alpha
Reputation: 31
AuthenticationServiceException: Error validating SAML message :: AuthNResponse;FAILURE; Response has invalid status code : status message is null
I am trying to configure Spring SAML extension with ADFS.
I am getting the message - status message is null. The detailed logs are provided at the end.
I have gone through similar posts on stackoverflow. They suggest to enable RSA1 on the ADFS server.
Issues while integrating ADFS with Spring SAML Extension
My logs seems to have RSA1 fine and settings are same on server.
NOTE
- The server certificate is self-signed.
- There is hairpinning on server and have setup hosts file entry to resolve the same.
Edit 1:
- IdP initiated single-sign-on is working. But, the error happens only with SP initiated login. Also, no logs observed on ADFS server side
LOGS
DEBUG DigesterOutputStream:55 - Pre-digested input:
DEBUG DigesterOutputStream:60 - <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://mysite-dev:443/empdServer/saml/SSO" ID="_4fba4628-a5d1-4fb6-85d4-f9366db2385a" InResponseTo="a4g74i6f5sdi3ebg778g3f4jab0j9c" IssueInstant="2017-05-02T14:28:51.502Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.myserver/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode></samlp:Status></samlp:Response>
DEBUG Reference:784 - Verification successful for URI "#_4fba4628-a5d1-4fb6-85d4-f9366db2385a"
DEBUG Manifest:344 - The Reference has Type
DEBUG SignatureValidator:70 - Signature validated with key from supplied credential
DEBUG BaseSignatureTrustEngine:148 - Signature validation using candidate credential was successful
DEBUG BaseSignatureTrustEngine:101 - Successfully verified signature using KeyInfo-derived credential
DEBUG BaseSignatureTrustEngine:102 - Attempting to establish trust of KeyInfo-derived credential
DEBUG ExplicitKeyTrustEvaluator:91 - Successfully validated untrusted credential against trusted key
DEBUG BaseSignatureTrustEngine:104 - Successfully established trust of KeyInfo-derived credential
INFO SAMLProtocolMessageXMLSignatureSecurityPolicyRule:129 - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
DEBUG SAMLProtocolMessageXMLSignatureSecurityPolicyRule:131 - Authentication via protocol message signature succeeded for context issuer entity ID http://adfs.myserver.com/adfs/services/trust
DEBUG BaseMessageDecoder:85 - Successfully decoded message.
DEBUG BaseSAMLMessageDecoder:191 - Checking SAML message intended destination endpoint against receiver endpoint
DEBUG BaseSAMLMessageDecoder:210 - Intended message destination endpoint: https://mysite-dev:443/myapp/saml/SSO
DEBUG BaseSAMLMessageDecoder:211 - Actual message receiver endpoint: https://mysite-dev/myapp/saml/SSO
DEBUG BaseSAMLMessageDecoder:219 - SAML message intended destination endpoint matched recipient endpoint
DEBUG SAMLUtil:349 - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@4189c9e9 for request URL https://mysite-dev/myapp/saml/SSO based on location attribute in metadata
DEBUG ProviderManager:162 - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
DEBUG SAMLAuthenticationProvider:98 - Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1519)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1475)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
2017-05-02 07:28:51 INFO SAMLDefaultLogger:127 - AuthNResponse;FAILURE;1x.1x.1x.1x;urn:myapp.mysite;http://adfs.myserver.com/adfs/services/trust;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1519)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1475)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
DEBUG SAMLProcessingFilter:350 - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
DEBUG SAMLProcessingFilter:351 - Updated SecurityContextHolder to contain null Authentication
DEBUG SAMLProcessingFilter:352 - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@20088b6d
Upvotes: 0
Views: 4447
Answers (1)
maweeras
Reputation: 823
The error is on AD FS side. Your logs are merely reporting that AD FS reported an error.
You should view the AD FS event logs to see whats in the applications and services\ad fs\admin event log.
if IDP initiated signon works that means the SP side has correct details corresponding to AD FS. You just need to ensure AD FS is receiving a request based on what you configured on AD FS side.
https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(v=ws.10).aspx should help.
Upvotes: 0
Related Questions
- SAMLException: Response has invalid status code status message is null
- ADFS spring-saml No AssertionConsumerService is configured on the relying party
- Spring security ADFS SSO integration - Response doesn't have any valid assertion which would pass subject validation
- Spring SAML exception with Tomcat/ADFS integration
- Spring-SAML : Incoming SAML message is invalid
- How do I implement SAML for my Spring Boot application?
- Spring SAML Single Sign on ADFS Response failure because status message is null
- Spring Security no HttpSession currently exists
- HTTP Status 401 - Authentication Failed: Error decoding incoming SAML message
- SPRING SAML Authentication not working