqgMjrb_LZuq261qE9M8" InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" IssueInstant="2017-09-20T09:02:01.717Z" Version="2.0">
2017-09-20 11:02:09 INFO  stdout:71 -    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml:Issuer>
2017-09-20 11:02:09 INFO  stdout:71 -    <samlp:Status>
2017-09-20 11:02:09 INFO  stdout:71 -       <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
2017-09-20 11:02:09 INFO  stdout:71 -    </samlp:Status>
2017-09-20 11:02:09 INFO  stdout:71 -    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="mbPkcKjMO1j2AuxzPEbK-5DY73T" IssueInstant="2017-09-20T09:02:01.748Z" Version="2.0">
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:Issuer>app1</saml:Issuer>
2017-09-20 11:02:09 INFO  stdout:71 -       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
2017-09-20 11:02:09 INFO  stdout:71 - <ds:SignedInfo>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Reference URI="#mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Transforms>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:Transforms>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:DigestValue>EBqN6ZmIBFy69PsA3vxAMhvKPdSLiwUykRPlMnsxrnU=</ds:DigestValue>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:Reference>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:SignedInfo>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:SignatureValue>
2017-09-20 11:02:09 INFO  stdout:71 - lEDbj7QYOpoAF6Zf6g7mD1J1i01iGHJZiSeZ5EmAvH+yyylrtZDzwvpikrXTiBrTjoJzYm0a6qSC
2017-09-20 11:02:09 INFO  stdout:71 - SupHKG5gviH3HA2Ghcmz/pneF6lqtcIW1WpznyBPYzNsRZreDT4ZCkJBNmh1vRS8VNkgPtXHYIp6
2017-09-20 11:02:09 INFO  stdout:71 - SaDvvUOnIjBRaDcbsaIzsCetek+0uDI456I3z+FfT9lIXMEqbfkeUxXSdwqK3BPA4a1GkUCYNG7K
2017-09-20 11:02:09 INFO  stdout:71 - ens068ul0GxbXNFYgdLN/NOG3m+rCIJaVzhgbBNGHtMxVTxnyPyvz6exAUYHJAGv5aYCDVYfFber
2017-09-20 11:02:09 INFO  stdout:71 - YXKG5dZldhUO2yoxOVCaPgCd7MZjAwA0uN3U3g==
2017-09-20 11:02:09 INFO  stdout:71 - </ds:SignatureValue>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:Signature>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:Subject>
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">userid</saml:NameID>
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:SubjectConfirmationData InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" NotOnOrAfter="2017-09-20T09:52:01.748Z" Recipient="https://hostwithapp:8443/app1/saml/SSO"/>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:SubjectConfirmation>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:Subject>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:Conditions NotBefore="2017-09-20T08:12:01.748Z" NotOnOrAfter="2017-09-20T09:52:01.748Z">
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:AudienceRestriction>
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:Audience>app1</saml:Audience>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:AudienceRestriction>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:Conditions>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:AuthnStatement AuthnInstant="2017-09-20T09:02:01.748Z" SessionIndex="mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:AuthnContext>
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:AuthnContext>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:AuthnStatement>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:AttributeStatement>
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">APP-ESB-UIP-ADMIN</saml:AttributeValue>
..
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=APP-BM,C</saml:AttributeValue>
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">all-authenticated</saml:AttributeValue>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:Attribute>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:AttributeStatement>
2017-09-20 11:02:09 INFO  stdout:71 -    </saml:Assertion>
2017-09-20 11:02:09 INFO  stdout:71 - </samlp:Response>

Per Vladimír's suggestions I have tried putting Ping and app1 on separate hosts. And I tried the Spring cookie rename injection. But that seemed not to change any cookie names in my HAR file. I did it like this, correct? No idea how sessionRepository should be initialized....

<bean id="sessionRepository"
      class="org.springframework.session.MapSessionRepository"/>

<!-- avoid spring ping cookie conflict to run poc spring app and ping on same host -->
<bean id="sessionRepositoryFilter"
      class="org.springframework.session.web.http.SessionRepositoryFilter">
  <constructor-arg ref="sessionRepository"/>
  <property name="httpSessionStrategy">
    <bean class="org.springframework.session.web.http.CookieHttpSessionStrategy">
      <property name="cookieName" value="myCookieName"/>
    </bean>
  </property>
</bean>

HAR file is here: http://jmp.sh/nmJhefs

Cookies I see are:

ping1:
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34tHdGUwOS50Ncl4r74qH4QM"

ping2:
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34"

WildFly web session:
"name": "JSESSIONID",
"value": "Z9HSNymqBc6SXLnn68CZcdT2",
tom

1 Answer

This problem is usually caused when the JSESSIONID cookie stored when the request is generated differs from the JSESSIONID found during reception of the response. The reason for this is usage of a different hostname to send the request and receive the response.

Any chance both Ping Identity and your application are deployed on localhost? If not, make sure that the hostname you open to initialize the request (e.g. http://localhost:8080/saml/login) is the same one where PingIdentity sends the response.

Past issues with the same error:

Vladimír Schäfer
  • All on localhost (Ping server and sample app on WildFly/Eclipse, JDK 7). Searched idp.xml and sp.xml and all Ping config (IdP-SP connection and SP-IdP connection) for "localhost" and found only the fully qualified host name, so I am confident that I am not mixing the likes of 127.0.0.1, localhost and/or the fully qualified host name. Also deleted all cookies and tried again, same error. – tom Sep 19 '17 at 14:10
  • Sounds like this one https://stackoverflow.com/questions/27778889/spring-saml-integration-with-wso2-identity-server-saml-message-id-not-reconised - make sure your "localhost" applications are not overwriting each other's cookies. – Vladimír Schäfer Sep 19 '17 at 18:27
  • Spring Security SAML 1.0.2, line 96 of WebSSOProfileConsumerImpl.java: if I call ((org.springframework.security.saml.storage.HttpSessionStorage) context.getMessageStorage()).getAllMessages().size(), I get 0. So somehow my cache in HttpSessionStorage is getting flushed, right? – tom Sep 20 '17 at 13:25
  • On the other hand, if I go to where the messages cache is loaded, WebSSOProfileImpl.java line 109, I see ((org.springframework.security.saml.storage.HttpSessionStorage) context.getMessageStorage()).getAllMessages().iterator().next() <<3 times>> (java.lang.String) a549ghi0dggb530827ccjg3bi9igg46 (java.lang.String) a549ghi0dggb530827ccjg3bi9igg46 (java.lang.String) a549ghi0dggb530827ccjg3bi9igg46 and authRequest.getID() (java.lang.String) a549ghi0dggb530827ccjg3bi9igg46 – tom Sep 20 '17 at 13:38
  • So assuming that you and others are right that either a cookie is overwritten or a URL is mis-associated with a SAML flow, where could I debug that in the Spring Security SAML2 code base? ...FYI, I am adding a link above to my HAR file (from Chrome) with the securityContext.xml Spring Session interceptor configured... – tom Sep 20 '17 at 13:45
  • If the JSESSIONID cookie changes between the SAML request and the received response - due to overwriting, or a wrong domain - you'll be able to see it in the HAR you sent. Does it change? The sequence you posted in the question does not tell what the cookie stored during initialization of the SAML request in the SP was. – Vladimír Schäfer Sep 20 '17 at 14:51
  • Hm... so maybe I am missing that first cookie because there is some session initialization that I am missing? The sample app starts with accessing the web root: "Sample application demonstrates usage of IDP discovery which is automatically invoked on access to the application root. Discovery presents selection of all available Identity Providers and initiates SAML 2.0 single sign-on with the selected IDP after clicking on the "Start single sign-on" button." I have "false" for the IdP discovery, so I never see that page. Could that be the problem? – tom Sep 21 '17 at 13:58
  • My root cause was a bad bookmark to localhost:port/root, then the IdP, Ping, returning me to fullyqname:port/root. Thanks for the help. – tom Sep 21 '17 at 14:47
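What the answer describes and the last comment confirms can be reproduced offline. The Python below is an added example, not code from the question, the answer or Spring Security SAML: it models the SP's per-session store of outstanding request IDs (the role HttpSessionStorage plays), runs the two legs of the flow once under the same session cookie and once under two different ones, and shows that the second case yields the exact error from the question even though the ID and InResponseTo on the wire match. The message IDs, ACS URL and IdP URL are taken from the log excerpts above; the class and function names, the trimmed XML and the JSESSIONID values are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ACS_URL = "https://hostwithapp:8443/app1/saml/SSO"

# Constructed sample messages: the IDs and URLs are the ones shown in the
# question's log excerpts; signatures, attributes and timestamps are left
# out because this example only exercises the InResponseTo check.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="a1je2ba47j27cdid2h74507gii19bgj"
    AssertionConsumerServiceURL="https://hostwithapp:8443/app1/saml/SSO"
    Destination="https://hostwithping:9031/idp/SSO.saml2" Version="2.0"/>"""

RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="vr.9BGHJqgMjrb_LZuq261qE9M8" InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="mbPkcKjMO1j2AuxzPEbK-5DY73T" Version="2.0">
    <saml:Subject>
      <saml:NameID>userid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="a1je2ba47j27cdid2h74507gii19bgj"
            Recipient="https://hostwithapp:8443/app1/saml/SSO"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


class SessionMessageStorage:
    """Outstanding AuthnRequest IDs kept per browser session (constructed
    stand-in for what HttpSessionStorage does in Spring Security SAML)."""

    def __init__(self):
        self._by_session = {}

    def store(self, session_id, request_id):
        self._by_session.setdefault(session_id, set()).add(request_id)

    def pop(self, session_id, request_id):
        """Consume the ID so a replayed Response cannot match it a second time."""
        ids = self._by_session.get(session_id, set())
        if request_id in ids:
            ids.discard(request_id)
            return True
        return False

    def outstanding(self, session_id):
        return set(self._by_session.get(session_id, set()))


def send_authn_request(storage, session_id, xml):
    """SP leg 1: remember the request ID under the session that started SSO."""
    request_id = ET.fromstring(xml).get("ID")
    storage.store(session_id, request_id)
    return request_id


def consume_response(storage, session_id, xml, acs_url):
    """SP leg 2: validate the Response under the session that carried it back."""
    root = ET.fromstring(xml)
    in_response_to = root.get("InResponseTo")
    # The lookup is scoped to the session the browser presented with the
    # Response; a different cookie means an empty store, whatever is on the wire.
    if not storage.pop(session_id, in_response_to):
        raise ValueError(
            "InResponseToField of the Response doesn't correspond to sent message "
            + str(in_response_to))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP returned status " + status)
    # Bearer confirmation must reference the same request and this ACS endpoint.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != in_response_to:
        raise ValueError("SubjectConfirmationData does not reference the request")
    if scd.get("Recipient") != acs_url:
        raise ValueError("Recipient " + str(scd.get("Recipient")) + " is not this ACS")
    return root.find(".//saml:NameID", NS).text


def run_flow(request_session, response_session):
    """Drive both legs; returns the authenticated NameID or the error text.

    Two different session IDs model the thread's root cause: SSO started from
    localhost:port under one JSESSIONID cookie, and PingFederate posted the
    Response to the fully qualified host under another, so the SP found an
    empty message store."""
    storage = SessionMessageStorage()
    send_authn_request(storage, request_session, AUTHN_REQUEST)
    try:
        return consume_response(storage, response_session, RESPONSE, ACS_URL)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    same = "JSESSIONID=Z9HSNymqBc6SXLnn68CZcdT2"  # constructed cookie values
    print(run_flow(same, same))
    print(run_flow("JSESSIONID=set-on-localhost", "JSESSIONID=set-on-fqdn"))
```

The HAR-based diagnosis from the comments maps directly onto `run_flow`: if the JSESSIONID sent with the POST to the ACS differs from the one set when `/saml/login` was opened, the store consulted in leg 2 is not the one written in leg 1. The `pop` rather than a plain membership test also closes the replay window that a matching-but-reusable ID would leave open, and the Recipient check is what stops a Response issued for one ACS host from being accepted at another.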