InResponseTo validation for saml2 executed even if saved request is not found #12203
Summary
With 5.7.x, mandatory validation of InResponseTo was introduced if it is provided in the authentication response. The validation logic expects to find the saved Saml2AuthenticationRequest in the HttpSession. However, that is only possible if the SameSite attribute is not set.
According to the security requirements of the current project I'm working on, it is set to Lax or Strict. This configuration is done on Apache, through which the developed application is accessible.
It looks like it is the same issue as the closed #10828, with no solution provided.
I would highly appreciate any proposals on how to deal with the issue, as it currently stops us from upgrading to the 5.7.x version.
To Reproduce
Use the Spring Security Saml2 provider in combination with SameSite Lax or Strict set.
Expected behavior
Maybe the possibility to disable InResponseTo validation, or an alternative way to save authentication request data?
Comments
Thanks for getting in touch! It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (and I'll be happy to address your question there) or add more detail if you feel this is a genuine bug.
Added the question to Stack Overflow (https://stackoverflow.com/questions/74435518/spring-security-saml2-provider-inresponseto-validation-for-saml2-executed-even) as requested. I hope I'll get an answer there.
@jzheaux I haven't received any response regarding the issue on Stack Overflow.
I am commenting on a closed issue. I just want to make sure anyone landing here with the same problem (it seems to be very common) is able to view and comment on the suggested solution. @inabumst I ran into the same issue and created an alternative implementation of
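One way to keep the saved AuthnRequest reachable without relying on the session cookie, added here as an illustration and not code from this issue or from Spring Security itself: a Saml2AuthenticationRequestRepository keyed by the RelayState that the IdP echoes back in the ACS POST. It assumes Spring Security 5.7 (javax.servlet), Java 16+ for the record, and the default random-UUID RelayState; the class name is made up.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
// Hypothetical drop-in for HttpSessionSaml2AuthenticationRequestRepository: the AuthnRequest is kept
// server-side under its RelayState, which the IdP echoes back in the ACS POST, so the lookup does not
// need the session cookie to survive a cross-site POST under SameSite=Lax or Strict.
public class RelayStateSaml2AuthenticationRequestRepository
        implements Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> {
    private record Entry(AbstractSaml2AuthenticationRequest request, Instant expiresAt) {}
    private static final Duration TTL = Duration.ofMinutes(5); // bounds how long a stored id stays valid
    private final Map<String, Entry> store = new ConcurrentHashMap<>(); // use a shared cache when clustered

    @Override
    public AbstractSaml2AuthenticationRequest loadAuthenticationRequest(HttpServletRequest request) {
        String relayState = request.getParameter("RelayState");
        Entry entry = (relayState == null) ? null : this.store.get(relayState);
        if (entry == null) {
            return null; // nothing saved: the provider still rejects a Response carrying InResponseTo
        }
        if (entry.expiresAt().isBefore(Instant.now())) {
            this.store.remove(relayState); // expired entries count as "not found"
            return null;
        }
        return entry.request();
    }
    @Override
    public void saveAuthenticationRequest(AbstractSaml2AuthenticationRequest authenticationRequest,
            HttpServletRequest request, HttpServletResponse response) {
        String relayState = (authenticationRequest == null) ? null : authenticationRequest.getRelayState();
        // Sanity guard only: the key must be unguessable; the default relay-state resolver produces a random UUID.
        if (relayState == null || relayState.length() < 32) {
            throw new IllegalArgumentException("RelayState must be a random, unguessable value");
        }
        this.store.put(relayState, new Entry(authenticationRequest, Instant.now().plus(TTL)));
    }

    @Override
    public AbstractSaml2AuthenticationRequest removeAuthenticationRequest(HttpServletRequest request,
            HttpServletResponse response) {
        AbstractSaml2AuthenticationRequest saved = loadAuthenticationRequest(request);
        if (saved != null) {
            this.store.remove(request.getParameter("RelayState")); // single use: a replayed RelayState finds nothing
        }
        return saved;
    }
}
```

Expose it as a @Bean so the SAML login configurer uses it instead of the HttpSession-backed default; in a multi-node deployment replace the in-memory map with a shared store, since the ACS POST may land on a different node than the one that issued the AuthnRequest.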