
I am implementing a multitenant application with the Spring Security SAML extension.

I have a Service Provider (SP) for each tenant. All SPs run on the same server, exposed with SP-specific 2nd-level domains:

  • sp1.myapp.com/myapi/1/
  • sp1.myapp.com/myapi/2/

In each SP metadata file I have configured the tenant-specific AssertionConsumerService.

When I test the SSO login, I get a KO on the SP side when it gets the response of the Identity Provider (IDP). On the log side I see only:

ERROR [BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://sp1.myapp.com/myapi/saml/SSO' did not match the recipient endpoint 'https://default.myapp.com/myapi/saml/SSO'

where 'https://default.myapp.com/myapi/saml/SSO' is the URL set as serverName of the load balancer context provider:

<bean id="lbContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB" init-method="afterPropertiesSet">
    <property name="metadata"    ref="metadata" />
    <property name="keyManager"  ref="keyManager" />
    <property name="scheme"      value="https" />
    <property name="serverName"  value="default.myapp.com" />
    <property name="contextPath" value="/myapi" />
    <property name="serverPort"  value="443" />
    <property name="includeServerPortInRequestURL" value="true" />
</bean>

Question

In docs.spring.io/spring-security-saml I see that:

Service provider can now define multiple assertion consumer endpoints with same binding

  • How can I configure it?
  • Does it conflict with load balancer context provider?
  • Can I provide multiple AssertionConsumerServices with different 2nd-level domains without reproducing this conflict?

I already tested:

  • This question seems to be fixed with the LB, but does anyone know if I can provide multiple serverNames to the load balancer context provider (maybe with a dynamic pick)?
  • Disabling the checking of the InResponseTo field, as suggested in ch. 13 of docs.spring.io/spring-security-saml and for this and this question.
  • Configuring the defaultTargetUrl of the successRedirectHandler (where I am using a custom superclass of org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler), as suggested for this question. In addition, this solution is not multitenant.
<bean id="successRedirectHandler" class="org.MySamlAuthenticationSuccessHandler"
      init-method="afterPropertiesSet">
    <property name="contextPath" value="/myapi" />
    <property name="defaultTargetUrl" value="https://default.myapp.com/myapi/saml/SSO"/>
    <property name="requireProxyWrapping" value="false"/>
</bean>
effedici

1 Answer


Customize SAMLContextProviderLB by extending SAMLContextProviderLB.

In the custom class, add a constructor and initialize it with default values.

Override getLocalAndPeerEntity/getLocalEntity/populateLocalEntityId. In each of these methods, set lbDomain based on the domain in the request URL.

The above approach worked for me.

Vishal
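One way to implement the per-request "dynamic pick" of the serverName that the answer above describes, as an added example that is not part of the original answer or of the Spring Security SAML project. Rather than calling setServerName on a shared singleton from inside getLocalEntity (the setter mutates state shared by every thread, so two concurrent logins for different tenants would race), the class below keeps one fully configured SAMLContextProviderLB per tenant host and delegates to the one matching the host of the incoming request. Only hosts from an explicit list are honoured: the Host header is client-controlled, so an unknown host falls back to the default provider and fails the destination check exactly as the question's log shows, instead of letting an arbitrary Host value steer the check. The package and class name, the tenant host list, the default host and the "/myapi" context path are assumptions taken from the question; the Spring Security SAML types are those of the 1.0.x API.

```java
// Added example, not the answer's or the project's own code. Package/class
// name, the host list and the context path are assumptions (see lead-in).
package org.example.saml;

import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.MetadataManager;

/**
 * SAMLContextProvider that picks a tenant-specific SAMLContextProviderLB by
 * the host of the incoming request. Each delegate is immutable after
 * construction, so no per-request mutation of shared state is needed.
 */
public class TenantContextProviderLB implements SAMLContextProvider {

    private final Map<String, SAMLContextProviderLB> byHost;
    private final SAMLContextProviderLB fallback;

    /**
     * @param metadata     the application's MetadataManager bean
     * @param keyManager   the application's KeyManager bean
     * @param defaultHost  host used when the request host is not a known tenant
     *                     (e.g. "default.myapp.com" from the question)
     * @param tenantHosts  the SP-specific hosts, e.g. "sp1.myapp.com", "sp2.myapp.com"
     */
    public TenantContextProviderLB(MetadataManager metadata, KeyManager keyManager,
                                   String defaultHost, Iterable<String> tenantHosts)
            throws Exception {
        Map<String, SAMLContextProviderLB> m = new HashMap<String, SAMLContextProviderLB>();
        for (String host : tenantHosts) {
            m.put(host.toLowerCase(Locale.ROOT), build(metadata, keyManager, host));
        }
        this.byHost = Collections.unmodifiableMap(m);
        this.fallback = build(metadata, keyManager, defaultHost);
    }

    /** Builds one LB provider with the same settings as the question's XML, but for the given host. */
    private static SAMLContextProviderLB build(MetadataManager metadata, KeyManager keyManager,
                                               String host) throws Exception {
        SAMLContextProviderLB p = new SAMLContextProviderLB();
        p.setMetadata(metadata);
        p.setKeyManager(keyManager);
        p.setScheme("https");
        p.setServerName(host);
        p.setServerPort(443);
        p.setContextPath("/myapi");           // assumption: same context path for all tenants
        p.setIncludeServerPortInRequestURL(true);
        p.afterPropertiesSet();               // validates the settings, as the init-method in XML would
        return p;
    }

    /**
     * Chooses the delegate for this request. request.getServerName() comes from
     * the Host header (or X-Forwarded-Host if the container is configured to
     * honour it), so it is only trusted when it names a configured tenant.
     */
    private SAMLContextProviderLB select(HttpServletRequest request) {
        String host = request.getServerName();
        SAMLContextProviderLB p = (host == null) ? null : byHost.get(host.toLowerCase(Locale.ROOT));
        return (p != null) ? p : fallback;
    }

    @Override
    public SAMLMessageContext getLocalEntity(HttpServletRequest request, HttpServletResponse response)
            throws MetadataProviderException {
        return select(request).getLocalEntity(request, response);
    }

    @Override
    public SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response)
            throws MetadataProviderException {
        return select(request).getLocalAndPeerEntity(request, response);
    }
}
```

Wire it in place of the `lbContextProvider` bean from the question and point the `contextProvider` property of SAMLEntryPoint, SAMLProcessingFilter and the logout filters at it; because every delegate already has a fixed serverName, the destination check reconstructs `https://sp1.myapp.com/myapi/saml/SSO` for requests arriving on sp1.myapp.com and `https://sp2.myapp.com/myapi/saml/SSO` for sp2.myapp.com, so each tenant's metadata can declare its own AssertionConsumerService without the mismatch in the log.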