0

I'm using Spring Security 4.2.13.RELEASE and spring-security-saml2-core 1.0.10.RELEASE. The idp is Google (and I don't have access to its configuration).

My application is run on a tomcat-like server. After this short briefing, my issue!

Often, users complain about connection problems: they are connected to their IdP, and when they try to access my application they land on an error page. This page says "Authentication Failed: Error validating SAML message". If they clear their web browser cache, they get the correct redirection to the IdP and can connect to my application.

Why does this error appear? The configuration seems to be right, since it works after they clear their cache.

I have changed the session timeout of Tomcat to match the IdP's; I also changed maxAuthenticationAge and maxAssertionTime of WebSSOProfileConsumerImpl and WebSSOProfileConsumerHoKImpl, but the problem is still there.

What should I do?

Benoît
  • You first need to get the logs with the exception and provide it here. The mentioned error is thrown for different causes, so it's impossible to tell without the logs. – Bernhard Thalmayr Jan 23 '20 at 07:10
  • Unfortunately, no exception is thrown. My logs are at warn level, so I should see every code issue. There is nothing about the issue in the log. – Benoît Jan 24 '20 at 10:15
  • You may have to raise the log level for 'opensaml' as well. If a HTTP POST binding is used to send the SAML response, you may inspect the SAML message yourself via browser plugin or extract the SAML response and validate it with https://www.samltool.com/validate_response.php – Bernhard Thalmayr Jan 29 '20 at 07:12

1 Answer

0

I have changed the log level. The error was a session duration that was too short. In the log there is a stack trace, but this trace is only shown in debug mode. maxAuthenticationAge was the right property to modify; I made a mistake in the duration computation.

Benoît
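The answer above confirms that the property to adjust is `maxAuthenticationAge` on the profile consumers, and that the original mistake was in computing the duration. The following Java configuration is an added example written for this page; it is not the asker's configuration nor code from the Spring Security SAML project. It assumes a Java-config setup with the same two consumer beans the question mentions (`WebSSOProfileConsumerImpl` and `WebSSOProfileConsumerHoKImpl`), and the 8-hour value is an assumed IdP session length, not something the page states. The point it shows is that `setMaxAuthenticationAge` takes seconds, so the value is derived from a `Duration` instead of being typed by hand, which is where a milliseconds-versus-seconds slip usually creeps in.

```java
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

/**
 * Example (not the project's or the asker's own code): configures the SAML
 * profile consumers so that the accepted age of an IdP authentication
 * matches the IdP's session length.
 */
@Configuration
public class SamlTimingConfig {

    // Assumed IdP session length; align this with what the IdP actually uses.
    private static final Duration IDP_SESSION = Duration.ofHours(8);

    // Spring Security SAML expects this value in SECONDS (default 7200).
    // Deriving it from a Duration avoids hand-computed seconds/milliseconds errors.
    private static final long MAX_AUTHENTICATION_AGE_SECONDS = IDP_SESSION.getSeconds();

    // Maximum accepted lifetime of the assertion itself, also in seconds (default 3000).
    private static final int MAX_ASSERTION_TIME_SECONDS = 3000;

    // Tolerated clock skew between SP and IdP, in seconds (default 60).
    private static final int RESPONSE_SKEW_SECONDS = 60;

    @Bean
    public WebSSOProfileConsumer webSSOprofileConsumer() {
        WebSSOProfileConsumerImpl consumer = new WebSSOProfileConsumerImpl();
        // AuthnInstant older than this (relative to now) is rejected and the
        // user sees "Error validating SAML message" unless they re-authenticate.
        consumer.setMaxAuthenticationAge(MAX_AUTHENTICATION_AGE_SECONDS);
        consumer.setMaxAssertionTime(MAX_ASSERTION_TIME_SECONDS);
        consumer.setResponseSkew(RESPONSE_SKEW_SECONDS);
        return consumer;
    }

    @Bean
    public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
        WebSSOProfileConsumerHoKImpl consumer = new WebSSOProfileConsumerHoKImpl();
        // Keep the Holder-of-Key consumer consistent with the plain consumer.
        consumer.setMaxAuthenticationAge(MAX_AUTHENTICATION_AGE_SECONDS);
        consumer.setMaxAssertionTime(MAX_ASSERTION_TIME_SECONDS);
        consumer.setResponseSkew(RESPONSE_SKEW_SECONDS);
        return consumer;
    }
}
```

Two practical notes. First, this is why clearing the browser cache "fixed" it: the IdP was reusing an older authentication (an old `AuthnInstant` in the assertion) for users who still had an IdP session, and once that instant was older than `maxAuthenticationAge` the consumer rejected it; forcing a fresh login produced a recent `AuthnInstant` that passed. Second, the rejection is logged with its stack trace only at DEBUG, as the answer notes, so to see the actual cause set the `org.springframework.security.saml` and `org.opensaml` loggers to DEBUG in your logging configuration while diagnosing. Do not simply make the age enormous to silence the error: `maxAuthenticationAge` is the SP's own freshness check on how old an IdP login it will accept, so pick the value deliberately to match the IdP session policy.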