Spring saml将请求重定向到http

时间:2015-07-09 04:30:53

标签: spring-saml

我正在使用Apache 2.2 + Tomcat 7.0 + OKTA(IdP)的spring saml扩展。 securityContext.xml如下所示:

MetadataGeneratorFilter:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityBaseURL" value="https://myapp.com/api"/>
        </bean>
    </constructor-arg>
</bean>

ContextProvider:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="myapp.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/api"/>
    <property name="storageFactory">
        <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
    </property>
</bean>

我使用以下URL触发SP发起的登录。

https://myapp.com/api/welcome.html

身份验证完成后,浏览器将重定向到HTTP而不是HTTPS。

 http://myapp.com/api/welcome.html

我不知道为什么请求被重定向到HTTP。请帮忙。

由于

奈良

HTTP请求转储:

https://docs.google.com/document/d/1mYh-EhDjxMixzZ8krhOg_2fjpTaTu7fuST_nIXAMeVY/edit?usp=sharing

在OKTA中,创建了一个包含以下元数据的SAML 2.0应用程序:


    Single Sign On URL => https://myapp.com/api/saml/SSO
    Recipient URL => https://myapp.com/api/saml/SSO
    Destination URL => https://myapp.com/api/saml/SSO
    Audience Restriction => https://myapp.com/api/saml/metadata
    Default Relay State => https://myapp.com/dashboard.html
    Name ID Format => Unspecified
    Response => Signed
    Assertion Signature => Signed
    Signature Algorithm => RSA_SHA256
    Digest Algorithm => SHA256
    Assertion Encryption => Unencrypted
    SAML Single Logout => Disabled
    authnContextClassRef => PasswordProtectedTransport
    Request Compression => Uncompressed
    Honor Force Authentication => Yes
    SAML Issuer ID => http://www.okta.com/${org.externalKey}

Spring Config:

https://docs.google.com/document/d/16iDLcBuwvQ23-mKMFybPfxdIyvqCBi5sbYePgUjl0p4/edit?usp=sharing

2 个答案:

答案 0 :(得分:0)

我仍然没有看到真正的原因,您的配置看起来没问题,但请尝试使用以下内容替换当前的successRedirectHandler(当然用您自己的网址替换网址)并查看问题是否消失:< / p>

<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="https://yourapp.com/welcome.jsp"/>
</bean>

答案 1 :(得分:0)

确保您的IDP配置了带有https断言端点的正确元数据XML。

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="**https**://../saml/SSO" index="0" isDefault="true" />
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="**https**://.../saml/SSO" index="1" />