I am using Apache 2.2 + Tomcat 7.0 + OKTA (IdP) with the Spring SAML extension. My securityContext.xml looks like this:
MetadataGeneratorFilter:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityBaseURL" value="https://myapp.com/api"/>
        </bean>
    </constructor-arg>
</bean>
ContextProvider:
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="myapp.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/api"/>
    <property name="storageFactory">
        <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
    </property>
</bean>
I trigger the SP-initiated login with the following URL:
https://myapp.com/api/welcome.html
After authentication completes, the browser is redirected to HTTP instead of HTTPS:
http://myapp.com/api/welcome.html
I don't know why the request is being redirected to HTTP. Please help.
Thanks,
Nara
HTTP request dump:
https://docs.google.com/document/d/1mYh-EhDjxMixzZ8krhOg_2fjpTaTu7fuST_nIXAMeVY/edit?usp=sharing
In OKTA, a SAML 2.0 application was created with the following settings:
Single Sign On URL => https://myapp.com/api/saml/SSO
Recipient URL => https://myapp.com/api/saml/SSO
Destination URL => https://myapp.com/api/saml/SSO
Audience Restriction => https://myapp.com/api/saml/metadata
Default Relay State => https://myapp.com/dashboard.html
Name ID Format => Unspecified
Response => Signed
Assertion Signature => Signed
Signature Algorithm => RSA_SHA256
Digest Algorithm => SHA256
Assertion Encryption => Unencrypted
SAML Single Logout => Disabled
authnContextClassRef => PasswordProtectedTransport
Request Compression => Uncompressed
Honor Force Authentication => Yes
SAML Issuer ID => http://www.okta.com/${org.externalKey}
Spring config:
https://docs.google.com/document/d/16iDLcBuwvQ23-mKMFybPfxdIyvqCBi5sbYePgUjl0p4/edit?usp=sharing
Answer 0: (score 0)
I still don't see the real cause, your configuration looks fine, but please try replacing your current successRedirectHandler with the following (replacing the URL with your own, of course) and see whether the problem goes away:
<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="https://yourapp.com/welcome.jsp"/>
</bean>
Answer 1: (score 0)
Make sure your IdP is configured with the correct metadata XML, with https assertion endpoints:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://../saml/SSO" index="0" isDefault="true" />
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://.../saml/SSO" index="1" />
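The two things worth checking here are the public base URL that the SAMLContextProviderLB settings in the question produce, and whether every AssertionConsumerService endpoint published to the IdP is actually https under that base URL (the point of Answer 1). The following is an added example, not code from the question or from Spring SAML: it reconstructs the base URL from the LB properties and scans a constructed SP metadata document for non-https or mismatched endpoints.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (not the asker's real metadata): the HTTP-POST
# endpoint was published over plain http, the HTTP-Artifact endpoint over https.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://myapp.com/api/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://myapp.com/api/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://myapp.com/api/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def expected_base_url(scheme, server_name, server_port, include_port, context_path):
    """Rebuild the public base URL from the SAMLContextProviderLB properties
    (scheme, serverName, serverPort, includeServerPortInRequestURL, contextPath).
    This mirrors what those settings describe; it is not Spring SAML's own code."""
    default_port = {"https": 443, "http": 80}.get(scheme)
    host = server_name
    if include_port or server_port != default_port:
        host = f"{server_name}:{server_port}"
    return f"{scheme}://{host}{context_path}"


def check_acs_endpoints(metadata_xml, base_url):
    """Return one finding per AssertionConsumerService whose Location is not
    https or does not sit under the expected public base URL."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        loc = acs.get("Location", "")
        binding = acs.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        if not loc.startswith("https://"):
            findings.append(f"{binding} index={acs.get('index')}: not https ({loc})")
        elif not loc.startswith(base_url + "/"):
            findings.append(f"{binding} index={acs.get('index')}: outside {base_url} ({loc})")
    return findings


if __name__ == "__main__":
    base = expected_base_url("https", "myapp.com", 443, False, "/api")
    for finding in check_acs_endpoints(SAMPLE_SP_METADATA, base):
        print(finding)
```

Run the same check against the metadata the IdP actually holds for the SP: any finding means the IdP will post the response to an endpoint whose scheme or host does not match the LB settings.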