Question
After a successful SAML authentication :
AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;https://localhost:8443/saml/metadata;http://www.okta.com/exkdwf3hodKFkefLO0h7;;;
The browser is redirected back into an endless loop.
I've sat with a debugger stepping through Spring code, and it looks like it is erroring out in BasicAuthenticationFilter calling SAMLAuthenticationProvider, which doesn't support UsernamePasswordAuthenticationToken and throws an exception, which in turn sends the browser into an endless redirect.
Has anyone seen this before?
Answer 1:
At first I tried incorporating the solution from Okta's developer guide into my company's app, found at:
https://developer.okta.com/blog/2017/03/16/spring-boot-saml
using the spring-security-saml-dsl library.
That failed; not sure why, either because of the Spring Boot configuration or something else. The filters were getting misconfigured and throwing the browser into an endless redirect loop.
Instead I went back to the Spring SAML project with XML config, and it worked beautifully right out of the box.
Answer 2:
I've fixed this issue after 5 days of pinpointing the source of the issue, by setting the cookie age (expiration) the same as the session age. It seems like the cookie that has the ID (for me it was JSESSIONID since I was working with Tomcat)
For my situation in Tomcat I've set this:
<session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>3600</max-age>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Now, after the session ends, the cookie will be deleted too, making it possible to authenticate again with a new cookie.
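The answer above rests on one rule: the session cookie's max-age (seconds) should match the container's session-timeout (minutes), so the browser stops presenting a cookie for a session the server has already discarded. The following is an added example, not code from the thread or from the Spring SAML project: a small checker that parses a web.xml `<session-config>` block and reports a cookie lifetime that is missing or disagrees with the session timeout, plus missing `http-only`/`secure` flags. Both web.xml fragments embedded below are constructed for this example; the function and helper names are my own.

```python
"""Consistency check for a servlet container's <session-config>.

Added example, not from the Stack Overflow thread. It encodes the rule from
the answer above: cookie max-age (seconds) should equal session-timeout
(minutes) * 60, and the cookie should carry http-only and secure.
The two web.xml fragments below are constructed sample input.
"""
import xml.etree.ElementTree as ET

# Constructed sample: cookie outlives the 60-minute session by a day and
# lacks the hardening attributes.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
      <max-age>86400</max-age>
    </cookie-config>
  </session-config>
</web-app>"""

# Constructed sample mirroring the answer's fix: 3600 s == 60 min.
FIXED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
      <max-age>3600</max-age>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml with or without xmlns parses alike."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """Return the first element (self or descendant) with this local name, or None."""
    if elem is None:
        return None
    for child in elem.iter():
        if _local(child.tag) == name:
            return child
    return None


def check_session_config(web_xml: str) -> list:
    """Return a list of findings; an empty list means the config is consistent."""
    root = ET.fromstring(web_xml)
    findings = []
    sc = _find(root, "session-config")
    if sc is None:
        return ["no <session-config> element; container defaults apply"]

    timeout_el = _find(sc, "session-timeout")
    cookie_cfg = _find(sc, "cookie-config")
    max_age_el = _find(cookie_cfg, "max-age")

    # session-timeout is in minutes; max-age is in seconds.
    timeout_s = int(timeout_el.text.strip()) * 60 if timeout_el is not None else None

    if max_age_el is None:
        findings.append("cookie has no <max-age>: browser keeps it until exit, "
                        "possibly long after the server-side session expired")
    elif timeout_s is not None:
        max_age = int(max_age_el.text.strip())
        if max_age > timeout_s:
            findings.append(f"cookie max-age {max_age}s outlives session timeout "
                            f"{timeout_s}s; align them")
        elif max_age < timeout_s:
            findings.append(f"cookie max-age {max_age}s is shorter than session "
                            f"timeout {timeout_s}s; users are logged out early")

    for flag in ("http-only", "secure"):
        el = _find(cookie_cfg, flag)
        if el is None or (el.text or "").strip().lower() != "true":
            findings.append(f"<{flag}> is not set to true on the session cookie")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, check_session_config(cfg) or ["ok"])
```

Run it against your own web.xml by reading the file into `check_session_config`; the namespace-stripping helper means the standard `xmlns="http://xmlns.jcp.org/xml/ns/javaee"` root works the same as a bare fragment like the one in the answer.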
Source: https://stackoverflow.com/questions/48756986/spring-saml-endless-redirect-loop-after-a-successful-authentication