SAMLException
I get the following error, "Assertion invalidated by missing Audience Restriction", when I try to do a SAML login that is started from the identity provider site, without first initiating the request from the service provider site.
My SP metadata:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="urn_test_system_stag_sp_test" entityID="urn:test:system:stag:sp:test"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://mytestsite/samlSlo"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://mytestsite/samlSlo"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://mytestsite/samlAcs?sp=test" index="0"
isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://mytestsite/samlAcs?sp=test"
index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
The exception that I get:
2018-02-15 15:30:24,356 org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
2018-02-15 15:30:24,356 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
2018-02-15 15:30:24,356 at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
2018-02-15 15:30:24,356 at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
2018-02-15 15:30:24,356 at com.test.marlin.action.sso.saml2.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:61)
2018-02-15 15:30:24,356 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356 at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
2018-02-15 15:30:24,356 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356 at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
2018-02-15 15:30:24,356 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:24,356 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
2018-02-15 15:30:24,356 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
2018-02-15 15:30:24,356 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356 at com.test.marlin.action.TstsFilter.doFilter(TstsFilter.java:79)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356 at com.test.mycode.access.InitSessionFilter.doFilter3(InitSessionFilter.java:226)
2018-02-15 15:30:24,356 at com.test.mycode.access.InitSessionFilter.doFilter2(InitSessionFilter.java:160)
2018-02-15 15:30:24,356 at com.test.mycode.access.InitSessionFilter.doFilter(InitSessionFilter.java:95)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356 at com.test.modules.servlet.ForwardFilter.doFilter(ForwardFilter.java:230)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356 at com.test.modules.servlet.FakeIpFilter.doFilter(FakeIpFilter.java:43)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356 at com.test.modules.servlet.ClientIpFilter.doFilter(ClientIpFilter.java:114)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356 at com.test.mycode.frontend.filter.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:98)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356 at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
2018-02-15 15:30:24,356 at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
2018-02-15 15:30:24,356 at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:289)
2018-02-15 15:30:24,356 at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:838)
2018-02-15 15:30:24,356 at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1349)
2018-02-15 15:30:24,356 at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1305)
2018-02-15 15:30:24,357 at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1289)
2018-02-15 15:30:24,357 at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1197)
2018-02-15 15:30:24,357 at com.caucho.network.listen.TcpSocketLink.handleAcceptTaskImpl(TcpSocketLink.java:993)
2018-02-15 15:30:24,357 at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:117)
2018-02-15 15:30:24,357 at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:93)
2018-02-15 15:30:24,357 at com.caucho.network.listen.SocketLinkThreadLauncher.handleTasks(SocketLinkThreadLauncher.java:169)
2018-02-15 15:30:24,357 at com.caucho.network.listen.TcpSocketAcceptThread.run(TcpSocketAcceptThread.java:61)
2018-02-15 15:30:24,357 at com.caucho.env.thread2.ResinThread2.runTasks(ResinThread2.java:173)
2018-02-15 15:30:24,357 at com.caucho.env.thread2.ResinThread2.run(ResinThread2.java:118)
2018-02-15 15:30:24,357 Caused by: org.opensaml.common.SAMLException: Assertion invalidated by missing Audience Restriction
2018-02-15 15:30:24,357 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:431)
2018-02-15 15:30:24,357 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
2018-02-15 15:30:24,357 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
2018-02-15 15:30:24,357 ... 50 more
2018-02-15 15:30:25,939 org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
2018-02-15 15:30:25,939 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
2018-02-15 15:30:25,939 at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
2018-02-15 15:30:25,939 at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
2018-02-15 15:30:25,939 at com.test.marlin.action.sso.saml2.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:61)
2018-02-15 15:30:25,939 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939 at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
2018-02-15 15:30:25,939 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939 at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
2018-02-15 15:30:25,939 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:25,939 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
2018-02-15 15:30:25,939 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
2018-02-15 15:30:25,939 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939 at com.test.marlin.action.TstsFilter.doFilter(TstsFilter.java:79)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939 at com.test.mycode.access.InitSessionFilter.doFilter3(InitSessionFilter.java:226)
2018-02-15 15:30:25,939 at com.test.mycode.access.InitSessionFilter.doFilter2(InitSessionFilter.java:160)
2018-02-15 15:30:25,939 at com.test.mycode.access.InitSessionFilter.doFilter(InitSessionFilter.java:95)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939 at com.test.modules.servlet.ForwardFilter.doFilter(ForwardFilter.java:230)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939 at com.test.modules.servlet.FakeIpFilter.doFilter(FakeIpFilter.java:43)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939 at com.test.modules.servlet.ClientIpFilter.doFilter(ClientIpFilter.java:114)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939 at com.test.mycode.frontend.filter.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:98)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939 at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
2018-02-15 15:30:25,939 at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
2018-02-15 15:30:25,939 at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:289)
2018-02-15 15:30:25,939 at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:838)
2018-02-15 15:30:25,939 at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1349)
2018-02-15 15:30:25,939 at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1305)
2018-02-15 15:30:25,939 at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1289)
2018-02-15 15:30:25,939 at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1197)
2018-02-15 15:30:25,939 at com.caucho.network.listen.TcpSocketLink.handleAcceptTaskImpl(TcpSocketLink.java:993)
2018-02-15 15:30:25,939 at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:117)
2018-02-15 15:30:25,939 at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:93)
2018-02-15 15:30:25,939 at com.caucho.network.listen.SocketLinkThreadLauncher.handleTasks(SocketLinkThreadLauncher.java:169)
2018-02-15 15:30:25,939 at com.caucho.network.listen.TcpSocketAcceptThread.run(TcpSocketAcceptThread.java:61)
2018-02-15 15:30:25,939 at com.caucho.env.thread2.ResinThread2.runTasks(ResinThread2.java:173)
2018-02-15 15:30:25,939 at com.caucho.env.thread2.ResinThread2.run(ResinThread2.java:118)
2018-02-15 15:30:25,939 Caused by: org.opensaml.common.SAMLException: Assertion invalidated by missing Audience Restriction
2018-02-15 15:30:25,939 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:431)
2018-02-15 15:30:25,939 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
2018-02-15 15:30:25,939 at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
... 50 more
Can anyone help me with this?
I found the cause: I did not start the flow from the service provider site (my site), so no SAML request carrying the SAML2 Issuer was sent to the identity provider. The identity provider therefore does not know who the request sender is, and after a successful login on their side the AudienceRestriction is not included in the response, so the SAMLException is thrown.
As a solution, I asked the identity provider to permanently add the following AudienceRestriction to the assertion's Conditions. The Audience value must match my SP's entityID (`urn:test:system:stag:sp:test` in the metadata above), since the SP uses it to verify that the assertion was issued for this service provider and not for another one:
<saml:Conditions NotBefore="2018-02-19T18:51:12.596Z" NotOnOrAfter="2018-02-19T19:51:12.596Z">
<saml:AudienceRestriction>
<saml:Audience>urn:test:system:stag:sp:test</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>