
I have the below structure for my spring boot 2.5.5 application where the client request reaches Server A which is then forwarded to Server B and then Server C.

I have implemented Spring Security and AD SAML Authentication using (spring-security-saml2-core)

  1. Nginx (Server A) -> nginx.conf has been configured for proxy pass to Server B
  2. Nginx (Server B) -> nginx.conf has been configured for proxy pass to Server C
  3. Tomcat (Server C) -> Actual Spring Boot App deployed here

Now in Azure AD we create the App and get the Entity Id, Metadata URL and Reply URL [https://serverA/appName], and the same are configured in my Spring Boot Application.

After all this configuration, when we access the app from the client I am able to get the SSO Login page and I can enter the credentials. Once I try to log in I get the below exception listed in the Server C logs:

SAML message intended destination endpoint 'https://serverA/appName/saml/SSO' did not match the recipient endpoint 'https://serverB/appName/saml/SSO'


Tokyo

1 Answer


SAML is very restrictive. When you send a SAML request to AD you also specify where you want the answer to go back to. You also configure on the AD side where to send the response to. These MUST match. If the response endpoint does not match, then you will get this error. I guess your problem is that your request comes from SERVER A and AD is configured to return it to SERVER B. Check that your metadata return endpoint matches what is configured in AZURE; your problem is probably there.

Itamar Kerbel
  • I guessed it too but the reply URL in AD is Server A. – Tokyo Nov 14 '21 at 09:23
  • That's right. The message says that the intended endpoint is SERVER A, but who really gets it, and what is configured in the metadata? Check that they all match, and if the answer should go to server B, configure both the metadata and AD to server B. – Itamar Kerbel Nov 14 '21 at 09:34
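The mismatch in the question arises because the SP computes its own recipient endpoint from the request as it arrives on Server C (after two proxy hops), while the Destination in the response is the public Reply URL on Server A. The Destination check itself is a defence against responses being redirected to a different endpoint, so the fix is to tell the SP what its public-facing URL is rather than to weaken the check. In the spring-security-saml2-core extension that is done with the load-balancer-aware context provider; the following configuration is an added example, not code from the question or the answer, and assumes the public base URL https://serverA/appName from the question:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderLB;

/**
 * Replaces the default SAMLContextProviderImpl, which derives the recipient
 * endpoint from the request Tomcat actually receives (scheme/host/port of the
 * last proxy hop). SAMLContextProviderLB instead builds the endpoint from the
 * externally visible address, so the recipient endpoint the SP checks against
 * the Destination becomes https://serverA/appName/saml/SSO, matching the Reply
 * URL registered in Azure AD and published in the SP metadata.
 */
@Configuration
public class SamlReverseProxyConfig {

    @Bean
    public SAMLContextProvider contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        // Assumed public entry point: the values from the question's Reply URL.
        provider.setScheme("https");
        provider.setServerName("serverA");
        provider.setServerPort(443);
        // Public URL carries no explicit port, so leave it out of the computed URL.
        provider.setIncludeServerPortInRequestURL(false);
        provider.setContextPath("/appName");
        return provider;
    }
}
```

The SP metadata (entityBaseURL) must be generated with the same public base URL, and the Reply URL in Azure AD must stay https://serverA/appName/saml/SSO; all three then agree and the Destination check passes without being relaxed.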