SAMLException: Response has invalid status code status message is null
Solution 1
My guess the issue is about signature algorithm. Spring SAML uses SHA-1 by default and ADFS expects SHA-256. Mismatch between the two manifests itself in the way you are experiencing.
You can verify this hypothesis, or find another reason for this behavior, by looking at ADFS's event log.
Solution 2
We ran into this same problem, and the problem was a mismatch between Spring wanting SHA-1 and ADFS wanting SHA-256. However, our customer wanted us to upgrade Spring Security SAML to use SHA-256 rather than downgrading ADFS to use SHA-1.
The following shows you how to upgrade Spring Security to SHA-256.
- spring-security-adfs-saml2 example project on GitHub
- Configure Spring Security SAML to use SHA-256 as secure hash algorithm
- Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms
Omri Shneor
Updated on June 13, 2022Comments
-
Omri Shneor almost 2 years
Im trying to implement spring-securtiy-saml integration as a SP with an adfs system, and im bumping my head for some days now with this exception happening when SAMLResponnse is sent back from the ADFS after successful authentication and the following exception is thrown. this is the DEBUG log:
2017-10-02 18:05:09,246 - DEBUG [http-apr-443-exec-9] BaseMessageEncoder - Successfully encoded message. 2017-10-02 18:05:09,246 - INFO [http-apr-443-exec-9] SAMLDefaultLogger - AuthNRequest;SUCCESS;208.95.100.30;saml2.glassboxdigital.com;http://this/is/a/valid/url;;; 2017-10-02 18:05:09,859 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Request is to process authentication 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain a descriptor for entity saml2.glassboxdigital.com 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity saml2.glassboxdigital.com 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity saml2.glassboxdigital.com 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com 2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing' 2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion' 2017-10-02 18:05:09,862 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl' 2017-10-02 18:05:09,863 - DEBUG [http-apr-443-exec-3] SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 2017-10-02 18:05:09,864 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter 2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML relay state of: https://console-ex-saml.glassboxcloud.com/webinterface/webui/ 2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Getting Base64 encoded message from request 2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Parsing message stream into DOM document 2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Unmarshalling message DOM 2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element 2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Constructing Apache XMLSignature object 2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature 2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding KeyInfo to Signature 2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Message succesfully unmarshalled 2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML message 2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response 2017-10-02 18:05:09,872 - DEBUG [http-apr-443-exec-3] PROTOCOL_MESSAGE - <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO" ID="_f33a822d-ca9c-4f55-92fd-325454f92f66" InResponseTo="a2g8hci4d0e1aa891bcj1d03ci51c29" IssueInstant="2017-10-02T18:05:12.972Z" Version="2.0"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">valid.issuer</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_f33a822d-ca9c-4f55-92fd-325454f92f66"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>XC9VCfj8MgDg/c5PaT/KPIWoAHn67SI2gHU937SILbc=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>wfvDzv0cONrCjWi7k02oyISk16ABYY8UdG2CuP8Dg4jHcWL64Lp5lO3wvmNkcNX87tXN41ndqIIHupuKkqcLvqQs07fprxrIhkmDrScEkJObWD1pkNahUp24ERlOGt+fDWMcfWNpERpgHGU2O/FlH7kRUsj+LCxD3o1FQAHhXJeBVA1lbI6B+dOfyT2zLgpmS1jkaKLX/AKsc/56dvzDIUP5ElF5eMQdwuNmapmvCynSDSalP/v1KVn9pf12ShjiQh/oku4CtAXSgnjFbrg752EtGoaT80foIkooMjJQMSjC/CjHIGAMVEuTJraXUVdvgKPao5rC85OkFdOOoDYtOg==</ds:SignatureValue> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate>MIIFFzCCA/+gAwIBAgIETCPgRjANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xNDA4MTIxODE5MTJaFw0xODEwMTMwMjI0MTlaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMREwDwYDVQQHEwhCZWxsZXZ1ZTEWMBQGA1UEChMNRXhwZWRpYSwgSW5jLjEYMBYGA1UEAxMPc3NvLmV4cGVkaWEuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2nGjBS3eZkuPHyjIFsMT8Ex19ywmOUXxDI051/ZVFcCmbNFlKJrfbhxO0PpX1mOv3REC0SC22bwdQGDH35JVSmPq7NR52S0Q/RwVDUb9mXs86d6q/BACm5KfHavsXXbMKrCQSQzHBeMoMS6cQIvUgtmvfjnpJ6tYp+OF2MK6sa568cy34C3m63O66Kt/tFOZwGg8qmJCXdEpCtHR3TEiqmtoHc/A4XbhSg9BR/6+Z8kZb8T7AeKh69BPy5U7SuaW0ifOpS4TigONkqn3vPQkxjtosYL3X0/+WBaHDbA642H4wMBa9cWrMBp6u9u2NBulK82HVrdJB6iC8rZLsD7twIDAQABo4IBfjCCAXowCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L2xldmVsMWMuY3JsMGQGCCsGAQUFBwEBBFgwVjAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwLwYIKwYBBQUHMAKGI2h0dHA6Ly9haWEuZW50cnVzdC5uZXQvMjA0OC1sMWMuY2VyMEoGA1UdIARDMEEwNQYJKoZIhvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjAaBgNVHREEEzARgg9zc28uZXhwZWRpYS5iaXowHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFDsc7/1fpNaaFgJ1jKZfWmBD9WJ4MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAH97BdZzQIHGzyONbs1uLw71HJhWp3PtubbJ4aBRtmfopgJV/X/u4MfkKO8MokDY/oqN+PQLc0NwT6hfSWiclpOjWSW3u35IFQZTU+stT41/T41gvRHmnfCL3QuB+qNeQdWiDtWKAsJUUlx1Qn90BC23fbyiJptbppP3MDLbbf09grfifW0tJ4ThYOv4JkC/W3rtCiu6XryUWtFtz+RtwWtlSL5dxJnEE7VDvUcOSC+6dywb4dO/bSfYA1/gdbWXImsU+4124eC4DztWChDIMqCVqQObkNYdb9MsRr7itC+ezXVorKXzWhwG2FlNV8TjcCRgTKgdVFyw9+KMPXzFX+Q=</ds:X509Certificate> </ds:X509Data> </KeyInfo> </ds:Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/> </samlp:Status> </samlp:Response> 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Enveloped signature transform 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Exclusive C14N signature transform 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Attempting to verify signature on signed SAML protocol message using context issuer message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Forcing on-demand metadata provider refresh if necessary 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Attempting to retrieve credentials from cache using index: [blabla,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING] 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Retrieved credentials from cache using index: [blabla,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING] 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to verify signature and establish trust using KeyInfo-derived credentials 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Found 0 key names: [] 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider 2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Attempting to extract credential from an X509Data 2017-10-02 18:05:09,874 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 1 X509Certificates 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 0 X509CRLs 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Single certificate was present, treating as end-entity certificate 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Attempting to validate signature using key from supplied credential 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Creating XMLSignature object 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Signature validated with key from supplied credential 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Signature validation using candidate credential was successful 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential 2017-10-02 18:05:09,875 - INFO [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Authentication via protocol message signature succeeded for context issuer entity ID blabla 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Successfully decoded message. 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Intended message destination endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Actual message receiver endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO 2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint 2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@41fbfcbf for request URL https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO based on location attribute in metadata 2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLAuthenticationProvider - Error validating SAML message org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) 2017-10-02 18:05:09,876 - INFO [http-apr-443-exec-3] SAMLDefaultLogger - AuthNResponse;FAILURE;208.95.100.30;saml2.glassboxdigital.com;blabla;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745)
Ive been going over some questions in SO:
and more, allmost all of them seem to deem this issue as a problem with outdated keys in the keystore or a problem with the the signing of the message. initially I thought that the problem was with the signing of the message(adfs expects RSA-SHA256 and the default by open saml is RSA-SHA1). but Ive fixed it as seen here:
SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
the keystore dosent seem to be a problem aswell since the idp certificate is hardcoded in the metadata imported from the idp. the problem seems to be originated from line 113 from WebSSOProfileConsumerImpl.java the method processAuthenticationResponse is checking in line 107 if the statusCode value is equal to
urn:oasis:names:tc:SAML:2.0:status:Success
however in the repsone we receive from the idp the status code is equal tourn:oasis:names:tc:SAML:2.0:status:Responder
im wondering if this a problem on our side in the SAMLRequest or something else, or if this is a problem from the adfs side. any ideas why is this happening?