I have a Spring-boot web app that uses SAML authentication provided by https://samltest.id/ .
It works fine on localhost but now I'm trying to put it on a server that has Nginx. Nginx is configured so that any http request is redirected to https and https://myserver.company.com/myApp/ is sent to http://local_ip:local_port/ .
This cfg works fine if the application has no security but with SAML the result is: when I access the home page of the app I'm redirected to the login page (correct) and after successful login I'm redirected to https://myserver.company.com/saml/SSO/ instead of https://myserver.company.com/myApp/saml/SSO so Nginx gives a 404.
The metadata.xml contains:

```xml
<md:AssertionConsumerService Location="http://myserver.company.com:80/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
<md:AssertionConsumerService Location="http://myserver.company.com:80/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"/>
```
Note that URLs are http-based.
After a lot of Google searching I have tried the following: I modified the SAMLProcessingFilter configuration so that the filterProcessesUrl property is "/myApp/saml/SSO" instead of the default value "/saml/SSO".
Now the metadata.xml contains:

```xml
<md:AssertionConsumerService Location="http://myserver.company.com:80/myApp/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
<md:AssertionConsumerService Location="http://myserver.company.com:80/myApp/saml/SSO"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"/>
```
and after login I'm redirected to https://myserver.company.com/myApp/saml/SSO but this time I get a 404 from the web application instead of Nginx (the error page is different).
What am I missing?
I have then reverted the SAMLProcessingFilter cfg to its default and set the entityBaseURL property of MetadataGenerator to https://myserver.company.com/myApp . Now, after a successful login I'm redirected to https://myserver.company.com/myApp/saml/SSO as expected but I get a 401 from the application with message "Authentication Failed: Incoming SAML message is invalid" and in the application log there is "org.opensaml.common.SAMLException: Unsupported request".
After several attempts I have found the solution.

No need to modify SAMLProcessingFilter or the context root. The key is to use SAMLContextProviderLB instead of SAMLContextProviderImpl, as described in the chapter "Advanced configuration" of the manual. Also the entityBaseURL change already described in my question is necessary (it is in the manual too).
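The two beans the answer refers to, written out as an added Java configuration example (not the poster's own code). It assumes the public host, https scheme, port 443 and the /myApp context path from the question; the rest of the app's SAML wiring (key manager, SAMLProcessingFilter on its default /saml/SSO URL, entity ID) is assumed to stay as it already is.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

@Configuration
public class SamlBehindNginxConfig {

    // Public URL the browser and the IdP use. Behind Nginx the servlet only
    // sees http://local_ip:local_port, so these values (assumptions taken
    // from the question) must be configured explicitly.
    private static final String PUBLIC_SCHEME = "https";
    private static final String PUBLIC_HOST = "myserver.company.com";
    private static final int PUBLIC_PORT = 443;
    private static final String PUBLIC_CONTEXT_PATH = "/myApp";

    // SAMLContextProviderLB replaces SAMLContextProviderImpl. Spring SAML
    // matches the URL of the incoming request against the endpoints declared
    // in its own metadata; with the default provider that URL is the internal
    // http one the proxy forwards, no endpoint matches, and the login fails
    // with "Unsupported request". The LB provider rebuilds the request URL
    // from the public values below instead.
    @Bean
    public SAMLContextProviderLB contextProvider() {
        SAMLContextProviderLB lb = new SAMLContextProviderLB();
        lb.setScheme(PUBLIC_SCHEME);
        lb.setServerName(PUBLIC_HOST);
        lb.setServerPort(PUBLIC_PORT);
        lb.setIncludeServerPortInRequestURL(false); // https on 443: no ":443"
        lb.setContextPath(PUBLIC_CONTEXT_PATH);
        return lb;
    }

    // entityBaseURL makes the generated metadata advertise the public ACS
    // URL https://myserver.company.com/myApp/saml/SSO instead of the
    // http://...:80/saml/SSO seen in the question. Both settings must agree,
    // otherwise the IdP posts to one URL and the app expects another.
    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityBaseURL(PUBLIC_SCHEME + "://" + PUBLIC_HOST + PUBLIC_CONTEXT_PATH);
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }
}
```

After changing entityBaseURL, re-download the app's metadata and re-register it at the IdP (samltest.id in the question), since the ACS Location in the previously uploaded metadata is now stale.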