“HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid” spring-saml app and VMWare Horizon

Question

We have application using spring saml auth, in combination with VMWare Horizon. We have been successfully using the application, but with the migration to new Horizon Workspace 2.0 there are issues.

Below is the debug log from catalina.out. All I see is that SAML is invalid, but don't understand why.

  DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdUsingDOM() Search for ID http___app.application.us_app_saml_metadata_alias_defaultAlias
    2014-07-02 14:47:47,846 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - I could find an Element using the simple getElementByIdUsingDOM method: md:EntityDescriptor
    2014-07-02 14:47:47,846 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.resolver.implementations.ResolverFragment - Try to catch an Element with ID http___app.application.us_app_saml_metadata_alias_defaultAlias and Element was [md:EntityDescriptor: null]
    2014-07-02 14:47:47,848 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
    2014-07-02 14:47:47,848 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.transforms.Transforms - Perform the (0)th http://www.w3.org/2000/09/xmldsig#enveloped-signature transform
    2014-07-02 14:47:47,849 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
    2014-07-02 14:47:47,854 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input:
    2014-07-02 14:47:47,855 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.DigesterOutputStream - <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___app.application.us_app_saml_metadata_alias_defaultAlias" entityID="http://app.application.us/app/saml/metadata/alias/defaultAlias"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly
    LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx
    FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN
    MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu
    c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV
    MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN
    BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb
    uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1
    qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF
    AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF
    njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH
    STdzW1akQ9dX2Et/8TiJe6SHuQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly
    LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx
    FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN
    MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu
    c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV
    MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN
    BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb
    uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1
    qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF
    AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF
    njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH
    STdzW1akQ9dX2Et/8TiJe6SHuQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://app.application.us/app/saml/SingleLogout/alias/defaultAlias"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://app.application.us/app/saml/SingleLogout/alias/defaultAlias"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="0" isDefault="true"></md:AssertionConsumerService><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="1"></md:AssertionConsumerService><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="2"></md:AssertionConsumerService><md:AssertionConsumerService xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="http://app.application.us/app/saml/HoKSSO/alias/defaultAlias" index="3" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"></md:AssertionConsumerService><md:AssertionConsumerService xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="http://app.application.us/app/saml/HoKSSO/alias/defaultAlias" index="4" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"></md:AssertionConsumerService></md:SPSSODescriptor></md:EntityDescriptor>
    2014-07-02 14:47:47,858 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.SignerOutputStream - Canonicalized SignedInfo:
    2014-07-02 14:47:47,858 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.SignerOutputStream - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#http___app.application.us_app_saml_metadata_alias_defaultAlias"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>p/YIWZw2jbJJB4tTVBrLt5jmLrM=</ds:DigestValue></ds:Reference></ds:SignedInfo>
    2014-07-02 14:47:47,888 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpConnection - Open connection to gateway-va.application.us:443
    2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Closing the connection.
    2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Method retry handler returned false. Automatic recovery will not be attempted
    2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpConnection - Releasing connection back to connection manager.
    2014-07-02 14:47:52,893 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2014-07-02 14:47:52,894 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    2014-07-02 14:47:52,894 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3e0a52d3. A new one will be created.
    2014-07-02 14:47:52,897 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
    2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/login/**'
    2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/logout/**'
    2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/metadata/**'
    2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/sso/**'
    2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 1 of 1 in additional filter chain; firing Filter: 'SAMLProcessingFilter'
    2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Request is to process authentication
    2014-07-02 14:47:52,959 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "")
    2014-07-02 14:47:52,959 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "")
    2014-07-02 14:47:52,960 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "")
    2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "")
    2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "")
    2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "")
    2014-07-02 14:47:52,972 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Reference", "")
    2014-07-02 14:47:52,972 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transforms", "")
    2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdType() Search for ID _99f9607e4086b3e566244a576acf6b69
    2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdUsingDOM() Search for ID _99f9607e4086b3e566244a576acf6b69
    2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - I could find an Element using the simple getElementByIdUsingDOM method: samlp:Response
    2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
    2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
    2014-07-02 14:47:52,974 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
    2014-07-02 14:47:52,976 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
    2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Updated SecurityContextHolder to contain null Authentication
    2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@5409ae
    2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
    2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    2014-07-02 14:47:52,979 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    2014-07-02 14:48:07,001 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/web/**'
    2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/logout.jsp'
    2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/favicon.ico'
    2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
    2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@33125360. A new one will be created.
    2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
    2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/login/**'
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/logout/**'
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/metadata/**'
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/sso/**'
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/ssohok/**'
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/singlelogout/**'
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/discovery/**'
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp has no matching filters
    2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
    2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
    2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/app/; arg2=/app/ (property equals)
    2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverPort: arg1=8080; arg2=8080 (property equals)
    2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURL: arg1=http://application.us:8080/app/; arg2=http://application.us:8080/app/ (property equals)
    2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - scheme: arg1=http; arg2=http (property equals)
    2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverName: arg1=application.us; arg2=application.us (property equals)
    2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - contextPath: arg1=/app; arg2=/app (property equals)
    2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - servletPath: arg1=/index.jsp; arg2=/index.jsp (property equals)
    2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - Removing DefaultSavedRequest from session if present
    2014-07-02 14:48:07,009 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    2014-07-02 14:48:07,011 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    2014-07-02 14:48:07,012 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 606210049192D854D1A0CB2BBB41861D; Granted Authorities: ROLE_ANONYMOUS'
    2014-07-02 14:48:07,012 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
    2014-07-02 14:48:07,013 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    2014-07-02 14:48:07,013 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
    2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 606210049192D854D1A0CB2BBB41861D; Granted Authorities: ROLE_ANONYMOUS
    2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1ab2e368, returned: 0
    2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@566fce89, returned: -1
    2014-07-02 14:48:07,018 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1044)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:701)
    2014-07-02 14:48:07,021 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://application.us:8080/app/]
    2014-07-02 14:48:07,022 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
    2014-07-02 14:48:07,023 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    2014-07-02 14:48:07,023 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

In Horizon log I see one error, not sure if this is related or not:

2014-07-01 21:02:20,610 ERROR (tomcat-http--38) [GATEWAY-VA;5f81ce6f-66c5-48d0-b7fd-1b8876bb8960;50.174.63.9] com.tricipher.saas.assertion.Saml20Saas - No encryption certificates provided, encrypted attribute password not included in SAML

We already installed horizon certificate in tomcat java keystone hosting our SP, but no effect. Any help is appreciated.

Answer 1

There's a feature in Spring SAML which enables you to change the URL as seen by the extension. You can find details in the manual (chapter 9.1). The configuration is done by changing the context provider bean to e.g.:

  <bean id="contextProvider"
  class="org.springframework.security.saml.context.SAMLContextProviderLB">
      <property name="scheme" value="http"/>
      <property name="serverName" value="app.application.us"/>
      <property name="serverPort" value="80"/>
      <property name="includeServerPortInRequestURL" value="false"/>
      <property name="contextPath" value="/app"/>
  </bean>

Of course you can also just change the metadata to include the correct URLs.