Reputation: 81
I am using OpenAM as my IDP and my SP (an angular2 SPA) is based on the example shared at: https://github.com/vdenotaris/spring-boot-security-saml-sample
After authentication, my webapp is supposed to invoke a few REST services which are secured via http-basic authentication (using spring security) whose sessions are managed via Spring Session.
I am trying to create spring-session based sessions after a user is authenticated through OpenAM IDP. My intent is to use these sessions to talk to my http-basic-secured REST services.
Following is the "configure()" of my webapp's WebSecurityConfig before I attempted integrating spring-session with spring-saml and this works just fine.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint());
    http
        .csrf()
            .disable();
    http
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/publicUrl").permitAll()
            .antMatchers("/app/**").permitAll()
            .antMatchers("/error").permitAll()
            .antMatchers("/saml/**").permitAll()
            .anyRequest().authenticated();
    http
        .logout()
            .logoutSuccessUrl("/");
}
And the authentication works just fine. In the POST fired from IDP (OpenAM) I can see the cookie being set properly, e.g.: Set-Cookie: JSESSIONID=8DD6CDBF8079E83C8F4E7976C970BB27; Path=/; HttpOnly
Response Headers
Pragma: no-cache
Date: Sun, 31 Jul 2016 02:12:06 GMT
X-Content-Type-Options: nosniff
Server: Apache-Coyote/1.1
X-Frame-Options: DENY
Location: http://localhost:8097/
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: JSESSIONID=8DD6CDBF8079E83C8F4E7976C970BB27; Path=/; HttpOnly
Content-Length: 0
X-XSS-Protection: 1; mode=block
Expires: 0
Cookies
JSESSIONID: 8DD6CDBF8079E83C8F4E7976C970BB27
Following is the "configure()" of my webapp's WebSecurityConfig after I tried integrating spring-session with spring-saml and this breaks the authentication.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint());
    http
        .csrf()
            .disable();
    http
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/publicUrl").permitAll()
            .antMatchers("/app/**").permitAll()
            .antMatchers("/error").permitAll()
            .antMatchers("/saml/**").permitAll()
            .anyRequest().authenticated();
    http
        .logout()
            .logoutSuccessUrl("/");
    http
        .addFilterBefore(sessionRepositoryFilter(sessionRepository(), httpSessionStrategy()),
                         ChannelProcessingFilter.class)
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
In the POST fired back from IDP (OpenAM) I don't see the cookie being set.
Response Headers
Pragma: no-cache
Date: Sun, 31 Jul 2016 02:18:44 GMT
X-Content-Type-Options: nosniff
Server: Apache-Coyote/1.1
X-Frame-Options: DENY
Location: http://localhost:8097/
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
x-auth-token: 666412f1-b293-49fa-bacb-0aa6fc3d2fe0
Content-Length: 0
X-XSS-Protection: 1; mode=block
Expires: 0
Cookies
The SAML response was ok, as I can see the Subject's details from the IDP after authentication.
Snippet from the SAML response:
<saml:Subject>
    <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="http://openam.example.com:8080/OpenAM-13.0.0">[email protected]
    </saml:NameID>
    <saml:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="a1f07e22gi7db1h425hfj65i5gh0464"
            NotOnOrAfter="2016-07-31T02:28:44Z"
            Recipient="http://localhost:8097/saml/SSO"/>
    </saml:SubjectConfirmation>
</saml:Subject>
Since the cookie is not set, I am not able to get hold of the principal object. My UI assumes the user is not authenticated and redirects the user again to IDP and it keeps running in a loop.
Your response is highly appreciated.
Upvotes: 8
Views: 4170
Reputation: 30089
Similar issue for me. I had to explicitly set the following configuration, as the default SameSite cookie setting is 'lax' if not set, and when lax is used Chrome won't send the cookie after it is posted back from the IDP.
server.servlet.session.cookie:
  # OWASP best practice
  secure: true
  http-only: true
  # Ensure SAML SSO IDP POST response sends SESSION cookie
  same-site: none
Upvotes: 0
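To show why the SameSite setting in the answer above decides whether the SP's session cookie survives the IdP's HTTP-POST binding, here is an added Python model of the browser's SameSite decision (example code, not part of either answer; Cookie, Request, browser_sends and saml_post_binding_ok are names chosen here). It also models Chrome's transitional "Lax + POST" allowance, which only applies to cookies that carry no SameSite attribute at all; Spring Session's DefaultCookieSerializer emits SameSite=Lax explicitly by default, so that allowance does not rescue the SAML flow.

```python
from dataclasses import dataclass
from typing import Optional

# Chrome's transitional "Lax + POST" allowance: a cookie that carries NO SameSite
# attribute is still sent on a top-level cross-site POST for two minutes after it was set.
LAX_POST_GRACE_SECONDS = 120
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

@dataclass
class Cookie:
    name: str
    same_site: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool
    age_seconds: int = 0       # time since the Set-Cookie, used for the Lax+POST allowance

@dataclass
class Request:
    method: str
    scheme: str                # "http" or "https" of the SP URL being requested
    cross_site: bool           # True when the initiator (the IdP) is a different site than the SP
    top_level: bool = True     # a navigation, e.g. the IdP's auto-submitted SAML form

def browser_sends(cookie: Cookie, req: Request) -> bool:
    """Would a current browser attach this cookie to this request?"""
    if cookie.secure and req.scheme != "https":
        return False                    # Secure cookies never travel over plain http
    if cookie.same_site == "None":
        return cookie.secure            # SameSite=None without Secure is rejected outright
    if not req.cross_site:
        return True                     # same-site requests are unaffected by Lax/Strict
    if cookie.same_site == "Strict":
        return False
    # Lax, whether explicit or defaulted, only rides on safe-method top-level navigations
    if req.top_level and req.method in SAFE_METHODS:
        return True
    return (cookie.same_site is None and req.top_level and req.method == "POST"
            and cookie.age_seconds < LAX_POST_GRACE_SECONDS)

def saml_post_binding_ok(cookie: Cookie, scheme: str = "https") -> bool:
    """Does the SP session cookie accompany the IdP's POST to the assertion consumer (/saml/SSO)?"""
    return browser_sends(cookie, Request(method="POST", scheme=scheme, cross_site=True))

if __name__ == "__main__":
    # Constructed sample cookies: explicit Lax (Spring Session default), the corrected
    # None+Secure, None without Secure, and an attribute-less cookie 30 s old.
    for c in (Cookie("SESSION", "Lax", True), Cookie("SESSION", "None", True),
              Cookie("SESSION", "None", False), Cookie("SESSION", None, False, 30)):
        print(c.same_site, c.secure, "->", saml_post_binding_ok(c))
```

Only the None+Secure cookie (and, for two minutes, an attribute-less one) reaches /saml/SSO with the IdP's POST; an explicit Lax never does, which is the loop the question describes.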
Reputation: 1
Try to add this: server.session.tracking-modes=cookie in your properties file. Also, try adding SSL. The cookie may be marked as secure, and without SSL it cannot be visible.
Upvotes: 0