
SSO :: 500 Error after initial authentication #8

Closed
konpolporsche opened this issue Nov 14, 2022 · 12 comments


konpolporsche commented Nov 14, 2022

Description:
SSO SAML Integration (AzureAD) stops working a few minutes after the initial authentication.

How to reproduce:

  • Log in to AzureAD
  • Open Structurizr and click "Sign in"
  • Re-open the browser
  • Open Structurizr and click "Sign in"
  • 500 Error

Details:
APP: Structurizr onpremise installation
SSO: AzureAD with SAML
ERROR: 500 Error Sorry, something went wrong.

Logs:
attached below

[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] FilterChainProxy - Securing POST /saml/SSO
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] SecurityContextPersistenceFilter - Set SecurityContextHolder to empty SecurityContext
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] FilterChainProxy - Securing POST /saml/SSO
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: structurizr-prod
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of structurizr-prod
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] AbstractMetadataProvider - Metadata document did not contain a descriptor for entity structurizr-prod
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity structurizr-prod
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity structurizr-prod
[DEBUG] 2022-11-14 12:57:52.184 [http-nio-8080-exec-1] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: structurizr-prod
[DEBUG] 2022-11-14 12:57:52.185 [http-nio-8080-exec-1] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of structurizr-prod
[DEBUG] 2022-11-14 12:57:52.185 [http-nio-8080-exec-1] KeyStoreCredentialResolver - Building credential from keystore entry for entityID structurizr, usage type UNSPECIFIED
[DEBUG] 2022-11-14 12:57:52.185 [http-nio-8080-exec-1] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
[DEBUG] 2022-11-14 12:57:52.185 [http-nio-8080-exec-1] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
[DEBUG] 2022-11-14 12:57:52.186 [http-nio-8080-exec-1] KeyStoreCredentialResolver - Building credential from keystore entry for entityID structurizr, usage type UNSPECIFIED
[DEBUG] 2022-11-14 12:57:52.186 [http-nio-8080-exec-1] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
[DEBUG] 2022-11-14 12:57:52.186 [http-nio-8080-exec-1] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
[DEBUG] 2022-11-14 12:57:52.187 [http-nio-8080-exec-1] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
[DEBUG] 2022-11-14 12:57:52.187 [http-nio-8080-exec-1] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
[DEBUG] 2022-11-14 12:57:52.187 [http-nio-8080-exec-1] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
[DEBUG] 2022-11-14 12:57:52.188 [http-nio-8080-exec-1] SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
[DEBUG] 2022-11-14 12:57:52.189 [http-nio-8080-exec-1] BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
[DEBUG] 2022-11-14 12:57:52.189 [http-nio-8080-exec-1] HTTPPostDecoder - Decoded SAML relay state of: null
[DEBUG] 2022-11-14 12:57:52.189 [http-nio-8080-exec-1] HTTPPostDecoder - Getting Base64 encoded message from request
[DEBUG] 2022-11-14 12:57:52.190 [http-nio-8080-exec-1] BaseMessageDecoder - Parsing message stream into DOM document
[DEBUG] 2022-11-14 12:57:52.190 [http-nio-8080-exec-1] BaseMessageDecoder - Unmarshalling message DOM
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] SignatureUnmarshaller - Constructing Apache XMLSignature object
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] ElementProxy - setElement("Signature", "")
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] ElementProxy - setElement("SignedInfo", "")
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] ElementProxy - setElement("SignatureMethod", "")
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] SignatureAlgorithm - Create URI "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA256"
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] JCEMapper - Request for URI http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] SignatureBaseRSA - Created SignatureRSA using SHA256withRSA
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] ElementProxy - setElement("KeyInfo", "")
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature
[DEBUG] 2022-11-14 12:57:52.191 [http-nio-8080-exec-1] SignatureUnmarshaller - Adding KeyInfo to Signature
[DEBUG] 2022-11-14 12:57:52.194 [http-nio-8080-exec-1] BaseMessageDecoder - Message succesfully unmarshalled
[DEBUG] 2022-11-14 12:57:52.194 [http-nio-8080-exec-1] HTTPPostDecoder - Decoded SAML message
[DEBUG] 2022-11-14 12:57:52.194 [http-nio-8080-exec-1] BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
[DEBUG] 2022-11-14 12:57:52.195 [http-nio-8080-exec-1] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://structurizr.slsystem.cloud/saml/SSO" ID="_6c861f5c-4615-4f4f-aaa7-981439a238e3" InResponseTo="a46j86d85736eh939d3g4e86aage13" IssueInstant="2022-11-14T11:57:05.652Z" Version="2.0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_787d7cee-84fa-4f5d-95b7-903eb1cf0d00" IssueInstant="2022-11-14T11:57:05.652Z" Version="2.0">
      <Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_787d7cee-84fa-4f5d-95b7-903eb1cf0d00">
               <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </Transforms>
               <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
               <DigestValue>sBznpOgfu/uw97TXmk3lcqaHIamD3XC1fb/r25yqMYU=</DigestValue>
            </Reference>
         </SignedInfo>
         <SignatureValue>O+nKDhZn++uKA==</SignatureValue>
         <KeyInfo>
            <X509Data>
               <X509Certificate>MIIC8DPHC</X509Certificate>
            </X509Data>
         </KeyInfo>
      </Signature>
      <Subject>
         <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">konstantin@test.test</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="a46j86d85736eh939d3g4e86aage13" NotOnOrAfter="2022-11-14T12:57:05.543Z" Recipient="https://structurizr.slsystem.cloud/saml/SSO"/>
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2022-11-14T11:52:05.543Z" NotOnOrAfter="2022-11-14T12:57:05.543Z">
         <AudienceRestriction>
            <Audience>structurizr-prod</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
         <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
            <AttributeValue>31f1b789-90e3-442a-acd2-d6ae8c8bda31</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
            <AttributeValue>00f2e6c0-4ab6-4088-ada8-256ece971e66</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
            <AttributeValue>Konstantin Polyakov (extern)</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
            <AttributeValue>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
            <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
            <AttributeValue>Konstantin</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
            <AttributeValue>Polyakov</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>konstantin@test.test</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
            <AttributeValue>konstantin@test.test</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
            <AttributeValue>guest</AttributeValue>
         </Attribute>
      </AttributeStatement>
      <AuthnStatement AuthnInstant="2022-11-12T23:44:42.828Z" SessionIndex="_787d7cee-84fa-4f5d-95b7-903eb1cf0d00">
         <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
         </AuthnContext>
      </AuthnStatement>
   </Assertion>
</samlp:Response>
[DEBUG] 2022-11-14 12:57:52.195 [http-nio-8080-exec-1] BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
[INFO ] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - SAML protocol message was not signed, skipping XML signature processing
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] BaseMessageDecoder - Successfully decoded message.
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] BaseSAMLMessageDecoder - Intended message destination endpoint: https://structurizr.slsystem.cloud/saml/SSO
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] BaseSAMLMessageDecoder - Actual message receiver endpoint: https://structurizr.slsystem.cloud/saml/SSO
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@36113b57 for request URL https://structurizr.slsystem.cloud/saml/SSO based on location attribute in metadata
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] HttpSessionStorage - Message a46j86d85736eh939d3g4e86aage13 not found in session 26EEC63FA2C71FC291414D44B958E0BD
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a46j86d85736eh939d3g4e86aage13
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:139) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87) [spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) [spring-security-core-5.6.2.jar:5.6.2]
	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87) [spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:223) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:213) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.23.jar:5.3.23]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.23.jar:5.3.23]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) [spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) [spring-security-web-5.6.2.jar:5.6.2]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) [spring-web-5.3.23.jar:5.3.23]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) [spring-web-5.3.23.jar:5.3.23]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.68]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.68]
	at com.structurizr.onpremises.web.NoOpSpringSessionRepositoryFilter.doFilter(NoOpSpringSessionRepositoryFilter.java:14) [structurizr-onpremises.jar:?]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) [spring-web-5.3.23.jar:5.3.23]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) [spring-web-5.3.23.jar:5.3.23]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.68]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.68]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.3.23.jar:5.3.23]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.23.jar:5.3.23]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.68]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.68]
	at org.springframework.web.filter.ForwardedHeaderFilter.doFilterInternal(ForwardedHeaderFilter.java:156) [spring-web-5.3.23.jar:5.3.23]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.23.jar:5.3.23]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.68]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.68]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [catalina.jar:9.0.68]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [catalina.jar:9.0.68]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) [catalina.jar:9.0.68]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [catalina.jar:9.0.68]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.68]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [catalina.jar:9.0.68]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360) [catalina.jar:9.0.68]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) [tomcat-coyote.jar:9.0.68]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:9.0.68]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat-coyote.jar:9.0.68]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1789) [tomcat-coyote.jar:9.0.68]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:9.0.68]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:9.0.68]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:9.0.68]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.68]
	at java.lang.Thread.run(Thread.java:829) [?:?]
[INFO ] 2022-11-14 12:57:52.197 [http-nio-8080-exec-1] SAMLDefaultLogger - AuthNResponse;FAILURE;95.223.73.245;structurizr-prod;https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/;;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a46j86d85736eh939d3g4e86aage13
	at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:139)
	at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
	at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:223)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:213)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at com.structurizr.onpremises.web.NoOpSpringSessionRepositoryFilter.doFilter(NoOpSpringSessionRepositoryFilter.java:14)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.web.filter.ForwardedHeaderFilter.doFilterInternal(ForwardedHeaderFilter.java:156)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1789)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:829)
[DEBUG] 2022-11-14 12:57:52.198 [http-nio-8080-exec-1] SimpleUrlAuthenticationFailureHandler - Forwarding to /500
[DEBUG] 2022-11-14 12:57:52.198 [http-nio-8080-exec-1] DispatcherServlet - "FORWARD" dispatch for POST "/500", parameters={masked}
[DEBUG] 2022-11-14 12:57:52.198 [http-nio-8080-exec-1] RequestMappingHandlerMapping - Mapped to com.structurizr.onpremises.web.error.Http500Controller#showErrorPage(ModelMap)
[ERROR] 2022-11-14 12:57:52.199 [http-nio-8080-exec-1] Http500Controller - null
@simonbrowndotje
Contributor

I Googled the error message and it led me to https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html#d5e1935 ... does that help?

@konpolporsche
Author

Extending WEB-INF/applicationContext-security-saml.xml with the provided snippet does NOT solve the issue.

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  <property name="storageFactory">
    <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
  </property>
</bean>
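To make the failure in the log concrete, here is a small added model (not Structurizr or Spring SAML code) of the SP-side InResponseTo correlation that WebSSOProfileConsumerImpl performs, and of what the EmptyStorageFactory bean in the snippet above changes. The SessionStore class, the validate_in_response_to function and the two minimal Responses are constructed for this example; the request ID is the one from the log. It walks through the first login, a replay in the same session, the same Response arriving after the browser session is gone, and that last case with message storage disabled.

```python
"""Model of the SP-side InResponseTo check behind the error in the log above.
Added example; the store, the validator and the sample Responses are constructed
for illustration and are not Structurizr or Spring SAML code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class SessionStore:
    """Outstanding AuthnRequest IDs for ONE HTTP session, the role that
    HttpSessionStorage plays in the log. Reopening the browser drops the
    session cookie, so the SP sees a fresh, empty store on the next POST."""
    pending: Set[str] = field(default_factory=set)

    def remember_request(self, request_id: str) -> None:
        self.pending.add(request_id)

    def consume(self, request_id: str) -> bool:
        # One-shot lookup: the ID is removed once matched, so a second POST
        # of the same Response (a replay) no longer finds it.
        if request_id in self.pending:
            self.pending.remove(request_id)
            return True
        return False


def in_response_to(response_xml: str) -> Optional[str]:
    """Return the InResponseTo attribute of a samlp:Response, or None."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    return root.get("InResponseTo")


def validate_in_response_to(response_xml: str,
                            store: Optional[SessionStore]) -> Tuple[bool, str]:
    """store=None models EmptyStorageFactory: no message storage, so the
    InResponseTo correlation is skipped altogether. Otherwise the Response
    must name a request this session sent. Rejecting a Response that has no
    InResponseTo at all is this example's own strict policy, not a claim
    about the library."""
    irt = in_response_to(response_xml)
    if store is None:
        return True, "no message storage configured; InResponseTo not checked"
    if irt is None:
        return False, "Response carries no InResponseTo"
    if store.consume(irt):
        return True, "InResponseTo=%s matched a pending request" % irt
    return False, ("InResponseToField of the Response doesn't correspond "
                   "to sent message %s") % irt


REQUEST_ID = "a46j86d85736eh939d3g4e86aage13"  # AuthnRequest ID seen in the log above
# Constructed minimal Responses; signature, assertion and status are omitted
# because only the InResponseTo attribute matters for this check.
SOLICITED = ('<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
             'InResponseTo="%s"/>' % (SAMLP, REQUEST_ID))
UNSOLICITED = '<samlp:Response xmlns:samlp="%s" ID="_r2" Version="2.0"/>' % SAMLP


def walkthrough() -> dict:
    """Replay the scenario from the issue and return each outcome by name."""
    results = {}
    first = SessionStore()
    first.remember_request(REQUEST_ID)          # SP sent the AuthnRequest, stored its ID
    results["first_login"] = validate_in_response_to(SOLICITED, first)
    results["replay_same_session"] = validate_in_response_to(SOLICITED, first)
    reopened = SessionStore()                   # browser reopened: new, empty session
    results["after_reopen"] = validate_in_response_to(SOLICITED, reopened)
    results["unsolicited_strict"] = validate_in_response_to(UNSOLICITED, reopened)
    results["after_reopen_empty_storage"] = validate_in_response_to(SOLICITED, None)
    return results


if __name__ == "__main__":
    for name, (ok, why) in walkthrough().items():
        print("%-28s %s  %s" % (name, "OK " if ok else "500", why))
```

The "after_reopen" case reproduces the exact message from the log: the Response is valid, but the session that issued the request is gone, so the ID cannot be found and the SP fails. Switching to EmptyStorageFactory makes that case succeed because no correlation is attempted at all; it also means a Response posted to /saml/SSO is no longer tied to a request this SP actually sent, so the remaining defences (assertion signature, Audience, Recipient, NotOnOrAfter) carry the full weight of rejecting stale or injected responses.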

@konpolporsche
Author

Hard-coding the host name in server.xml does NOT solve the issue.

@AndreasKrueger1

Hi all, I installed the SAML Chrome extension to validate the failed request against a successful request. Maybe that helps.
Here is the output for a failed request.

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2022-12-05T12:12:00.100Z" IsPassive="false" AssertionConsumerServiceURL="https://structurizr.slsystem.aws.XXX/saml/SSO" ForceAuthn="false">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">structurizr-prod</Issuer>
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3fda838d-5d7a-4775-8def-4a3ae3adb0d2" Version="2.0" IssueInstant="2022-12-05T12:15:01.510Z" Destination="https://structurizr.slsystem.aws.XXX/saml/SSO">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
 <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
 </samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6c7a5fac-8c29-42b5-88be-f764398b7400" IssueInstant="2022-12-05T12:15:01.510Z" Version="2.0">
  <Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
    <Reference URI="#_6c7a5fac-8c29-42b5-88be-f764398b7400">
     <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
     </Transforms>
     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
     <DigestValue>90GUdqmO0EtquGhviYi6ETmOht5Wv2e1HJ2eIt9LAtk=</DigestValue>
    </Reference>
   </SignedInfo>
   <SignatureValue>my-signature</SignatureValue>
   <KeyInfo>
    <X509Data>
     <X509Certificate>my-certificate</X509Certificate>
    </X509Data>
   </KeyInfo>
  </Signature>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my-email</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2022-12-05T13:15:01.385Z" Recipient="https://structurizr.slsystem.aws.XXX/saml/SSO"></SubjectConfirmationData>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2022-12-05T12:10:01.385Z" NotOnOrAfter="2022-12-05T13:15:01.385Z">
   <AudienceRestriction>
    <Audience>structurizr-prod</Audience>
   </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>31f1b789-90e3-442a-acd2-d6ae8c8bda31</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <AttributeValue>551bf6ca-2976-4dd7-8627-17e985640e52</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
    <AttributeValue>my-displayName</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
    <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>my-givenname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>my-lastname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>guest</AttributeValue>
   </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2022-11-25T06:18:51.416Z" SessionIndex="_6c7a5fac-8c29-42b5-88be-f764398b7400">
   <AuthnContext>
    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
   </AuthnContext>
  </AuthnStatement>
 </Assertion>
</samlp:Response>

Here is the request / response for a successful request.

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2022-12-05T13:12:05.029Z" IsPassive="false" AssertionConsumerServiceURL="https://structurizr.slsystem.aws.XXX/saml/SSO" ForceAuthn="false">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">structurizr-prod</Issuer>
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_49ceae9d-cb9a-4a57-a748-d7eb1f4f4cf0" Version="2.0" IssueInstant="2022-12-05T13:31:05.945Z" Destination="https://structurizr.slsystem.aws.XXX/saml/SSO">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
 <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
 </samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_96259533-65a9-423b-b9a1-882321777100" IssueInstant="2022-12-05T13:31:05.930Z" Version="2.0">
  <Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
    <Reference URI="#_96259533-65a9-423b-b9a1-882321777100">
     <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
     </Transforms>
     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
     <DigestValue>dQRhNeHF4RJhtUQdJ64YyRICpBPU95YDvVbAZA+KltA=</DigestValue>
    </Reference>
   </SignedInfo>
   <SignatureValue>my-signature</SignatureValue>
   <KeyInfo>
    <X509Data>
     <X509Certificate>my-certificate</X509Certificate>
    </X509Data>
   </KeyInfo>
  </Signature>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my-email</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2022-12-05T14:31:05.836Z" Recipient="https://structurizr.slsystem.aws.XXX/saml/SSO"></SubjectConfirmationData>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2022-12-05T13:26:05.836Z" NotOnOrAfter="2022-12-05T14:31:05.836Z">
   <AudienceRestriction>
    <Audience>structurizr-prod</Audience>
   </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>31f1b789-90e3-442a-acd2-d6ae8c8bda31</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <AttributeValue>551bf6ca-2976-4dd7-8627-17e985640e52</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
    <AttributeValue>my-displayname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
    <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>my-givenname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>my-surname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>guest</AttributeValue>
   </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2022-12-05T13:30:02.075Z" SessionIndex="_96259533-65a9-423b-b9a1-882321777100">
   <AuthnContext>
    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
   </AuthnContext>
  </AuthnStatement>
 </Assertion>
</samlp:Response>
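
The difference between the two assertions above is the AuthnStatement: the failing one was issued on 2022-12-05 but carries an AuthnInstant of 2022-11-25, ten days earlier, while the succeeding one was authenticated a minute before it was issued. The following script is an added example (not Structurizr or Spring Security SAML code) that rebuilds both assertions from the timestamps, entity ID and ACS URL posted in this thread, with the Signature and attribute statement left out, and runs them through the checks a service provider applies after the signature has been verified: Conditions window, Audience, Recipient, SubjectConfirmationData expiry, and the AuthnInstant age limit that Spring SAML enforces through maxAuthenticationAge (default 7200 seconds). The validation instants, the 60-second clock-skew allowance and the 90-day alternative are assumptions chosen to illustrate the thread; signature verification is not shown and must happen before any of these checks in real code.

```python
"""Replay of the two assertions posted above through the post-signature checks a
SAML service provider applies. Added example, not Structurizr or Spring SAML code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Copied from the thread: SP entity ID, ACS URL and the timestamps of both assertions.
SP_ENTITY_ID = "structurizr-prod"
ACS_URL = "https://structurizr.slsystem.aws.XXX/saml/SSO"
FAILING_ASSERTION = {
    "issue_instant": "2022-12-05T12:15:01.510Z",
    "not_before": "2022-12-05T12:10:01.385Z",
    "not_on_or_after": "2022-12-05T13:15:01.385Z",
    "authn_instant": "2022-11-25T06:18:51.416Z",   # ten days before IssueInstant
}
SUCCEEDING_ASSERTION = {
    "issue_instant": "2022-12-05T13:31:05.930Z",
    "not_before": "2022-12-05T13:26:05.836Z",
    "not_on_or_after": "2022-12-05T14:31:05.836Z",
    "authn_instant": "2022-12-05T13:30:02.075Z",   # one minute before IssueInstant
}


def build_assertion(issue_instant, not_before, not_on_or_after, authn_instant,
                    audience=SP_ENTITY_ID, recipient=ACS_URL):
    """Constructed assertion with the thread's structure; the Signature and the
    AttributeStatement are omitted because they play no part in the checks below."""
    return f"""<Assertion xmlns="{SAML_NS}" ID="_id" IssueInstant="{issue_instant}" Version="2.0">
  <Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my-email</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="{not_on_or_after}" Recipient="{recipient}"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <AudienceRestriction><Audience>{audience}</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_id">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>"""


def ts(value):
    """Parse the xsd:dateTime form Azure AD emits (UTC with fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, *, audience=SP_ENTITY_ID, recipient=ACS_URL,
                    max_authentication_age=7200, clock_skew=60):
    """Return the list of failed checks; an empty list means the assertion is accepted.
    Assumes the XML signature over the Assertion has already been verified."""
    a = ET.fromstring(xml_text)
    skew = timedelta(seconds=clock_skew)
    problems = []

    cond = a.find("saml:Conditions", NS)
    if now + skew < ts(cond.get("NotBefore")):
        problems.append("Conditions/NotBefore is in the future")
    if now - skew >= ts(cond.get("NotOnOrAfter")):
        problems.append("Conditions/NotOnOrAfter has passed")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not name this SP ({audience})")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != recipient:
        problems.append(f"Recipient {scd.get('Recipient')} is not our ACS URL")
    if now - skew >= ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData/NotOnOrAfter has passed")

    # The check behind CredentialsExpiredException: AuthnInstant plus
    # maxAuthenticationAge must not lie in the past.
    authn_instant = a.find("saml:AuthnStatement", NS).get("AuthnInstant")
    if ts(authn_instant) + timedelta(seconds=max_authentication_age) < now:
        problems.append(f"Authentication statement is too old to be used with value {authn_instant}")
    return problems


if __name__ == "__main__":
    failing = build_assertion(**FAILING_ASSERTION)
    succeeding = build_assertion(**SUCCEEDING_ASSERTION)
    shortly_after_issue = ts("2022-12-05T12:15:05.000Z")   # assumed validation instant
    print(check_assertion(failing, shortly_after_issue))
    print(check_assertion(failing, shortly_after_issue, max_authentication_age=7776000))
    print(check_assertion(succeeding, ts("2022-12-05T13:31:10.000Z")))
```

Run as-is, the first call reports only the AuthnInstant age; the same assertion passes once maxAuthenticationAge is raised to 90 days, and the succeeding assertion passes with the default. Raising the limit accepts the IdP's existing session as proof of authentication for that long, so it should track the sign-in frequency the IdP actually enforces rather than be set arbitrarily high.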

@tbdrake

tbdrake commented Dec 20, 2022

I am also getting Error: Sorry, something went wrong when attempting Structurizr Sign in with Azure AD SSO configured. For me this happens with Chrome and Edge, but not Firefox. If I use Chrome or Edge incognito I do not experience the issue.

I am using Structurizr onpremises from dockerhub deployed to AWS using Azure AD SAML 2.0 integration, and structurizr logs in CloudWatch show the Http500Controller - null message.

My browser versions:

  • Chrome: 101.0.4951.54 (Official Build) (64-bit)
  • Firefox: 104.0 (64-bit)
  • Edge: Version 108.0.1462.54 (Official build) (64-bit)

Error in structurizr logs when using Chrome or Edge (not incognito):

[ERROR] 2022-12-20 20:50:16.416 [http-nio-8080-exec-22] Http500Controller - null

I don't know if this is related, but in Firefox console I see this warning when I navigate to my structurizr onpremises site:

Cookie “JSESSIONID” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

@UPiotr

UPiotr commented Jan 18, 2023

We experience exactly the same issue. Using Firefox doesn't solve the problem for us.
I also tried setting EmptyStorageFactory and removing comments from maxAuthenticationAge parameter inside the applicationContext-security-saml.xml leaving default value.
Nothing helped so far.
Has anyone got any idea how to fix this?

@marcelofabricanti

marcelofabricanti commented Jan 20, 2023

Hi!

I'm having the same issue as @tbdrake:
Http500Controller - null

I'm using AzureAD and on-premise install (on AWS EKS) too.

Error occurs on Chrome only.

  • Firefox doesn't show any errors, works well.
  • Chrome in incognito mode doesn't show any errors as well.

Chrome Version 109.0.5414.87 (x86_64)
Firefox Version 109.0
macOS Version 10.15.5

@tbdrake

tbdrake commented Jan 20, 2023

After increasing maxAuthenticationAge in applicationContext-security-saml.xml from default 2 hours to 90 days (7776000 seconds), I am no longer experiencing the issue (but I have been using this less than 90 days).

I chose 90 days based on this Azure AD documentation, but not sure if this is appropriate:

The Azure Active Directory (Azure AD) default configuration for user sign-in frequency is a rolling window of 90 days.

Is there a way to adjust this setting conveniently while using the structurizr/onpremises image from dockerhub rather than editing the .war and building an image?

from my structurizr-onpremises.war\WEB-INF\applicationContext-security-saml.xml:

    <!-- SAML 2.0 WebSSO Assertion Consumer -->
    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
        <!-- by default, Spring Security checks that you've been authenticated with your IdP within the past 2 hours (7200 seconds) ... uncomment the following line if you need to use a longer value (e.g. 86400 seconds for 24 hours) -->
        <property name="maxAuthenticationAge" value="7776000" />
    </bean>

I enabled debug logging by editing log4j2.properties in the .war file as well. Instructions were in another issue comment in this repo, contents of my file are below. I will try and check logs later from past errors to understand better.

my structurizr-onpremises.war\WEB-INF\classes\log4j2.properties:

status = info

appender.console.type = Console
appender.console.name = LogToConsole
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n

appender.file.type = File
appender.file.name = LogToFile
appender.file.fileName=${sys:structurizr.dataDirectory}/logs/structurizr.log
appender.file.layout.type=PatternLayout
appender.file.layout.pattern=[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n

logger.app.name = com.structurizr
logger.app.level = debug
logger.app.additivity = false
logger.app.appenderRef.console.ref = LogToConsole
logger.app.appenderRef.file.ref = LogToFile

rootLogger.level = debug
rootLogger.appenderRef.stdout.ref = LogToConsole
rootLogger.appenderRef.file.ref = LogToFile

@simonbrowndotje

Thanks @tbdrake!

Is there a way to adjust this setting conveniently while using the structurizr/onpremises image from dockerhub rather than editing the .war and building an image?

I've added support for changing this value via a property named structurizr.saml.maxAuthenticationAge in your structurizr.properties file (the value is the number of seconds). This will be available in build 2914+; see https://structurizr.com/share/18571/documentation#max-authentication-age for more.

@tbdrake

tbdrake commented Jan 21, 2023

Awesome, thank you @simonbrowndotje! Structurizr has been fun to work with and has helped me do my job, and I am very grateful!

Our Structurizr logs around the times of past login errors showed org.springframework.security.authentication.CredentialsExpiredException like this:

Timestamp: 2023-01-13T09:32:58.372-05:00
Message: Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2022-11-21T14:01:18.637Z

I did not find the above exception in @konpolporsche's logs from original issue, so these may be different issues. This part that mentions SAML message ID not found in HTTP session stuck out:

[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] HttpSessionStorage - Message a46j86d85736eh939d3g4e86aage13 not found in session 26EEC63FA2C71FC291414D44B958E0BD
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a46j86d85736eh939d3g4e86aage13

There were instances of same log messages from our Structurizr:

[DEBUG] 2022-12-24 20:52:57.838 [http-nio-8080-exec-2] HttpSessionStorage - Message a40b341bd9che66i156e70d4i40ja6 not found in session 490E4D2E77973778F71410BAC91D93C1
[DEBUG] 2022-12-24 20:52:57.839 [http-nio-8080-exec-2] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a40b341bd9che66i156e70d4i40ja6

I searched our CloudWatch logs for messages containing a40b341bd9che66i156e70d4i40ja6 or 490E4D2E77973778F71410BAC91D93C1 and found this message saying it stored the message ID in a different session 0CD3997BD4D12FCE05F288C7D117BF68:

[DEBUG] 2022-12-24 20:52:54.536 [http-nio-8080-exec-8] HttpSessionStorage - Storing message a40b341bd9che66i156e70d4i40ja6 to session 0CD3997BD4D12FCE05F288C7D117BF68

I searched again for messages with a40b341bd9che66i156e70d4i40ja6 (SAML message ID), 490E4D2E77973778F71410BAC91D93C1 (HTTP Session where SAML message ID not found), or 0CD3997BD4D12FCE05F288C7D117BF68 (HTTP Session where SAML message ID was stored) and attached the CSV export from CloudWatch: log-events-viewer-result.csv

Initially we were running 2 instances of structurizr/onpremises using AWS Fargate service with desired task count 2, and had tried enabling "sticky sessions" using AWS ALB, but have since gone to 1 desired task count. This part from HTTP Sessions seems to match what our logs showed:

By default, HTTP sessions are stored locally, in memory, on the server that created them. This works for a single server installation, but may not work for a high-availability installation, particularly where multiple instances are deployed behind a load balancer that is delivering requests using a round-robin algorithm. If "sticky sessions" or "session pinning" is not an option, you can choose to have HTTP session information stored in a Redis database instead.
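
The "Storing message ... to session ..." and "Message ... not found in session ..." pairs quoted above come from the service provider's message store: the AuthnRequest ID is written into the HTTP session of the instance that built the request, and the Response's InResponseTo is looked up in whatever session the /saml/SSO POST arrives in. The following simulation is an added example, not Structurizr or Spring Security SAML code, that models two instances behind a load balancer with local session stores, the same two instances with a shared store standing in for the Redis option the documentation describes, a sticky-session setup, and, going one step beyond what the thread shows, a browser that does not present the JSESSIONID on the cross-site POST at all. Instance names, session-ID format and the log wording are assumptions modelled on the quoted lines. Note that Spring SAML's EmptyStorageFactory, which UPiotr mentions trying, skips this lookup entirely and with it the binding of each Response to a request the SP actually sent, so it removes the check rather than fixing the session problem.

```python
"""Simulation of where the AuthnRequest ID is kept and why the ACS POST fails when it
arrives in a different HTTP session. Added example, not Structurizr or Spring SAML code."""
import secrets


class SessionStore:
    """HTTP sessions keyed by JSESSIONID. One per instance when sessions are local;
    one object shared by both instances stands in for a Redis-backed store."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, cookie):
        if cookie is not None and cookie in self.sessions:
            return cookie, self.sessions[cookie]
        new_id = secrets.token_hex(16).upper()          # assumed JSESSIONID format
        self.sessions[new_id] = {"saml_messages": {}}   # per-session SAML message storage
        return new_id, self.sessions[new_id]


class SpInstance:
    def __init__(self, name, store):
        self.name = name
        self.store = store
        self.log = []

    def send_authn_request(self, cookie):
        """GET /saml/login: build the AuthnRequest and remember its ID in the session."""
        session_id, session = self.store.get_or_create(cookie)
        request_id = "a" + secrets.token_hex(15)
        session["saml_messages"][request_id] = "AuthnRequest"
        self.log.append(f"[{self.name}] Storing message {request_id} to session {session_id}")
        return session_id, request_id

    def consume_response(self, cookie, in_response_to):
        """POST /saml/SSO: InResponseTo must match a stored, not yet used request ID."""
        session_id, session = self.store.get_or_create(cookie)
        if session["saml_messages"].pop(in_response_to, None) is None:   # pop: one-time use
            self.log.append(f"[{self.name}] Message {in_response_to} not found in session {session_id}")
            return f"InResponseToField of the Response doesn't correspond to sent message {in_response_to}"
        return "authenticated"


def simulate_login(shared_sessions, sticky, browser_sends_cookie=True):
    """Two instances behind a load balancer; returns the outcome of the ACS POST."""
    if shared_sessions:
        store = SessionStore()
        a, b = SpInstance("instance-A", store), SpInstance("instance-B", store)
    else:
        a, b = SpInstance("instance-A", SessionStore()), SpInstance("instance-B", SessionStore())
    cookie, request_id = a.send_authn_request(cookie=None)   # first request lands on A
    target = a if sticky else b                              # round-robin sends the POST to B
    return target.consume_response(cookie if browser_sends_cookie else None, request_id)


def simulate_replay():
    """Same instance, same session: a second POST reusing the InResponseTo must fail."""
    a = SpInstance("instance-A", SessionStore())
    cookie, request_id = a.send_authn_request(None)
    return a.consume_response(cookie, request_id), a.consume_response(cookie, request_id)


if __name__ == "__main__":
    print("local sessions, round-robin :", simulate_login(shared_sessions=False, sticky=False))
    print("local sessions, sticky      :", simulate_login(shared_sessions=False, sticky=True))
    print("shared sessions, round-robin:", simulate_login(shared_sessions=True, sticky=False))
    print("cookie not sent on POST     :", simulate_login(shared_sessions=True, sticky=True,
                                                          browser_sends_cookie=False))
    print("replayed response           :", simulate_replay())
```

Only the first and fourth scenarios reproduce the quoted failure, and in both the request ID was stored in one session and looked up in another, which is exactly the pattern of session IDs in the CloudWatch search above. Shared session storage or sticky sessions fix the multi-instance case; nothing server-side can help when the browser withholds the cookie on the POST.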

@UPiotr

UPiotr commented Jan 23, 2023

Thanks @tbdrake!

Is there a way to adjust this setting conveniently while using the structurizr/onpremises image from dockerhub rather than editing the .war and building an image?

I've added support for changing this value via a property named structurizr.saml.maxAuthenticationAge in your structurizr.properties file (the value is the number of seconds). This will be available in build 2914+; see https://structurizr.com/share/18571/documentation#max-authentication-age for more.

Thanks @simonbrowndotje :) you're a lifesaver

@marcelofabricanti

Hi,

After using this solution (structurizr.saml.maxAuthenticationAge in properties file) is working well now.

Thanks a lot @tbdrake and @simonbrowndotje !
