From: Krzysztof B. <kb...@un...> - 2017-11-20 21:48:22
Hi,

On 16.11.2017 at 15:55, D Baum wrote:
> Hi,
>
> after having set up Unity as a SAML SP, I'm now also trying to configure
> it as a SAML IDP for my Spring-based webapp. The webapp uses Spring
> Security SAML (https://projects.spring.io/spring-security-saml/), which
> is based on OpenSAML.
>
> If I try to log in to the webapp, I get redirected to Unity. There I can
> log in (with password auth) and have to confirm a form, then I get
> redirected back to the webapp. The webapp then reports a SAML error[CUT]
>
> The response written to the logs indeed doesn't have a Destination tag
> or attribute (see attachment). Also, it's signed because the webapp is
> configured as <md:SPSSODescriptor WantAssertionsSigned="true" ...
>
> The binding mentioned in the error message seems to be
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
>
> Unity's autogenerated IDP metadata xml has two bindings:
>
> <urn:SingleSignOnService
>   Location="https://192.168.2.2:2443/saml-idp/saml2idp-web"
>   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
>
> <urn:SingleSignOnService
>   Location="https://192.168.2.2:2443/saml-idp/saml2idp-web"
>   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />
>
> If I remove the first one (HTTP-POST) and thus force the webapp to use
> HTTP-Redirect, the error above vanishes.
>
> Is this a bug or a misconfiguration issue or something else?

Unfortunately a bug. After checking the details of the SAML binding spec, there is indeed a requirement to add the Destination attribute whenever the response is signed. It went unnoticed as usually only assertions are signed, not, as in your case, both the assertion and the wrapping response (which is probably an overkill unless you have sophisticated requirements). I'll open a ticket to cover this issue. As a workaround you have to use any setup not requiring signed SAML responses (i.e. the outer protocol wrappings of the signed AuthN assertion).

> In addition, I'm getting a security warning from my browser once I
> confirm the "A remote service has requested your authentication" dialog:
> "The information you have entered on this page will be sent over an
> insecure connection and could be read by a third party.
> Are you sure you want to send this information?"
>
> I'm assuming that the second problem is caused by some SSL/TLS issue -
> any hints on how to debug or remove it?

Judging from your response:

Recipient="http://localhost:8080/MyWebApp/saml/SSO"

your web page is on plain http. So that is the reason.

HTH,
Krzysztof
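The two findings in this thread (a Response signed at the outer level without a Destination attribute, and an assertion Recipient on plain http) can be caught by a structural pre-check on the SP side before signature verification. The following is an added example, not Unity or Spring Security SAML code; it uses only the Python standard library, does not verify the XML signature itself, and the sample Response (signature content elided) and `check_response` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_response(xml_text, expected_acs_url):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    # SAML 2.0 Core 3.2.2: a signed protocol message MUST carry Destination,
    # and the receiver must reject it if the value is not its own endpoint.
    response_signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if response_signed and destination is None:
        findings.append("signed Response lacks the Destination attribute")
    elif destination is not None and destination != expected_acs_url:
        findings.append(f"Destination {destination!r} != ACS {expected_acs_url!r}")

    # Recipient is where the browser posts the assertion; a plain-http
    # endpoint means it travels unencrypted (the browser warning in the
    # thread).
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient", "")
        if urlparse(recipient).scheme != "https":
            findings.append(f"Recipient {recipient!r} is not an https URL")
    return findings

# Constructed sample: signed at the Response level (signature content
# elided), no Destination, plain-http Recipient, as described in the thread.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2017-11-16T14:55:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-16T14:55:00Z">
    <saml:Subject><saml:NameID>user1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://localhost:8080/MyWebApp/saml/SSO"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE_RESPONSE, "http://localhost:8080/MyWebApp/saml/SSO")` reports both problems; the same Response with a Destination equal to an https ACS URL and an https Recipient passes cleanly.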