SAMLException: InResponseToField of the Response doesn't correspond to sent message

We are working on an application which is protected with Spring Security SAML.

Authentication works fine, but there is one problem with the following workflow in the production environment.

  1. user requests the unprotected address www.server.com
  2. the response is an HTML page with an inline script that changes window.location.href to the SAML-protected page (service provider) www.server.com/app/action?param1=value1&param2=value2
  3. Spring SAML detects that authentication is needed and redirects the user to the login form (identity provider) on www.login-server.com
  4. at this point the login form is the first page that is displayed to the user
  5. the user adds this login page as a bookmark (including the SAML-related URL params for this HTTP session) www.login-server.com/adfs/ls/?SAMLRequest=xxx&SigAlg=xxx&Signature=arGdsZwJtHzTDjQP1oYqbjNO
  6. the user works with the application...
  7. the next day the user opens this bookmark and logs in
  8. the IdP redirects to the SP, but the corresponding HTTP session has already expired

Now we get the following exception in our application:

org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message arGdsZwJtHzTDjQP1oYqbjNO

Any ideas how to handle this workflow so the user can use the application after successful login? Thanks for your answers!

Izanami answered 20/7, 2017 at 6:31 Comment(0)

We have solved our issue with the following changes to the Spring SAML configuration:

  1. In the bean with id successRedirectHandler (org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler) we set the defaultTargetUrl to the init-Action of our application (including all request parameters). This URL will be used automatically in the case of IdP-initiated SSO.
  2. In the bean with id contextProvider (org.springframework.security.saml.context.SAMLContextProviderLB) we set storageFactory to org.springframework.security.saml.storage.EmptyStorageFactory. This disables the check of the InResponseToField.
Izanami answered 17/11, 2017 at 12:54 Comment(4)
What is the init-Action of your application? Smilacaceous
Our init action is something like /index.do?lang=de&paramX=Y. It is completely static, that's why our solution actually works. Izanami
Why would you disable the check on InResponseToField, unless it is purely for debugging in development? Kerstin
EmptyStorageFactory is really helpful. Thanks. Wisniewski
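The two bean changes from the answer above, written out as Spring Java configuration. This is an added example, not the poster's configuration or Spring Security SAML's own code: the hostname comes from the question, the init-action URL from the comments, and the scheme, port and context path are assumptions. The last line of the second bean is the one that disables the InResponseTo check; with it, the SP accepts any Response whose signature validates whether or not it sent the matching request, which is the trade-off the comment thread questions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.storage.EmptyStorageFactory;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// Added example, not the poster's configuration: the two bean changes from the answer,
// written as Java config. Hostname is from the question, the init-action URL from the
// comments; scheme, port and context path are assumptions.
@Configuration
public class SamlBookmarkConfig {

    // Where the user lands when there is no saved request to replay, which is the case
    // for IdP-initiated SSO (a Response with no InResponseTo). The target has to be a
    // static URL because nothing from the original request survives.
    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
        SavedRequestAwareAuthenticationSuccessHandler handler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        handler.setDefaultTargetUrl("/index.do?lang=de&paramX=Y");
        return handler;
    }

    // Context provider for a deployment behind a load balancer: the SP's own URLs are
    // built from these values instead of from the request the balancer forwarded.
    @Bean
    public SAMLContextProviderLB contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme("https");                      // assumed
        provider.setServerName("www.server.com");
        provider.setServerPort(443);                      // assumed
        provider.setIncludeServerPortInRequestURL(false);
        provider.setContextPath("/app");                  // assumed
        // The change that makes the bookmarked IdP URL work: with no message storage there
        // is nothing to match InResponseTo against, so the check is skipped and every
        // Response is handled like an unsolicited one. Leave storageFactory at its default
        // (session-backed storage) to keep the check.
        provider.setStorageFactory(new EmptyStorageFactory());
        return provider;
    }
}
```

Because the success handler falls back to defaultTargetUrl whenever no saved request exists, the bookmark flow only lands somewhere useful if that URL needs no state from the original request, which is why the answer stresses that the init action is static.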

When your application generates an AuthnRequest, the request has an ID which your application somehow keeps. The corresponding response from the IdP must have the InResponseTo attribute set to that same ID value so that your application can verify that the response is meant for the request it sent.

However, when your user bookmarked the ADFS link that contains the request (www.login-server.com/adfs/ls/?SAMLRequest=xxx...), your application had totally forgotten about that request. In other words, it no longer kept the request ID anywhere and couldn't verify the response.

The solution is to tell your users not to bookmark the www.login-server.com/adfs/ls/?SAMLRequest=xxx... link. Instead, they must bookmark a link in your application where it can generate a new request and send it to ADFS.

Wesleywesleyan answered 29/7, 2017 at 8:7 Comment(0)
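The mechanism this answer describes, as an added example that is not Spring Security SAML code: a stand-alone Java model of how an SP remembers the AuthnRequest IDs it issued, per session, and matches a Response's InResponseTo against them. The store, the one-hour lifetime, the verdict names and the allowUnsolicited flag are assumptions. It runs the bookmark scenario from the question (the ID lives only in the session that created it, so the next day's Response cannot be matched), a Response that arrives after the request's lifetime, and an IdP-initiated Response that carries no InResponseTo at all.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example, not code from the page or from Spring Security SAML. It models the
// InResponseTo check: the SP keeps the IDs of the AuthnRequests it sent, per session,
// and a Response is only accepted if its InResponseTo names one of them.
public class InResponseToCheck {

    // Outstanding AuthnRequest IDs of one HTTP session, with their expiry (assumed TTL).
    static final class SessionRequestStore {
        private final Map<String, Instant> pending = new HashMap<>();
        private final Duration ttl;

        SessionRequestStore(Duration ttl) {
            this.ttl = ttl;
        }

        // Issue a fresh ID and remember it. SAML IDs are xs:ID values, so they must
        // not start with a digit; prefix a letter to the random hex.
        String issueRequestId(Instant now) {
            byte[] raw = new byte[16];
            new SecureRandom().nextBytes(raw);
            StringBuilder id = new StringBuilder("a");
            for (byte b : raw) {
                id.append(String.format("%02x", b));
            }
            pending.put(id.toString(), now.plus(ttl));
            return id.toString();
        }

        // One-shot lookup: the ID is removed as it is checked, so a second Response
        // naming the same request (a replay) is rejected like an unknown one.
        boolean consume(String id, Instant now) {
            Instant expiry = pending.remove(id);
            return expiry != null && now.isBefore(expiry);
        }
    }

    enum Verdict { ACCEPT_SP_INITIATED, ACCEPT_IDP_INITIATED, REJECT_UNKNOWN_OR_EXPIRED_REQUEST }

    // A Response with InResponseTo must match a request this session still remembers.
    // A Response without it is IdP-initiated SSO; whether that is accepted is a
    // deployment choice, modelled here as the allowUnsolicited flag (an assumption).
    static Verdict verify(SessionRequestStore store, Optional<String> inResponseTo,
                          boolean allowUnsolicited, Instant now) {
        if (!inResponseTo.isPresent()) {
            return allowUnsolicited ? Verdict.ACCEPT_IDP_INITIATED
                                    : Verdict.REJECT_UNKNOWN_OR_EXPIRED_REQUEST;
        }
        return store.consume(inResponseTo.get(), now) ? Verdict.ACCEPT_SP_INITIATED
                                                      : Verdict.REJECT_UNKNOWN_OR_EXPIRED_REQUEST;
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        Duration ttl = Duration.ofHours(1);

        // Day 1: the SP redirects to the IdP with a fresh AuthnRequest and the user logs in.
        SessionRequestStore day1 = new SessionRequestStore(ttl);
        String bookmarkedId = day1.issueRequestId(now);
        System.out.println("day 1, matching response:   "
                + verify(day1, Optional.of(bookmarkedId), false, now));

        // Day 2: the user opens the bookmarked IdP URL. The IdP answers with the same
        // InResponseTo, but that ID lived in the day-1 session, which has expired, so the
        // new session has no record of it. This is the exception from the question.
        SessionRequestStore day2 = new SessionRequestStore(ttl);
        System.out.println("day 2, bookmarked response: "
                + verify(day2, Optional.of(bookmarkedId), false, now.plus(Duration.ofDays(1))));

        // Same session, but the IdP answered after the request's lifetime ran out.
        String lateId = day2.issueRequestId(now);
        System.out.println("late response:              "
                + verify(day2, Optional.of(lateId), false, now.plus(Duration.ofHours(2))));

        // IdP-initiated SSO: no InResponseTo at all. Accepted only if unsolicited responses
        // are allowed, which is what a disabled check amounts to for every response.
        System.out.println("unsolicited, strict SP:     "
                + verify(day2, Optional.empty(), false, now));
        System.out.println("unsolicited, lenient SP:    "
                + verify(day2, Optional.empty(), true, now));
    }
}
```

Bookmarking an SP URL instead, as the answer recommends, means every visit goes through issueRequestId in the current session before the IdP is contacted, so the Response always has a live ID to match.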

© 2022 - 2024 — McMap. All rights reserved.