
I have the following setup: a Spring Boot web server with ADFS single sign-on over SAML, which I based on this project https://github.com/isaacgarza/saml-example. Instead of Maven I'm using Gradle, if that matters.

The login and normal functionality are working just fine, except for a CORS error with one of two error messages in the browser:

  • case one (screenshot)

  • case two (screenshot)

  • if the URL is requested directly (screenshot)

and always the same error in Spring:

2021-09-02 09:48:25.042 DEBUG 80412 --- [io-10009-exec-5] o.a.tomcat.util.net.jsse.JSSESupport     : Error trying to obtain a certificate from the client
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:556) ~[na:na]
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:106) ~[tomcat-embed-core-9.0.41.jar:9.0.41]

I have tried a dozen variants of CORS implementations, with @CrossOrigin and global CORS configuration, but none of them leads to the desired behavior.

I send a GET request to my Spring server and, instead of processing this GET request, the Spring server redirects it to the ADFS, and now the error message occurs because ADFS can't handle this – naturally.

Question: How can I prevent this redirecting of the GET request (by the Spring server) to the ADFS?

I appreciate any hints or code chunks, and if any additional information is needed let me know – I will edit my post. Many thanks in advance!

Der Typ
  • Redirecting should not cause any CORS issue. Why are there two different ports, 10000 and 10009? – Bhushan Karmarkar Sep 02 '21 at 12:02
  • 10000 is the frontend and 10009 is the backend – Der Typ Sep 02 '21 at 12:05
  • Can you paste the response headers for a normal request/response without ADFS or SAML in a picture? – Bhushan Karmarkar Sep 02 '21 at 12:07
  • If I use the URL directly there is a normal response (hope it is the picture you wanted) – Der Typ Sep 02 '21 at 12:29
  • Just wondering - if you have ADFS 2019, did you enable CORS? - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs – rbrayb Sep 02 '21 at 21:36
  • Okay, that is weird, because in case 1 it clearly mentions that it is blocking from localhost:10009 while the origin is localhost:10000 - two separate ports will be considered as different origins – Bhushan Karmarkar Sep 03 '21 at 04:54
  • A cross-origin redirect will cause the browser to set the value of the Origin request header to null. See https://stackoverflow.com/a/42242802/441757. So if the responding server is doing a check of the Origin value against a list of allowed origins, that check will fail. – sideshowbarker Sep 03 '21 at 07:14
  • @rbrayb yes, we are using ADFS 2019 and haven't enabled CORS until now. I will try with the ADFS admin on Monday. – Der Typ Sep 03 '21 at 08:45
  • @DerTyp, may I please know if you got a chance to enable CORS? And if the issue is still there? – RahulKumarShaw Sep 13 '21 at 10:05
  • @RahulKumarShaw-MT the problem is still there, but I am only allowed to look for a solution on the side. – Der Typ Sep 21 '21 at 14:09
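
As an added illustration (not code from the question, the comments, or the saml-example project), the following Spring Security configuration keeps the browser's preflight and the frontend's API calls from being redirected into ADFS, which is the chain the comments describe: a 302 to ADFS is a cross-origin redirect, the browser then sends `Origin: null`, and the CORS check fails. It assumes Spring Security 5.x with saml2Login(), a hypothetical /api/** prefix for the backend endpoints, and the two ports from the question (frontend 10000, backend 10009).

```java
// Added illustration, not code from the question or the saml-example project.
// Assumes Spring Security 5.x with saml2Login(); "/api/**" is a hypothetical prefix.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.List;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Registering CORS with Spring Security puts the CorsFilter ahead of the
            // authentication filters, so the OPTIONS preflight is answered here and
            // is never redirected to ADFS.
            .cors().configurationSource(corsConfigurationSource()).and()
            .authorizeRequests().anyRequest().authenticated().and()
            // Browser navigation keeps the normal SAML redirect to ADFS ...
            .saml2Login().and()
            // ... but an unauthenticated call to the API path gets a plain 401
            // instead of a 302. Following a 302 into ADFS is a cross-origin
            // redirect: the browser sends "Origin: null" and the CORS check fails,
            // which is the symptom shown in the question.
            .exceptionHandling().defaultAuthenticationEntryPointFor(
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                new AntPathRequestMatcher("/api/**"));
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // One exact origin rather than "*": browsers reject a wildcard when the
        // response is credentialed (session cookie sent with allowCredentials).
        cfg.setAllowedOrigins(List.of("http://localhost:10000"));
        cfg.setAllowedMethods(List.of("GET", "POST", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Content-Type", "X-Requested-With"));
        cfg.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource src = new UrlBasedCorsConfigurationSource();
        src.registerCorsConfiguration("/api/**", cfg);
        return src;
    }
}
```

The frontend then has to handle a 401 from the API by starting the login flow in a top-level navigation (not an XHR), since only a navigation can complete the SAML round trip with ADFS.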

0 Answers