We are using Spring Security with the SAML2 extension in our project. Currently we want to upgrade from version 1.0.0 to 1.0.3 but ran into a problem.
Our application is running in a Tomcat which has an Apache webserver in front of it. The webserver performs URL rewrites, which means that the requests reaching Tomcat have different URLs than the ones on the webserver (e.g. on the webserver it is "/saml/SSO", but in Tomcat it is "/ctx/saml/SSO").
I tracked down the problem to the checks done in SAMLUtil.getEndpoint(...), which expect exact equality of the incoming and the configured endpoint URL, but this is not the case for us because of the rewriting. (Actually, the behaviour of this method has changed between 1.0.0 and 1.0.3.)
I am thinking about some workarounds to solve this problem, but I wonder if we are the only ones having it. Rewriting URLs in the webserver is not that uncommon, I would expect. Is there an easy solution for this which I am not aware of?
Try to provide an instance of a SAMLContextProviderLB bean instead of SAMLContextProviderImpl:
Java config example (adapt it to XML if you need):
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.context.SAMLContextProviderLB;

@Bean
public SAMLContextProviderImpl contextProvider() {
    // LB = "load balancer" provider: reports the scheme, host, port and
    // context path the client used at the reverse proxy instead of what
    // Tomcat sees, so the reconstructed URL matches the SP metadata.
    SAMLContextProviderLB samlContextProviderLB = new SAMLContextProviderLB();
    samlContextProviderLB.setScheme("https");
    samlContextProviderLB.setServerName("myserver.com");
    samlContextProviderLB.setServerPort(443);
    samlContextProviderLB.setIncludeServerPortInRequestURL(false);
    // context path as seen by the client, not Tomcat's own context path
    samlContextProviderLB.setContextPath("/mycontextpath");
    return samlContextProviderLB;
}
And set the server name according to your reverse proxy's virtual host server name.
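To make visible why the exact-match endpoint check fails behind a rewriting proxy and why the LB provider fixes it, here is an added, self-contained Java example. It is not code from the question, the answer or the Spring Security SAML project: it models how a servlet container rebuilds the request URL (scheme, host, optional port, context path, servlet path) and compares the result against the endpoint location from the SP metadata. The class and method names, the internal host "tomcat-internal:8080" and the metadata location "https://myserver.com/saml/SSO" are constructed for the example. Note that for the questioner's setup, where Apache rewrites "/saml/SSO" to "/ctx/saml/SSO", the context path presented to the client is empty, so the LB provider's context path would be "" rather than the answer's "/mycontextpath" placeholder.

```java
import java.util.Objects;

/**
 * Added example (not library code): shows the URL Tomcat reconstructs for a
 * rewritten request versus the URL a proxy-aware context provider presents,
 * and checks both against the configured endpoint location with exact equality.
 */
public class ProxyEndpointCheck {

    /** Request attributes as a servlet container reports them. */
    static final class RequestView {
        final String scheme;
        final String serverName;
        final int serverPort;
        final String contextPath;
        final String servletPath;

        RequestView(String scheme, String serverName, int serverPort,
                    String contextPath, String servletPath) {
            this.scheme = scheme;
            this.serverName = serverName;
            this.serverPort = serverPort;
            this.contextPath = contextPath;
            this.servletPath = servletPath;
        }

        /** Rebuilds the absolute URL the way HttpServletRequest.getRequestURL() does. */
        String requestUrl(boolean includePort) {
            StringBuilder sb = new StringBuilder(scheme).append("://").append(serverName);
            if (includePort) {
                sb.append(':').append(serverPort);
            }
            return sb.append(contextPath).append(servletPath).toString();
        }
    }

    /** Constructed sample: Tomcat's view of a request Apache rewrote from /saml/SSO to /ctx/saml/SSO. */
    static RequestView asSeenByTomcat() {
        return new RequestView("http", "tomcat-internal", 8080, "/ctx", "/saml/SSO");
    }

    /**
     * Models the LB provider: scheme, server name, port and context path come from
     * configuration (the values a client used at the proxy), only the servlet path
     * is taken from the real request. Context path is "" because the proxy strips /ctx.
     */
    static RequestView asSeenThroughLb(RequestView raw) {
        return new RequestView("https", "myserver.com", 443, "", raw.servletPath);
    }

    /** Exact-equality check, as the question describes the 1.0.3 endpoint lookup doing. */
    static boolean matchesEndpoint(String configuredLocation, String requestUrl) {
        return Objects.equals(configuredLocation, requestUrl);
    }

    public static void main(String[] args) {
        // Constructed sample: the AssertionConsumerService Location from the SP metadata.
        String configured = "https://myserver.com/saml/SSO";

        RequestView raw = asSeenByTomcat();
        String rawUrl = raw.requestUrl(true);
        System.out.println(rawUrl + " matches: " + matchesEndpoint(configured, rawUrl));

        RequestView lb = asSeenThroughLb(raw);
        String lbUrl = lb.requestUrl(false); // includeServerPortInRequestURL = false
        System.out.println(lbUrl + " matches: " + matchesEndpoint(configured, lbUrl));
    }
}
```

The first comparison fails because Tomcat's reconstructed URL carries the internal scheme, host, port and the "/ctx" prefix; the second succeeds because the configured proxy values replace them. The same property names used in the Java bean (scheme, serverName, serverPort, includeServerPortInRequestURL, contextPath) apply when declaring the bean in XML.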