Incorrect failed match for `InResponseTo` SAML field with Redis HTTP session store
Description
When using Redis as the HttpSession storage:
- The indigoiam container POSTs a SAML request to the SAML IdP
- It stores the ID in an HttpSession:
01:48:46.551 DEBUG 6 --- o.s.s.saml.storage.HttpSessionStorage : Storing message {ID} to session c5336582-6039-49a9-b052-5b9b45079651
- The container receives the SAML response from the IdP
- The container tries to retrieve the ID from the wrong session, causing it to fail the `InResponseTo` check:
01:48:50.849 DEBUG 6 --- [nio-8080-exec-9] o.s.s.saml.storage.HttpSessionStorage : Message {ID} not found in session 20b60cf8-1c32-4084-b060-a0205dea2949
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message {ID}
To Reproduce
This doesn't happen when using internal session storage.
Set up IAM SAML with Redis as the HttpSession store and an nginx reverse proxy using the native forward-header strategy, running in host network mode.
Try to use SAML login.
See the above description.
Possible reasons for the issue
- Spring Session incompatibility with `SAMLContextProviderLB`: do SameSite cookie rules cause it to generate the wrong HttpSessions?
- Could also be the reverse proxy, since the application looks like it is coming from localhost?
- Spring SAML creates an HTTP session
- The SAML IdP accepts the request and authenticates the user, but creates its own session and redirects the user back to Spring SAML
- The container running Spring SAML receives the cookie, but as it doesn't recognize that session it creates a new one
- Spring SAML tries to verify the received SAML message based on the original request, but it cannot be found because the original session is now gone
Tasks or fixes
- Option to use `EmptyStorageFactory` for `SAMLContextProvider`/`SAMLContextProviderLB` to disable the `InResponseTo` check: https://github.com/DonaldChung-HK/iam/commit/59559a354ecc951cd9a081287e377920f06b0898
- Set a custom cookie name / name strategy for Spring Session with SAML so that the session name is consistent.
- Update the Spring SAML / Spring Session packages if this issue is fixed in a later version
Thank you very much for the detailed issue! We will look soon into this.
Hi INDIGO IAM team,
I am closing this issue. I discovered that this is caused by my organisation's test SAML IdP enforcing a SameSite=Strict cookie, which caused it to go wrong.
Thanks.
Hi IndigoIAM team,
I am re-opening this issue because we have experienced issues with other SAML IdPs signing in.
I was wondering if we should add cookie sanitation to replace the cookie header with `SameSite=none; secure` to prevent the issue of a broken SAML login flow.
I believe the article is referring to the same issue https://www.linkedin.com/pulse/samesite-cookie-infinite-redirections-saml-digvijay-singh/
We are able to fix it by adding a line to nginx.conf:
proxy_cookie_flags ~ secure samesite=none;
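The mechanism described in this thread (the SP stores the AuthnRequest ID in a session bound to a cookie, the IdP POSTs the Response back cross-site, and a SameSite=Strict cookie is withheld from that POST, so the container opens a fresh session and the `InResponseTo` check fails) can be simulated end to end. The block below is an added illustration, not INDIGO IAM, Spring SAML or nginx code: the hostnames, the `SESSION` cookie name and the request ID format are constructed, `proxy_cookie_flags` is a simplified emulation of what the `proxy_cookie_flags ~ secure samesite=none` directive does to upstream `Set-Cookie` headers, and a missing `SameSite` attribute is assumed to default to Lax as current browsers do. It goes slightly beyond the thread by also covering Lax (withheld on a cross-site POST) and `SameSite=None` without `Secure` (rejected by the browser).

```python
import secrets
import uuid
from dataclasses import dataclass

# Constructed placeholder hosts, not the issue's real deployment.
SP_HOST = "iam.example.org"
IDP_HOST = "idp.example.edu"


class SAMLError(Exception):
    """Stands in for org.opensaml.common.SAMLException in this simulation."""


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str   # "Strict", "Lax" or "None"
    secure: bool


def parse_set_cookie(header):
    """Parse a Set-Cookie header into a Cookie (only the attributes this scenario needs)."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, value = name_value.split("=", 1)
    samesite, secure = "Lax", False   # assumption: a missing SameSite defaults to Lax
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            secure = True
        elif key.lower() == "samesite":
            samesite = val.capitalize()   # "none" -> "None", "strict" -> "Strict"
    return Cookie(name, value, samesite, secure)


def proxy_cookie_flags(set_cookie):
    """Emulate nginx `proxy_cookie_flags ~ secure samesite=none` (simplified):
    every upstream Set-Cookie gets Secure and SameSite=None, replacing prior values."""
    parts = [p.strip() for p in set_cookie.split(";")]
    kept = [p for p in parts
            if p.lower() != "secure" and not p.lower().startswith("samesite=")]
    return "; ".join(kept + ["Secure", "SameSite=None"])


class Browser:
    """Cookie jar that applies SameSite rules to a cross-site top-level request."""

    def __init__(self):
        self.jar = {}   # (host, cookie name) -> Cookie

    def set_cookie(self, host, cookie):
        if cookie.samesite == "None" and not cookie.secure:
            return   # browsers reject SameSite=None cookies that are not Secure
        self.jar[(host, cookie.name)] = cookie

    def cookies_for(self, host, method, initiator_host):
        """Cookies attached to a request to `host` initiated from `initiator_host`."""
        same_site = initiator_host == host
        sent = {}
        for (h, name), c in self.jar.items():
            if h != host:
                continue
            if same_site or c.samesite == "None":
                sent[name] = c.value          # always sent
            elif c.samesite == "Lax" and method == "GET":
                sent[name] = c.value          # Lax: top-level GET navigations only
            # Strict, or Lax on a cross-site POST: cookie withheld
        return sent


class ServiceProvider:
    """SP keeping the AuthnRequest ID in a server-side session (Redis in the issue)."""
    COOKIE = "SESSION"

    def __init__(self, samesite, secure=True):
        self.sessions = {}   # session id -> session attributes
        self.samesite, self.secure = samesite, secure

    def _session(self, session_id):
        # Missing or unknown cookie: a brand-new session, as the container does
        if session_id not in self.sessions:
            session_id = str(uuid.uuid4())
            self.sessions[session_id] = {}
        return session_id, self.sessions[session_id]

    def start_login(self):
        """Store the AuthnRequest ID in a fresh session; return it with the Set-Cookie header."""
        request_id = "_" + secrets.token_hex(16)
        sid, session = self._session(None)
        session["saml_request_id"] = request_id
        flags = "; Secure" if self.secure else ""
        return request_id, f"{self.COOKIE}={sid}; Path=/; HttpOnly{flags}; SameSite={self.samesite}"

    def receive_response(self, cookies, in_response_to):
        """The InResponseTo check: the ID must match the one stored in *this* session."""
        sid, session = self._session(cookies.get(self.COOKIE))
        if session.get("saml_request_id") != in_response_to:
            raise SAMLError(f"InResponseTo {in_response_to} not found in session {sid}")


def run_login(samesite, secure=True, proxy_rewrites=False):
    """Drive one SAML login; return (outcome, number of SP sessions created)."""
    browser, sp = Browser(), ServiceProvider(samesite, secure)
    request_id, set_cookie = sp.start_login()
    if proxy_rewrites:
        set_cookie = proxy_cookie_flags(set_cookie)
    browser.set_cookie(SP_HOST, parse_set_cookie(set_cookie))
    # The IdP authenticates the user and POSTs the Response back cross-site
    # (HTTP-POST binding), echoing the request ID in InResponseTo.
    cookies = browser.cookies_for(SP_HOST, "POST", initiator_host=IDP_HOST)
    try:
        sp.receive_response(cookies, in_response_to=request_id)
        return "ok", len(sp.sessions)
    except SAMLError:
        return "InResponseTo mismatch", len(sp.sessions)


if __name__ == "__main__":
    for ss, proxy in [("Strict", False), ("Lax", False), ("None", False), ("Strict", True)]:
        print(f"SameSite={ss:<6} proxy rewrite={proxy!s:<5} ->", run_login(ss, proxy_rewrites=proxy))
```

Two sessions in the result is the signature of the failure: the second one is the empty session the container created when the cookie did not arrive, which is why the log shows a different session id on the "not found" line than on the "Storing message" line. The proxy rewrite makes the login succeed with a single session, but it does so by weakening the cookie's cross-site protection for every cookie the upstream sets, so in a real deployment it is worth limiting the rewrite to the session cookie the SAML flow actually needs.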
Closing as the PR fixing the issue has been merged.