
OpenSamlAuthenticationProvider.validateSaml2Response throws the auth exception shown below due to a mismatch between the HttpServletRequest URL and the Destination URL configured in the IDP:

    if (StringUtils.hasText(samlResponse.getDestination()) && !recipient.equals(samlResponse.getDestination())) {
        throw this.authException("invalid_destination", "Invalid SAML response destination: " + samlResponse.getDestination());
    }
    ...
  • The HttpServletRequest URL returns the hostname of the app server from which the SAML request originated (localhost:port) rather than the DNS name.
  • Our app is behind a load balancer.
  • We attempted to add a proxyName and proxyHost to the Http Connector in Tomcat. We still had a mismatch in protocol and we're not convinced this is the correct approach.
  • This must have been such a common issue that the Spring SAML Extension - which we are NOT using - has a config class to deal with this exact issue.
  • I don't think we can use an interceptor because the HttpServletRequest URL is not modifiable.

Wondering if anyone else has dealt with something similar and figured out a solution.

neal

1 Answer

First of all, let's determine where the mismatch is by enabling detailed logging; e.g. for log4j the configuration snippet will be something like below:

...
log4j.logger.org.springframework.security.saml2.provider.service.authentication=TRACE
log4j.logger.org.opensaml.saml.saml2.assertion.impl=TRACE

Second, let's craft a RelyingPartyRegistrationRepository like below (the invocation of assertionConsumerServiceLocation will override the value from the metadata):

import org.springframework.context.annotation.Bean;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

@Bean
public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository1() {
    // Literal ACS URL (no {baseUrl} template), so it is not derived from the incoming request
    String consumerServiceLocationFixed = "https://some_host:some_port/some_path/login/saml2/sso/{registrationId}";
    RelyingPartyRegistration rp = RelyingPartyRegistrations
            .fromMetadataLocation("assertingPartyMetadataLocation")
            .assertionConsumerServiceLocation(consumerServiceLocationFixed) // overrides the ACS taken from metadata
            .registrationId("some_idp")
            .build();
    return new InMemoryRelyingPartyRegistrationRepository(rp);
}

For more info, don't hesitate to look into the amazing https://docs.spring.io/spring-security/site/docs/5.4.1/reference/html5/#servlet-saml2 documentation (much better than the documentation of the old https://spring.io/projects/spring-security-saml).

snieguu
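The same request-derived `{baseUrl}` problem affects every templated URL in the registration, not just the ACS, so as an added example (not code from the question or the answer above) here is one configuration class that pins all of them to the externally visible host read from a property, and refuses to start if that host is not a public HTTPS URL. The property names `saml.public-base-url` and `saml.idp-metadata` are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

@Configuration
public class Saml2PublicUrlConfig {

    private static final String REGISTRATION_ID = "some_idp";

    // Hypothetical property: scheme + public DNS name, no trailing slash, e.g. https://sso.example.org
    @Value("${saml.public-base-url}")
    private String publicBaseUrl;

    // Hypothetical property: IdP metadata URL or classpath:/file location
    @Value("${saml.idp-metadata}")
    private String idpMetadataLocation;

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        String base = requirePublicHttpsUrl(publicBaseUrl);

        // Spring Security's default templates contain {baseUrl}, which is resolved from the incoming
        // HttpServletRequest. Behind a load balancer that yields localhost:port, so the Destination
        // comparison in OpenSamlAuthenticationProvider fails. Literal URLs never touch the request.
        String acsUrl = base + "/login/saml2/sso/" + REGISTRATION_ID;
        String entityId = base + "/saml2/service-provider-metadata/" + REGISTRATION_ID;

        RelyingPartyRegistration rp = RelyingPartyRegistrations
                .fromMetadataLocation(idpMetadataLocation)
                .registrationId(REGISTRATION_ID)
                .entityId(entityId)                          // default is also {baseUrl}-templated
                .assertionConsumerServiceLocation(acsUrl)    // must equal the Destination the IdP sends
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(rp);
    }

    // Fail fast on misconfiguration instead of silently accepting a loopback or plain-HTTP value,
    // which would only reproduce the Destination mismatch in production.
    static String requirePublicHttpsUrl(String url) {
        if (url == null || !url.startsWith("https://") || url.endsWith("/")
                || url.contains("localhost") || url.contains("127.0.0.1")) {
            throw new IllegalStateException("saml.public-base-url must be an https URL with the public host, got: " + url);
        }
        return url;
    }
}
```

The values must match exactly what the IdP has registered for this SP (including scheme and port), since the Destination check is a string comparison.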