SAML - 'InResponseToField doesn't correspond to sent message' error and SAMLContextProviderLB #192
Comments
I'm not sure if it addresses your issue, but I've made a pull request that adds support for SAMLContextProviderLB. You can find a build of the ShinyProxy jar with these changes here.
Hi @mskyttner In ShinyProxy 2.5.0, we included the contribution by @johannestang. Please check our documentation on how to configure it. I'm looking forward to hearing whether this solves your issue.
Hi @LEDfan I will test the release and ping back here with results. Looking at the documentation I think it looks like two links may need repointing:
Thanks for reminding me about the broken links, they are all fixed now.
As I believe that your question is answered, I'm closing this issue. Feel free to re-open it if you need more help.
Sorry, late response, this seems to have solved the issue, thanks!
Using a proxy chain in front of the shinyproxy server with an "outer proxy" as entrypoint (and leading to the SAML-authenticated shinyproxy server, which uses a different hostname, and which is also exposed externally), users will see SSO login attempts fail when attempted via the "outer proxy" but not when going "directly" to the shinyproxy server.
The shinyproxy log at that point complains with:
o.s.security.saml.log.SAMLDefaultLogger : AuthNResponse;FAILURE;****;https://app_identifier;https://saml_idp_server/idp/shibboleth;{cryptic_string_goes_here};;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a4eed0g849d0b7030e89bfh89g0j7d
Wishing for a feature to be added to shinyproxy so that the checking of the InResponseToField can be disabled in shinyproxy when using SAML auth. Or (if this is already possible) for documentation to describe how to activate such behaviour.
The spring-security-saml docs suggest this could be done by re-configuring the context provider: https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html#d5e1935
And these docs indicate that this use case (accessing shinyproxy via a proxy chain through an external load balancer) might be possible to support with spring-security-saml?
https://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-advanced.html#configuration-load-balancing
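As an added illustration (not ShinyProxy or spring-security-saml code), a minimal version of the checks behind the error quoted in this issue: an SP only accepts a Response whose Destination is its own ACS URL and whose InResponseTo matches an AuthnRequest ID it stored in the same browser session. The hostnames, session IDs and the sample Response are constructed; the session-keyed store mirrors spring-security-saml keeping sent request IDs in the HTTP session, which is why a Response that comes back to a host the browser has no session cookie for fails with "doesn't correspond to sent message".

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_URL = "https://outer-proxy.example.org/saml/SSO"  # assumed externally visible ACS

# Constructed sample Response as the IdP would POST it to the ACS; only the
# attributes this check reads are present (no Assertion, no Signature).
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    f'IssueInstant="2020-01-01T00:00:00Z" InResponseTo="_req-123" '
    f'Destination="{ACS_URL}"/>'
)

class SessionMessageStore:
    # AuthnRequest IDs the SP has sent, keyed by the browser session that sent them.
    def __init__(self):
        self._by_session = {}

    def remember(self, session_id, request_id):
        self._by_session.setdefault(session_id, set()).add(request_id)

    def consume(self, session_id, request_id):
        # One-time use: a Response accepted once cannot be replayed later.
        if request_id not in self._by_session.get(session_id, ()):
            return False
        self._by_session[session_id].remove(request_id)
        return True

def validate_response(response_xml, session_id, store, acs_url=ACS_URL):
    """Destination and InResponseTo checks an SP runs before trusting a Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != acs_url:
        return False, f"Destination {root.get('Destination')!r} is not our ACS"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return False, "unsolicited Response: no InResponseTo"
    if not store.consume(session_id, in_response_to):
        return False, f"InResponseTo {in_response_to!r} doesn't correspond to sent message"
    return True, "ok"

def scenario():
    # Same Response from: a session that never sent the request (the error in this
    # issue), the sending session (accepted), and a replay of the accepted one.
    store = SessionMessageStore()
    store.remember("sess-A", "_req-123")
    wrong_session = validate_response(SAMPLE_RESPONSE, "sess-B", store)
    sending_session = validate_response(SAMPLE_RESPONSE, "sess-A", store)
    replay = validate_response(SAMPLE_RESPONSE, "sess-A", store)
    return wrong_session, sending_session, replay
```

Disabling the InResponseTo check, as the linked troubleshooting page describes, also removes the replay and unsolicited-Response rejection that scenario() shows, which is what SAMLContextProviderLB avoids by keeping the check and fixing the externally visible URL instead.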