indigo-iam/iam

Incorrect failed match for `InResponseTo` SAML field with Redis HTTP session store

Closed this issue · 2 comments

Description

When using Redis as the HttpSession storage:

  1. The indigoiam container POSTs a SAML request to the SAML IdP.
  2. It stores the ID in the HttpSession:
     01:48:46.551 DEBUG 6 --- o.s.s.saml.storage.HttpSessionStorage    : Storing message {ID} to session c5336582-6039-49a9-b052-5b9b45079651
  3. The container receives the SAML response from the IdP.
  4. The container tries to retrieve the ID from the wrong session, causing the InResponseTo check to fail:
     01:48:50.849 DEBUG 6 --- [nio-8080-exec-9] o.s.s.saml.storage.HttpSessionStorage    : Message {ID} not found in session 20b60cf8-1c32-4084-b060-a0205dea2949
     org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message {ID}

To Reproduce

This doesn't happen when using internal session storage.
Set up IAM SAML with Redis as the HttpSession store and an nginx reverse proxy using the native forward-header strategy, running in host network mode.
Try to use SAML login.
See the description above.

Possible reason for the issue

  • Spring Session incompatibility with SAMLContextProviderLB
  • SameSite cookie rules causing it to generate the wrong HttpSessions?
  • Could also be the reverse proxy, since the application looks like it is coming from localhost?
  1. Spring SAML creates an HTTP session.
  2. The SAML IdP accepts the request and authenticates the user, but creates its own session and redirects the user back to Spring SAML.
  3. The container running Spring SAML receives the cookie, but as it doesn't recognize such a session it creates a new one.
  4. Spring SAML tries to verify the received SAML message against the original request, but it cannot be found because the original session is now gone.

Task or fixes

  • Option to use EmptyStorageFactory for SAMLContextProvider/SAMLContextProviderLB to disable the InResponseTo check
    DonaldChung-HK@59559a3
  • Set a custom cookie name / naming strategy for Spring Session with SAML so that the session name is consistent.
  • Update the Spring SAML / Spring Session packages if this issue is fixed in a later version.
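The failure sequence in the "Possible reason" list above can be reproduced without a browser, an IdP or Redis. The following is an added example (not code from indigo-iam/iam or Spring SAML) that models an SP keeping the sent AuthnRequest ID in a per-session store, with a cookie jar that applies the SameSite rules when the IdP's HTTP-POST binding sends the Response back as a cross-site POST. The cookie name `SESSION`, the `enforce_in_response_to` switch standing in for the EmptyStorageFactory option, and the simplified SameSite model (Strict never on cross-site requests, Lax only on top-level GET, no Chrome "Lax+POST" grace period) are all assumptions of this example.

```python
"""Model of the SAML InResponseTo check when the SP stores the AuthnRequest
ID in an HTTP session (added example, not indigo-iam/iam or Spring SAML code).
The IdP's HTTP-POST binding reply is a cross-site POST back to the SP, so
whether the SP's session cookie travels with it decides which session is seen."""
import secrets


class Browser:
    """Cookie jar applying a simplified SameSite policy (assumption: no
    Chrome 'Lax+POST' grace period is modelled)."""

    def __init__(self):
        self.jar = {}  # cookie name -> (value, samesite)

    def set_cookie(self, name, value, samesite="Lax"):
        self.jar[name] = (value, samesite)

    def cookies_for(self, cross_site, method):
        """Cookies attached to a request. Strict: never on cross-site requests.
        Lax: cross-site only on top-level GET navigations. None: always."""
        sent = {}
        for name, (value, samesite) in self.jar.items():
            if (not cross_site or samesite == "None"
                    or (samesite == "Lax" and method == "GET")):
                sent[name] = value
        return sent


class ServiceProvider:
    """SP that remembers sent request IDs in the caller's HTTP session."""
    COOKIE = "SESSION"  # assumed cookie name

    def __init__(self, samesite="Lax", enforce_in_response_to=True):
        self.sessions = {}  # session id -> {"saml_ids": set()}
        self.samesite = samesite
        self.enforce = enforce_in_response_to  # False ~ EmptyStorageFactory

    def _session_for(self, cookies):
        sid = cookies.get(self.COOKIE)
        if sid not in self.sessions:  # missing or unknown cookie: new session
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"saml_ids": set()}
        return sid

    def start_login(self, browser):
        """Same-site GET by the user: create session, store request ID."""
        sid = self._session_for(browser.cookies_for(cross_site=False, method="GET"))
        request_id = "_" + secrets.token_hex(16)
        self.sessions[sid]["saml_ids"].add(request_id)
        browser.set_cookie(self.COOKIE, sid, self.samesite)
        return request_id

    def receive_response(self, browser, in_response_to):
        """HTTP-POST binding: the Response arrives as a cross-site POST."""
        sid = self._session_for(browser.cookies_for(cross_site=True, method="POST"))
        known = self.sessions[sid]["saml_ids"]
        if not self.enforce:
            return True  # check disabled: any InResponseTo (or none) passes
        if in_response_to not in known:
            return False  # "Message {ID} not found in session ..."
        known.discard(in_response_to)  # one-shot: the same Response cannot be replayed
        return True


def login_round_trip(samesite, enforce=True, forged=False):
    """AuthnRequest -> IdP -> Response; returns whether the SP accepts it."""
    sp = ServiceProvider(samesite, enforce)
    browser = Browser()
    request_id = sp.start_login(browser)
    in_response_to = "_unsolicited" if forged else request_id
    return sp.receive_response(browser, in_response_to)


if __name__ == "__main__":
    for samesite in ("Strict", "Lax", "None"):
        print(f"SameSite={samesite:<6} genuine Response accepted:",
              login_round_trip(samesite))
    print("check disabled, Strict cookie, genuine Response:",
          login_round_trip("Strict", enforce=False))
    print("check disabled, forged InResponseTo:",
          login_round_trip("None", enforce=False, forged=True))
```

With a Strict or Lax session cookie the cross-site POST arrives without the cookie, the SP opens a fresh session and the stored ID is not found, which is the exact failure in the log above; with `SameSite=None` (which requires `Secure`) the original session is found and the check passes. Disabling the check makes the login work regardless of the cookie, but it also accepts a Response whose InResponseTo matches nothing the SP ever sent, so it is a replay and unsolicited-response risk rather than a fix; making the session cookie reach the SP (cookie attribute, consistent cookie name behind the proxy) keeps the check intact.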

Thank you very much for the detailed issue!
We will look into this soon.

Hi INDIGO IAM team,

I am closing this issue. I discovered that this is caused by my organisation's test SAML IdP enforcing a SameSite=Strict cookie, which caused it to go wrong.

Thanks.