SSO :: 500 Error after initial authentication #8
Comments
I Googled the error message and it led me to https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html#d5e1935 ... does that help?
Extending WEB-INF/applicationContext-security-saml.xml with the provided snippet does NOT solve the issue.
Hard-coding the host name in server.xml does NOT solve the issue.
Hi all, I installed the SAML Chrome extension to compare the failed request against a successful request. Maybe that helps.
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2022-12-05T12:12:00.100Z" IsPassive="false" AssertionConsumerServiceURL="https://structurizr.slsystem.aws.XXX/saml/SSO" ForceAuthn="false">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">structurizr-prod</Issuer>
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3fda838d-5d7a-4775-8def-4a3ae3adb0d2" Version="2.0" IssueInstant="2022-12-05T12:15:01.510Z" Destination="https://structurizr.slsystem.aws.XXX/saml/SSO">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6c7a5fac-8c29-42b5-88be-f764398b7400" IssueInstant="2022-12-05T12:15:01.510Z" Version="2.0">
<Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
<Reference URI="#_6c7a5fac-8c29-42b5-88be-f764398b7400">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>90GUdqmO0EtquGhviYi6ETmOht5Wv2e1HJ2eIt9LAtk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>my-signature</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>my-certificate</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my-email</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2022-12-05T13:15:01.385Z" Recipient="https://structurizr.slsystem.aws.XXX/saml/SSO"></SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2022-12-05T12:10:01.385Z" NotOnOrAfter="2022-12-05T13:15:01.385Z">
<AudienceRestriction>
<Audience>structurizr-prod</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>31f1b789-90e3-442a-acd2-d6ae8c8bda31</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>551bf6ca-2976-4dd7-8627-17e985640e52</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>my-displayName</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>my-givenname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>my-lastname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>my-email</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>my-email</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<AttributeValue>guest</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2022-11-25T06:18:51.416Z" SessionIndex="_6c7a5fac-8c29-42b5-88be-f764398b7400">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
Here is the request / response for a successful request.
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2022-12-05T13:12:05.029Z" IsPassive="false" AssertionConsumerServiceURL="https://structurizr.slsystem.aws.XXX/saml/SSO" ForceAuthn="false">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">structurizr-prod</Issuer>
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_49ceae9d-cb9a-4a57-a748-d7eb1f4f4cf0" Version="2.0" IssueInstant="2022-12-05T13:31:05.945Z" Destination="https://structurizr.slsystem.aws.XXX/saml/SSO">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_96259533-65a9-423b-b9a1-882321777100" IssueInstant="2022-12-05T13:31:05.930Z" Version="2.0">
<Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
<Reference URI="#_96259533-65a9-423b-b9a1-882321777100">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
<DigestValue>dQRhNeHF4RJhtUQdJ64YyRICpBPU95YDvVbAZA+KltA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>my-signature</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>my-certificate</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my-email</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2022-12-05T14:31:05.836Z" Recipient="https://structurizr.slsystem.aws.XXX/saml/SSO"></SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2022-12-05T13:26:05.836Z" NotOnOrAfter="2022-12-05T14:31:05.836Z">
<AudienceRestriction>
<Audience>structurizr-prod</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>31f1b789-90e3-442a-acd2-d6ae8c8bda31</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>551bf6ca-2976-4dd7-8627-17e985640e52</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>my-displayname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>my-givenname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>my-surname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>my-email</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>my-email</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<AttributeValue>guest</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2022-12-05T13:30:02.075Z" SessionIndex="_96259533-65a9-423b-b9a1-882321777100">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
I am also getting "Error: Sorry, something went wrong" when attempting Structurizr sign-in with Azure AD SSO configured. For me this happens with Chrome and Edge, but not Firefox. If I use Chrome or Edge incognito I do not experience the issue. I am using Structurizr on-premises from Docker Hub deployed to AWS using Azure AD SAML 2.0 integration, and Structurizr logs in CloudWatch show the
My browser versions:
Error in structurizr logs when using Chrome or Edge (not incognito):
I don't know if this is related, but in Firefox console I see this warning when I navigate to my structurizr onpremises site:
We experience exactly the same issue. Using Firefox doesn't solve the problem for us.
Hi! I'm having the same issue as @tbdrake: I'm using AzureAD and on-premise install (on AWS EKS) too. Error occurs on Chrome only.
Chrome Version 109.0.5414.87 (x86_64)
After increasing I chose 90 days based on this Azure AD documentation, but not sure if this is appropriate:
Is there a way to adjust this setting conveniently while using the from my structurizr-onpremises.war\WEB-INF\applicationContext-security-saml.xml:
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
<!-- by default, Spring Security checks that you've been authenticated with your IdP within the past 2 hours (7200 seconds) ... uncomment the following line if you need to use a longer value (e.g. 86400 seconds for 24 hours) -->
<property name="maxAuthenticationAge" value="7776000" />
</bean>
I enabled debug logging by editing my structurizr-onpremises.war\WEB-INF\classes\log4j2.properties:
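The one material difference between the two responses captured earlier in this thread is the AuthnStatement: the failing one carries AuthnInstant="2022-11-25T06:18:51.416Z" inside a response issued on 2022-12-05, i.e. an authentication roughly ten days old, while the successful one was authenticated about a minute before the response was issued. That is exactly what the maxAuthenticationAge property in the bean above governs. The following Python script is an added example (it is not code from Structurizr or from Spring Security SAML) that approximates the assertion checks an SP performs on a bearer assertion, including the authentication-age check, and replays them against reduced copies of the two responses posted above. Assumptions: the responses are trimmed to the elements the checks need (signature, attributes and the AuthnRequest are omitted); the entity ID structurizr-prod and the ACS URL come from the thread; a 60-second clock-skew allowance is assumed; and because the real library compares against the wall clock, the replay passes each response's own IssueInstant as "now". XML signature verification is deliberately out of scope.

```python
"""Replay SP-side SAML bearer-assertion checks (added example, not Structurizr
or Spring Security SAML code) against two reduced responses from the thread."""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
DEFAULT_MAX_AUTHN_AGE = 7200   # Spring Security SAML default, in seconds
DEFAULT_SKEW = 60              # assumed clock-skew allowance, in seconds
ENTITY_ID = "structurizr-prod"
ACS = "https://structurizr.slsystem.aws.XXX/saml/SSO"

# Constructed: reduced to the elements the checks below need. IDs and
# timestamps are the ones posted in the thread; everything else is omitted.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="{rid}" Version="2.0" IssueInstant="{issued}" Destination="{acs}">
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="{aid}" IssueInstant="{issued}" Version="2.0">
    <Subject>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="{not_after}" Recipient="{acs}"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <AudienceRestriction><Audience>{audience}</Audience></AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="{authn}" SessionIndex="{aid}"/>
  </Assertion>
</samlp:Response>"""

FAILED_RESPONSE = RESPONSE_TEMPLATE.format(
    rid="_3fda838d-5d7a-4775-8def-4a3ae3adb0d2", aid="_6c7a5fac-8c29-42b5-88be-f764398b7400",
    issued="2022-12-05T12:15:01.510Z", not_before="2022-12-05T12:10:01.385Z",
    not_after="2022-12-05T13:15:01.385Z", authn="2022-11-25T06:18:51.416Z",
    status=SUCCESS, audience=ENTITY_ID, acs=ACS)
OK_RESPONSE = RESPONSE_TEMPLATE.format(
    rid="_49ceae9d-cb9a-4a57-a748-d7eb1f4f4cf0", aid="_96259533-65a9-423b-b9a1-882321777100",
    issued="2022-12-05T13:31:05.945Z", not_before="2022-12-05T13:26:05.836Z",
    not_after="2022-12-05T14:31:05.836Z", authn="2022-12-05T13:30:02.075Z",
    status=SUCCESS, audience=ENTITY_ID, acs=ACS)


def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2022-12-05T12:15:01.510Z as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def authn_age_seconds(xml_text, now):
    """Seconds elapsed between the assertion's AuthnInstant and `now`."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    return (now - parse_instant(stmt.get("AuthnInstant"))).total_seconds()


def check_response(xml_text, audience, recipient, now,
                   max_authn_age=DEFAULT_MAX_AUTHN_AGE, skew=DEFAULT_SKEW):
    """Return the list of reasons the response would be rejected (empty = accepted).
    Mirrors the usual SP checks: status, Destination, validity window, audience,
    bearer Recipient/expiry and authentication age. No signature check here."""
    root = ET.fromstring(xml_text)
    tol = timedelta(seconds=skew)
    failures = []
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        failures.append(f"status is {status}")
    if root.get("Destination") != recipient:
        failures.append(f"Destination {root.get('Destination')} != {recipient}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["no Assertion in response"]
    cond = assertion.find("saml:Conditions", NS)
    if now + tol < parse_instant(cond.get("NotBefore")):
        failures.append("Conditions NotBefore is in the future")
    if now - tol >= parse_instant(cond.get("NotOnOrAfter")):
        failures.append("Conditions NotOnOrAfter has passed")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        failures.append(f"audience {audiences} does not include {audience}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != recipient:
        failures.append(f"Recipient {scd.get('Recipient')} != {recipient}")
    if now - tol >= parse_instant(scd.get("NotOnOrAfter")):
        failures.append("bearer SubjectConfirmationData has expired")
    age = authn_age_seconds(xml_text, now)
    if age > max_authn_age:
        failures.append(f"authentication statement is too old: {age:.0f}s > {max_authn_age}s")
    return failures


if __name__ == "__main__":
    # Replay with "now" = the response's own IssueInstant (the SP uses the wall clock).
    for label, xml_text in (("failed", FAILED_RESPONSE), ("successful", OK_RESPONSE)):
        now = parse_instant(ET.fromstring(xml_text).get("IssueInstant"))
        print(label, "default 7200s:", check_response(xml_text, ENTITY_ID, ACS, now) or "accepted")
        print(label, "with 7776000s:",
              check_response(xml_text, ENTITY_ID, ACS, now, max_authn_age=7776000) or "accepted")
```

Run as-is, the failed capture is rejected only for the authentication age (about 885,370 seconds against a 7,200-second limit) and accepted once the limit is raised to the 90-day value used above, while the successful capture passes with the default. Raising maxAuthenticationAge is a trade-off: the SP is agreeing to accept assertions about a login that happened up to that long ago, so the value should not be larger than the IdP's own session lifetime policy justifies.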
Thanks @tbdrake!
I've added support for changing this value via a property named
Awesome, thank you @simonbrowndotje! Structurizr has been fun to work with and has helped me do my job, and I am very grateful! Our Structurizr logs around the times of past login errors showed
I did not find the above exception in @konpolporsche's logs from original issue, so these may be different issues. This part that mentions SAML message ID not found in HTTP session stuck out:
There were instances of same log messages from our Structurizr:
I searched our CloudWatch logs for messages containing
I searched again for messages with Initially we were running 2 instances of
Thanks @simonbrowndotje :) you're a lifesaver
Hi, after applying this solution (structurizr.saml.maxAuthenticationAge in the properties file) it is working well now. Thanks a lot @tbdrake and @simonbrowndotje!
Description:
SSO SAML integration (Azure AD) stops working a few minutes after the initial authentication.
How to reproduce:
Details:
APP: Structurizr onpremise installation
SSO: AzureAD with SAML
ERROR: 500 Error Sorry, something went wrong.
Logs:
attached below