After 1 week of Spring Security SAML Sample App to Ping (PingIdentity) integration effort, I am almost done... now I have an "InResponseToField of the Response doesn't correspond to sent message" error (below). Here are the request and response; as you can see, the ID and InResponseTo do match, no?
Request ***
2017-09-20 11:02:07 DEBUG PROTOCOL_MESSAGE:74 -
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://hostwithapp:8443/app1/saml/SSO" Destination="https://hostwithping:9031/idp/SSO.saml2" ForceAuthn="false" ID="a1je2ba47j27cdid2h74507gii19bgj" IsPassive="false" IssueInstant="2017-09-20T09:02:07.956Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a1je2ba47j27cdid2h74507gii19bgj">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>rnJ2+WxLofXdY71JMpCyzvxjeI8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>EHlnvY+rGsrq/KjFo7nhAjkirmy+HXpfPLSBr+FuCCm85fr3Z+yJupvYJlMXtwl/PM6NN3kXEecGA1oanUjnshb5o85QNY1v/PucZccGUr+kxWRc2F3YnDOazAjt8WXV5R1QJIPlf8Hank/7nqgylt35cftWitmcFuth0SSaT9N/gWXj7FvhwvEyO38Hh5W9OEQrZlPBimI6g2LdhM8IjuzXQYdmP5rADu0WQbIx48oRnVMKpaiG/7D7GxVDtT+5F/0Jr/cDo/slhAv3LjhGbuqoX0tUIngdUM+egODW6KnHHj9GAYdTM7XGBlLuIgGPeOQUpbPrf0WtzswzHVqXpw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDQDCCAiigAwIBAgIGAVzUOBXsMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNVBAYTAkFUMSgwJgYD…</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
Response ***
2017-09-20 11:02:09 DEBUG BaseSAML2MessageDecoder:115 - Extracting ID, issuer and issue instant from status response
2017-09-20 11:02:09 INFO stdout:71 - 2017-09-20 11:02:09 DEBUG PROTOCOL_MESSAGE:113 -
2017-09-20 11:02:09 INFO stdout:71 - <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="vr.9BGHJqgMjrb_LZuq261qE9M8" InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" IssueInstant="2017-09-20T09:02:01.717Z" Version="2.0">
2017-09-20 11:02:09 INFO stdout:71 - <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml:Issuer>
2017-09-20 11:02:09 INFO stdout:71 - <samlp:Status>
2017-09-20 11:02:09 INFO stdout:71 - <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
2017-09-20 11:02:09 INFO stdout:71 - </samlp:Status>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="mbPkcKjMO1j2AuxzPEbK-5DY73T" IssueInstant="2017-09-20T09:02:01.748Z" Version="2.0">
2017-09-20 11:02:09 INFO stdout:71 - <saml:Issuer>app1</saml:Issuer>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
2017-09-20 11:02:09 INFO stdout:71 - <ds:SignedInfo>
2017-09-20 11:02:09 INFO stdout:71 - <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Reference URI="#mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO stdout:71 - <ds:Transforms>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO stdout:71 - </ds:Transforms>
2017-09-20 11:02:09 INFO stdout:71 - <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:DigestValue>EBqN6ZmIBFy69PsA3vxAMhvKPdSLiwUykRPlMnsxrnU=</ds:DigestValue>
2017-09-20 11:02:09 INFO stdout:71 - </ds:Reference>
2017-09-20 11:02:09 INFO stdout:71 - </ds:SignedInfo>
2017-09-20 11:02:09 INFO stdout:71 - <ds:SignatureValue>
2017-09-20 11:02:09 INFO stdout:71 - lEDbj7QYOpoAF6Zf6g7mD1J1i01iGHJZiSeZ5EmAvH+yyylrtZDzwvpikrXTiBrTjoJzYm0a6qSC
2017-09-20 11:02:09 INFO stdout:71 - SupHKG5gviH3HA2Ghcmz/pneF6lqtcIW1WpznyBPYzNsRZreDT4ZCkJBNmh1vRS8VNkgPtXHYIp6
2017-09-20 11:02:09 INFO stdout:71 - SaDvvUOnIjBRaDcbsaIzsCetek+0uDI456I3z+FfT9lIXMEqbfkeUxXSdwqK3BPA4a1GkUCYNG7K
2017-09-20 11:02:09 INFO stdout:71 - ens068ul0GxbXNFYgdLN/NOG3m+rCIJaVzhgbBNGHtMxVTxnyPyvz6exAUYHJAGv5aYCDVYfFber
2017-09-20 11:02:09 INFO stdout:71 - YXKG5dZldhUO2yoxOVCaPgCd7MZjAwA0uN3U3g==
2017-09-20 11:02:09 INFO stdout:71 - </ds:SignatureValue>
2017-09-20 11:02:09 INFO stdout:71 - </ds:Signature>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Subject>
2017-09-20 11:02:09 INFO stdout:71 - <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">userid</saml:NameID>
2017-09-20 11:02:09 INFO stdout:71 - <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
2017-09-20 11:02:09 INFO stdout:71 - <saml:SubjectConfirmationData InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" NotOnOrAfter="2017-09-20T09:52:01.748Z" Recipient="https://hostwithapp:8443/app1/saml/SSO"/>
2017-09-20 11:02:09 INFO stdout:71 - </saml:SubjectConfirmation>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Subject>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Conditions NotBefore="2017-09-20T08:12:01.748Z" NotOnOrAfter="2017-09-20T09:52:01.748Z">
2017-09-20 11:02:09 INFO stdout:71 - <saml:AudienceRestriction>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Audience>app1</saml:Audience>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AudienceRestriction>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Conditions>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AuthnStatement AuthnInstant="2017-09-20T09:02:01.748Z" SessionIndex="mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO stdout:71 - <saml:AuthnContext>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AuthnContext>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AuthnStatement>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeStatement>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">APP-ESB-UIP-ADMIN</saml:AttributeValue>
..
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=APP-BM,C</saml:AttributeValue>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">all-authenticated</saml:AttributeValue>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Attribute>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AttributeStatement>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Assertion>
2017-09-20 11:02:09 INFO stdout:71 - </samlp:Response>
Per Vladimir's suggestions I have tried putting Ping and app1 on separate hosts. And I tried the Spring cookie rename injection, but that did not seem to change any cookie names in my HAR file. I did it like this, correct? No idea how sessionRepository should be initialized....
<bean id="sessionRepository"
      class="org.springframework.session.MapSessionRepository">
</bean>

<!-- avoid Spring/Ping cookie conflict to run the PoC Spring app and Ping on the same host -->
<bean id="sessionRepositoryFilter"
      class="org.springframework.session.web.http.SessionRepositoryFilter">
    <constructor-arg ref="sessionRepository"/>
    <property name="httpSessionStrategy">
        <bean class="org.springframework.session.web.http.CookieHttpSessionStrategy">
            <property name="cookieName" value="myCookieName"/>
        </bean>
    </property>
</bean>
HAR file is here: http://jmp.sh/nmJhefs
Cookies I see are: ping1
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34tHdGUwOS50Ncl4r74qH4QM"
ping2:
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34"
Wildfly web session:
"name": "JSESSIONID",
"value": "Z9HSNymqBc6SXLnn68CZcdT2",
This problem is usually caused when the JSESSIONID cookie stored when the request is generated differs from the JSESSIONID found during reception of the response. The reason for this is the use of different hostnames to send the request and receive the response.
Any chance both Ping Identity and your application are deployed on localhost? If not, make sure that the hostname you open to initialize the request (e.g. http://localhost:8080/saml/login) is the same one where PingIdentity sends the response.
Past issues with the same error:
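Added example (not Spring Security SAML's code and not part of the answer above): a minimal SP-side InResponseTo check in Python, run against a trimmed copy of the Response from the question, showing that the check is only as good as the session it looks into. The session store and the `JSESSIONID=session-A/B` cookie values are hypothetical; the response XML is constructed from the log above.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUEST_ID = "a1je2ba47j27cdid2h74507gii19bgj"
# Constructed: a trimmed copy of the Response from the log above (signature,
# conditions and attributes omitted). Both InResponseTo values match the request ID.
RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="vr.9BGHJqgMjrb_LZuq261qE9M8" InResponseTo="{REQUEST_ID}" Version="2.0">
  <saml:Assertion ID="mbPkcKjMO1j2AuxzPEbK-5DY73T" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{REQUEST_ID}"
            Recipient="https://hostwithapp:8443/app1/saml/SSO"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def send_authn_request(sessions, session_cookie, request_id):
    # Remember the outgoing AuthnRequest ID in the browser's server-side session
    # (hypothetical stand-in for Spring SAML's HttpSession-backed message storage).
    sessions.setdefault(session_cookie, set()).add(request_id)


def validate_in_response_to(sessions, session_cookie, response_xml):
    # Accept the Response only if its InResponseTo names a request outstanding in
    # *this* session, then consume the ID so the same Response cannot be replayed.
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    outstanding = sessions.get(session_cookie, set())
    if in_response_to not in outstanding:
        raise ValueError("InResponseToField of the Response doesn't correspond to sent message")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("InResponseTo") != in_response_to:
            raise ValueError("SubjectConfirmationData InResponseTo does not match the Response")
    outstanding.discard(in_response_to)
    return in_response_to


def scenario(same_cookie_on_response):
    # Same cookie on request and response: accepted. A different cookie (response
    # landed on another hostname, or the IdP overwrote the SP's cookie): the IDs match
    # on paper but are never found in the session, which is the error in the question.
    sessions = {}
    send_authn_request(sessions, "JSESSIONID=session-A", REQUEST_ID)
    cookie = "JSESSIONID=session-A" if same_cookie_on_response else "JSESSIONID=session-B"
    try:
        return validate_in_response_to(sessions, cookie, RESPONSE_XML)
    except ValueError as exc:
        return str(exc)
```

`scenario(True)` returns the request ID, `scenario(False)` returns the exact error text from the question, and a second delivery of the same Response into the same session is rejected because the ID was consumed.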