Hi all,
I have a problem with the logout functionality. My app sends a logout request to the IdP:
Code:
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://accounts400.sap.com/saml2/idp/slo/accounts.sap.com"
    ID="a37j4j32f57c3hfa3g160f3if31cjja"
    IssueInstant="2013-08-19T11:07:21.625Z"
    Version="2.0"
    >
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localcrs.sap.com</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      >C5134682</saml2:NameID>
  <saml2p:SessionIndex>S-SP-7480a29e-b22c-4568-a2ac-e86a9476ea7b</saml2p:SessionIndex>
</saml2p:LogoutRequest>
and receives this response from the IdP:
Code:
<ns3:LogoutResponse Version="2.0"
    IssueInstant="2013-08-19T11:07:21.760Z"
    InResponseTo="a37j4j32f57c3hfa3g160f3if31cjja"
    ID="S1f928fbe-dd56-4596-a4d7-85633482dba1"
    Destination="http://localhost:8080/crs/saml/SingleLogout/alias/defaultAlias"
    xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
    >
  <Issuer>accounts.sap.com</Issuer>
  <ns3:Status>
    <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </ns3:Status>
</ns3:LogoutResponse>
but after that the following message appears in my app: "org.opensaml.common.SAMLRuntimeException: Incoming SAML message is invalid". In the log file I see:
Code:
[INFO ] MetadataGeneratorFilter at 14:07:10 | Created default metadata for system with entityID: localcrs.sap.com
[INFO ] SAMLDefaultLogger at 14:07:17 | AuthNRequest;SUCCESS;127.0.0.1
[INFO ] SAMLProtocolMessageXMLSignatureSecurityPolicyRule at 14:07:19 | SAML protocol message was not signed, skipping XML signature processing
[INFO ] SAMLDefaultLogger at 14:07:19 | AuthNResponse;SUCCESS;127.0.0.1
[INFO ] SAMLDefaultLogger at 14:07:21 | LogoutRequest;SUCCESS;127.0.0.1
Aug 19, 2013 2:07:21 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [/crs] threw exception
org.opensaml.common.SAMLRuntimeException: Incoming SAML message is invalid
	at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:130)
	at org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:93)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
	at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:217)
	at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72)
	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
	at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
	at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:120)
	... 37 more
[INFO ] BaseSAMLSimpleSignatureSecurityPolicyRule at 14:07:21 | Validation of request simple signature succeeded
[INFO ] BaseSAMLSimpleSignatureSecurityPolicyRule at 14:07:21 | Authentication via request simple signature succeeded for context issuer entity ID accounts.sap.com
[INFO ] SAMLProtocolMessageXMLSignatureSecurityPolicyRule at 14:07:21 | SAML protocol message was not signed, skipping XML signature processing
[ERROR] BaseSAMLMessageDecoder at 14:07:21 | SAML message intended destination endpoint 'http://localhost:8080/crs/saml/SingleLogout/alias/defaultAlias' did not match the recipient endpoint 'https://10.25.11.139/crs/saml/SingleLogout/alias/defaultAlias'
I guess that the error is related to the storage factory, as it was in this thread: InResponseToField.
I also tried writing something like this:
Code:
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
  <constructor-arg ref="successLogoutHandler"/>
  <constructor-arg ref="logoutHandler"/>
  <constructor-arg ref="logoutHandler"/>
  <!-- Load-balancer-aware context provider: the SP builds its own URLs from
       these front-end values instead of the raw request it terminates. -->
  <property name="contextProvider">
    <bean class="org.springframework.security.saml.context.SAMLContextProviderLB">
      <property name="scheme" value="${saml-scheme}"/>
      <property name="serverName" value="${saml-server-name}"/>
      <property name="serverPort" value="${saml-server-port}"/>
      <property name="includeServerPortInRequestURL" value="false"/>
      <property name="contextPath" value="${saml-context-path}"/>
      <property name="storageFactory">
        <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
      </property>
    </bean>
  </property>
</bean>
and like this:
Code:
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
  <constructor-arg ref="successLogoutHandler"/>
  <constructor-arg ref="logoutHandler"/>
  <constructor-arg ref="logoutHandler"/>
  <!-- Reuse the context provider bean defined elsewhere in the context. -->
  <property name="contextProvider" ref="contextProvider"/>
</bean>
but it doesn't work. I attached the application-context-security file for more information.
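The ERROR line in the log above shows why the LogoutResponse is rejected: its Destination attribute (http://localhost:8080/...) is compared with the endpoint the SP reconstructed from the request it actually received (https://10.25.11.139/...), and the two differ. The following Python is an added illustration, not code from the original post or from Spring Security SAML; it models that destination check and what the scheme, serverName, serverPort, contextPath and includeServerPortInRequestURL settings of SAMLContextProviderLB change in the recipient URL. The comparison is treated as an exact string match, which is an assumption, and the request values are constructed from the log line.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Destination attribute of the LogoutResponse quoted in the post.
DESTINATION = "http://localhost:8080/crs/saml/SingleLogout/alias/defaultAlias"


@dataclass(frozen=True)
class Request:
    """Raw values the servlet container saw for the incoming message (constructed sample)."""
    scheme: str
    server_name: str
    server_port: int
    context_path: str   # e.g. "/crs"
    servlet_path: str   # e.g. "/saml/SingleLogout/alias/defaultAlias"


@dataclass(frozen=True)
class LBSettings:
    """Front-end values as set on SAMLContextProviderLB (constructed sample values)."""
    scheme: str
    server_name: str
    server_port: int
    context_path: str
    include_port: bool = False   # mirrors includeServerPortInRequestURL


def recipient_endpoint(req: Request, lb: Optional[LBSettings] = None) -> str:
    """URL the SP believes it received the message on.

    Without LB settings it is rebuilt from the raw request (what the log's
    'recipient endpoint' shows); with them, the configured scheme, host,
    port and context path replace the raw values."""
    if lb is None:
        default = {"http": 80, "https": 443}.get(req.scheme)
        host = req.server_name if req.server_port == default else f"{req.server_name}:{req.server_port}"
        return f"{req.scheme}://{host}{req.context_path}{req.servlet_path}"
    host = f"{lb.server_name}:{lb.server_port}" if lb.include_port else lb.server_name
    return f"{lb.scheme}://{host}{lb.context_path}{req.servlet_path}"


def check_destination(destination: str, req: Request, lb: Optional[LBSettings] = None) -> Tuple[bool, str]:
    """Destination check modelled on the one in the stack trace; exact string
    comparison is an assumption. Returns (matched, recipient_endpoint)."""
    recipient = recipient_endpoint(req, lb)
    return destination.strip() == recipient, recipient


if __name__ == "__main__":
    # Request as terminated on the SP host, constructed from the log line.
    req = Request("https", "10.25.11.139", 443, "/crs", "/saml/SingleLogout/alias/defaultAlias")
    for lb in (None,
               LBSettings("http", "localhost", 8080, "/crs", include_port=True),
               LBSettings("http", "localhost", 8080, "/crs", include_port=False)):
        matched, recipient = check_destination(DESTINATION, req, lb)
        print("match   " if matched else "MISMATCH", recipient)
```

The third case shows the port edge case: with includeServerPortInRequestURL left at false, a serverPort of 8080 never reaches the recipient URL, so a Destination that carries the port still fails the check.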