From: D B. <ba...@aw...> - 2017-11-16 14:55:41
Hi, after having set up Unity as a SAML SP, I'm now also trying to configure it as a SAML IDP for my Spring-based webapp. The webapp uses Spring Security SAML (https://projects.spring.io/spring-security-saml/), which is based on OpenSAML. If I try to log in to the webapp, I get redirected to Unity. There I can log in (with password auth) and have to confirm a form, then I get redirected back to the webapp. The webapp then reports a SAML error:

    Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
        at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:201) ~[opensaml-2.6.1.jar:?]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72) ~[opensaml-2.6.1.jar:?]
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
        at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]

The response written to the logs indeed doesn't have a Destination tag or attribute (see attachment). Also, it's signed because the webapp is configured as

    <md:SPSSODescriptor WantAssertionsSigned="true" ...

The binding mentioned in the error message seems to be urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

Unity's autogenerated IDP metadata xml has two bindings:

    <urn:SingleSignOnService Location="https://192.168.2.2:2443/saml-idp/saml2idp-web" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
    <urn:SingleSignOnService Location="https://192.168.2.2:2443/saml-idp/saml2idp-web" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />

If I remove the first one (HTTP-POST) and thus force the webapp to use HTTP-Redirect, the error above vanishes. Is this a bug or a misconfiguration issue or something else?

In addition, I'm getting a security warning from my browser once I confirm the "A remote service has requested your authentication" dialog: "The information you have entered on this page will be sent over an insecure connection and could be read by a third party. Are you sure you want to send this information?" I'm assuming that the second problem is caused by some SSL/TLS issue - any hints on how to debug or remove it?

Thanks!
D.
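The error in the post comes from the SP-side endpoint check that OpenSAML 2 runs on every inbound message (BaseSAMLMessageDecoder.checkEndpointURI in the trace above): the HTTP-POST decoder always requires a Destination attribute on the Response and requires it to match the URL the message arrived at, whereas for the other bindings Destination is required only when the message itself is signed (SAML 2.0 Core, section 3.2.2). That is why dropping the HTTP-POST endpoint from the IDP metadata makes the error disappear. The following is an added example, not code from the post, from Unity, or from OpenSAML/Spring Security SAML: a simplified re-implementation of that check in Python, run against two constructed Responses (one with and one without Destination) and a placeholder SP URL (sp.example.test). The URI comparison is a simplification of OpenSAML's comparator, and for HTTP-Redirect the caller passes whether the message was signed, since that signature lives in the query string rather than the XML.

```python
# Added example (not from the post, Unity, or OpenSAML). Reproduces, in
# simplified form, OpenSAML 2's BaseSAMLMessageDecoder.checkEndpointURI so the
# two behaviours in the post can be seen offline: HTTP-POST fails closed when
# Destination is absent, HTTP-Redirect with an unsigned message does not.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Assumed SP assertion-consumer URL; "sp.example.test" is a placeholder host.
ACS_URL = "https://sp.example.test/saml/SSO"

# Constructed sample Responses (not the attachment from the post). Only the
# Status element is needed for this check, so the Assertion is omitted.
RESPONSE_WITH_DESTINATION = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
    f'IssueInstant="2017-11-16T14:00:00Z" Destination="{ACS_URL}">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)
RESPONSE_WITHOUT_DESTINATION = RESPONSE_WITH_DESTINATION.replace(
    f' Destination="{ACS_URL}"', ''
)


def _normalize(url):
    """Canonical form for comparison: lower-case scheme and host, default
    ports dropped, path kept verbatim, query and fragment ignored.
    A simplification of OpenSAML's BasicURLComparator."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        port_part = ""
    else:
        port_part = f":{port}"
    return f"{scheme}://{host}{port_part}{parts.path}"


def check_endpoint_uri(response_xml, binding, receiver_url, message_signed=None):
    """Return "ok", "skipped", "missing-destination" or "mismatch".

    message_signed: whether the *message* (not merely the Assertion) carries
    a signature. For HTTP-POST it can be detected from the XML; for
    HTTP-Redirect the signature is a query parameter, so pass it explicitly.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    if message_signed is None:
        message_signed = root.find(f"{{{DSIG_NS}}}Signature") is not None
    # OpenSAML 2 rule: the HTTP-POST decoder always requires Destination;
    # other bindings require it only when the message itself is signed.
    required = message_signed or binding == POST_BINDING
    destination = root.get("Destination")
    if not destination:
        return "missing-destination" if required else "skipped"
    if _normalize(destination) != _normalize(receiver_url):
        return "mismatch"
    return "ok"


def decode(response_xml, binding, receiver_url, message_signed=None):
    """Fail-closed wrapper, mirroring how the real decoder raises."""
    result = check_endpoint_uri(response_xml, binding, receiver_url, message_signed)
    if result == "missing-destination":
        raise ValueError("SAML message intended destination (required by binding) was not present")
    if result == "mismatch":
        raise ValueError("SAML message intended destination endpoint did not match the recipient endpoint")
    return result


if __name__ == "__main__":
    for binding in (POST_BINDING, REDIRECT_BINDING):
        for xml_doc in (RESPONSE_WITH_DESTINATION, RESPONSE_WITHOUT_DESTINATION):
            print(binding.rsplit(":", 1)[-1], "Destination" in xml_doc,
                  check_endpoint_uri(xml_doc, binding, ACS_URL, message_signed=False))
```

Run stand-alone, the four lines it prints show that only the HTTP-POST/no-Destination combination is rejected. On the IDP side the fix is to emit Destination set to the SP's AssertionConsumerService URL whenever the POST binding is used; on the SP side, "mismatch" is the case to watch in logs, since it also fires when the SP is reached through a different hostname or port than the one in its metadata.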