
Spring SAML Extension seems to disregard the query string param configured in the IdP XML. Here is the configuration:

   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<provier host>/saml/?query1=xxx&amp;query2=yyy"/>

1) When the SSO request gets redirected, the SAML extension seems to strip anything after ? and sends only the SAMLRequest query string param.

2) Also, I wanted to modify the query string param value based on some configuration so that I can hit environment-specific endpoints for testing and development.

Is there a way to intercept the redirection request before the redirection to satisfy the above needs?

webjockey

2 Answers


The query parameters are removed by the underlying OpenSAML library in class org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder. You can extend this class, override method buildRedirectURL and add parameters as you need to the constructed URL. Your implementation would then need to be added to bean org.springframework.security.saml.processor.HTTPRedirectDeflateBinding using its constructor which accepts instances of MessageDecoder and MessageEncoder.

Vladimír Schäfer
  • Thanks. I was debugging it and found that the OpenSAML library strips off the query string after I posted the question. I also tried to update the URL through samlmessagecontext.getPeerEntityRoleMetadata().getEndpoints() and then the singlesignon service, but it did not work. I am going to try the solution that you suggested here. – webjockey Jan 09 '15 at 15:37
  • This did not work for me trying to override the HTTPRedirectDeflateEncoder with a new HttpRedirectDeflateBinding bean with a high precedence. I posted my effort on SO: https://stackoverflow.com/questions/48551925/saml-http-request-intercept-with-spring-boot Overriding the bean doesn't seem to take effect, and the query params added in the IdP metadata continue to get stripped. – Fratt Feb 02 '18 at 15:33
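The approach from the answer above, written out as an added example (not code from the answer or from the Spring SAML / OpenSAML projects). It assumes the OpenSAML 2.x signature of buildRedirectURL; the class name QueryPreservingRedirectEncoder and the overrides map (the environment-specific values from part 2 of the question) are my own. The key detail is that the extra parameters are spliced in after the superclass has built and signed the URL, since the HTTP-Redirect signature must cover only SAMLRequest, RelayState and SigAlg; the encoder also refuses endpoint URLs that try to carry those binding parameter names, so metadata cannot shadow them.

```java
import java.util.*;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.ws.message.encoder.MessageEncodingException;

// Keeps the query string configured on the IdP SingleSignOnService endpoint. Wire it as
// new HTTPRedirectDeflateBinding(new HTTPRedirectDeflateDecoder(parserPool),
//                                new QueryPreservingRedirectEncoder(overrides))
public class QueryPreservingRedirectEncoder extends HTTPRedirectDeflateEncoder {

    // Names owned by the HTTP-Redirect binding; a metadata endpoint must not carry them.
    private static final Set<String> RESERVED = new HashSet<String>(
            Arrays.asList("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature"));
    // Hypothetical per-environment values (already URL-encoded), e.g. query2 -> "dev". Only
    // names present in the configured endpoint URL are overridden, never added.
    private final Map<String, String> overrides;

    public QueryPreservingRedirectEncoder(Map<String, String> overrides) {
        this.overrides = overrides == null ? Collections.<String, String>emptyMap() : overrides;
    }

    @Override
    protected String buildRedirectURL(SAMLMessageContext ctx, String endpointURL, String message)
            throws MessageEncodingException {
        // Let OpenSAML build and (when a signing credential is set) sign the URL first: the
        // redirect signature covers SAMLRequest/RelayState/SigAlg only, so the extra
        // parameters must be spliced in afterwards or they would corrupt the signed material.
        String samlURL = super.buildRedirectURL(ctx, endpointURL, message);
        int q = endpointURL.indexOf('?');
        if (q < 0 || q == endpointURL.length() - 1) return samlURL; // nothing to preserve
        Map<String, String> params = new LinkedHashMap<String, String>();
        for (String pair : endpointURL.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (RESERVED.contains(name)) {
                throw new MessageEncodingException("Endpoint URL carries binding parameter: " + name);
            }
            params.put(name, eq < 0 ? "" : pair.substring(eq + 1)); // value kept as configured
        }
        for (Map.Entry<String, String> e : overrides.entrySet()) {
            if (params.containsKey(e.getKey())) params.put(e.getKey(), e.getValue());
        }
        int samlQ = samlURL.indexOf('?');
        StringBuilder merged = new StringBuilder(samlURL.substring(0, samlQ + 1));
        for (Map.Entry<String, String> e : params.entrySet()) {
            merged.append(e.getKey()).append('=').append(e.getValue()).append('&');
        }
        return merged.append(samlURL.substring(samlQ + 1)).toString();
    }
}
```

For the endpoint from the question this yields https://host/saml/?query1=xxx&query2=yyy&SAMLRequest=...&SigAlg=...&Signature=..., with the SAML parameters in the order and form OpenSAML produced them.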

Hit this exact issue with the new Google Apps SAML IDP Federated SSO. Vladimír's suggestion above helped me solve the problem. Here is the exact error I was getting to enable others to find the solution.

400. That’s an error.

Invalid Request, no idpId in request URL, check if SSO URL is configured properly on SP side. That’s all we know.

Kenneth Dixon