Comments (12)

tbdrake commented on July 18, 2024

After increasing maxAuthenticationAge in applicationContext-security-saml.xml from the default 2 hours to 90 days (7776000 seconds), I am no longer experiencing the issue (but I have been using this for less than 90 days).

I chose 90 days based on this Azure AD documentation, but not sure if this is appropriate:

The Azure Active Directory (Azure AD) default configuration for user sign-in frequency is a rolling window of 90 days.

Is there a way to adjust this setting conveniently while using the structurizr/onpremises image from dockerhub rather than editing the .war and building an image?

from my structurizr-onpremises.war\WEB-INF\applicationContext-security-saml.xml:

    <!-- SAML 2.0 WebSSO Assertion Consumer -->
    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
        <!-- by default, Spring Security checks that you've been authenticated with your IdP within the past 2 hours (7200 seconds) ... uncomment the following line if you need to use a longer value (e.g. 86400 seconds for 24 hours) -->
        <property name="maxAuthenticationAge" value="7776000" />
    </bean>

I enabled debug logging by editing log4j2.properties in the .war file as well. Instructions were in another issue comment in this repo; the contents of my file are below. I will try to check the logs from past errors later to understand this better.

my structurizr-onpremises.war\WEB-INF\classes\log4j2.properties:

status = info

appender.console.type = Console
appender.console.name = LogToConsole
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n

appender.file.type = File
appender.file.name = LogToFile
appender.file.fileName=${sys:structurizr.dataDirectory}/logs/structurizr.log
appender.file.layout.type=PatternLayout
appender.file.layout.pattern=[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n

logger.app.name = com.structurizr
logger.app.level = debug
logger.app.additivity = false
logger.app.appenderRef.console.ref = LogToConsole
logger.app.appenderRef.file.ref = LogToFile

rootLogger.level = debug
rootLogger.appenderRef.stdout.ref = LogToConsole
rootLogger.appenderRef.file.ref = LogToFile

simonbrowndotje commented on July 18, 2024

Thanks @tbdrake!

Is there a way to adjust this setting conveniently while using the structurizr/onpremises image from dockerhub rather than editing the .war and building an image?

I've added support for changing this value via a property named structurizr.saml.maxAuthenticationAge in your structurizr.properties file (the value is the number of seconds). This will be available in build 2914+; see https://structurizr.com/share/18571/documentation#max-authentication-age for more.

tbdrake commented on July 18, 2024

I am also getting "Error: Sorry, something went wrong" when attempting Structurizr sign-in with Azure AD SSO configured. For me this happens with Chrome and Edge, but not Firefox. If I use Chrome or Edge incognito I do not experience the issue.

I am using Structurizr onpremises from dockerhub deployed to AWS using Azure AD SAML 2.0 integration, and structurizr logs in CloudWatch show the Http500Controller - null message.

My browser versions:

  • Chrome: 101.0.4951.54 (Official Build) (64-bit)
  • Firefox: 104.0 (64-bit)
  • Edge: Version 108.0.1462.54 (Official build) (64-bit)

Error in structurizr logs when using Chrome or Edge (not incognito):

[ERROR] 2022-12-20 20:50:16.416 [http-nio-8080-exec-22] Http500Controller - null

I don't know if this is related, but in Firefox console I see this warning when I navigate to my structurizr onpremises site:

Cookie “JSESSIONID” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

simonbrowndotje commented on July 18, 2024

I Googled the error message and it led me to https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html#d5e1935 ... does that help?

konpolporsche commented on July 18, 2024

Extending WEB-INF/applicationContext-security-saml.xml with the provided snippet does NOT solve the issue.

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  <property name="storageFactory">
    <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
  </property>
</bean>

konpolporsche commented on July 18, 2024

Hard-coding the host name in server.xml does NOT solve the issue.

AndreasKrueger1 commented on July 18, 2024

Hi all, I installed the SAML Chrome extension to compare the failed request against a successful request. Maybe that helps.
Here is the output for a failed request.

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2022-12-05T12:12:00.100Z" IsPassive="false" AssertionConsumerServiceURL="https://structurizr.slsystem.aws.XXX/saml/SSO" ForceAuthn="false">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">structurizr-prod</Issuer>
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3fda838d-5d7a-4775-8def-4a3ae3adb0d2" Version="2.0" IssueInstant="2022-12-05T12:15:01.510Z" Destination="https://structurizr.slsystem.aws.XXX/saml/SSO">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
 <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
 </samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6c7a5fac-8c29-42b5-88be-f764398b7400" IssueInstant="2022-12-05T12:15:01.510Z" Version="2.0">
  <Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
    <Reference URI="#_6c7a5fac-8c29-42b5-88be-f764398b7400">
     <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
     </Transforms>
     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
     <DigestValue>90GUdqmO0EtquGhviYi6ETmOht5Wv2e1HJ2eIt9LAtk=</DigestValue>
    </Reference>
   </SignedInfo>
   <SignatureValue>my-signature</SignatureValue>
   <KeyInfo>
    <X509Data>
     <X509Certificate>my-certificate</X509Certificate>
    </X509Data>
   </KeyInfo>
  </Signature>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my-email</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2022-12-05T13:15:01.385Z" Recipient="https://structurizr.slsystem.aws.XXX/saml/SSO"></SubjectConfirmationData>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2022-12-05T12:10:01.385Z" NotOnOrAfter="2022-12-05T13:15:01.385Z">
   <AudienceRestriction>
    <Audience>structurizr-prod</Audience>
   </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>31f1b789-90e3-442a-acd2-d6ae8c8bda31</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <AttributeValue>551bf6ca-2976-4dd7-8627-17e985640e52</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
    <AttributeValue>my-displayName</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
    <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>my-givenname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>my-lastname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>guest</AttributeValue>
   </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2022-11-25T06:18:51.416Z" SessionIndex="_6c7a5fac-8c29-42b5-88be-f764398b7400">
   <AuthnContext>
    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
   </AuthnContext>
  </AuthnStatement>
 </Assertion>
</samlp:Response>

Here is the request / response for a successful request.

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="F84D888AA3B44C1B844375A4E8210D9E" Version="2.0" IssueInstant="2022-12-05T13:12:05.029Z" IsPassive="false" AssertionConsumerServiceURL="https://structurizr.slsystem.aws.XXX/saml/SSO" ForceAuthn="false">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">structurizr-prod</Issuer>
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_49ceae9d-cb9a-4a57-a748-d7eb1f4f4cf0" Version="2.0" IssueInstant="2022-12-05T13:31:05.945Z" Destination="https://structurizr.slsystem.aws.XXX/saml/SSO">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
 <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
 </samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_96259533-65a9-423b-b9a1-882321777100" IssueInstant="2022-12-05T13:31:05.930Z" Version="2.0">
  <Issuer>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
    <Reference URI="#_96259533-65a9-423b-b9a1-882321777100">
     <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
     </Transforms>
     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
     <DigestValue>dQRhNeHF4RJhtUQdJ64YyRICpBPU95YDvVbAZA+KltA=</DigestValue>
    </Reference>
   </SignedInfo>
   <SignatureValue>my-signature</SignatureValue>
   <KeyInfo>
    <X509Data>
     <X509Certificate>my-certificate</X509Certificate>
    </X509Data>
   </KeyInfo>
  </Signature>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my-email</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2022-12-05T14:31:05.836Z" Recipient="https://structurizr.slsystem.aws.XXX/saml/SSO"></SubjectConfirmationData>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2022-12-05T13:26:05.836Z" NotOnOrAfter="2022-12-05T14:31:05.836Z">
   <AudienceRestriction>
    <Audience>structurizr-prod</Audience>
   </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>31f1b789-90e3-442a-acd2-d6ae8c8bda31</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <AttributeValue>551bf6ca-2976-4dd7-8627-17e985640e52</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
    <AttributeValue>my-displayname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.windows.net/31f1b789-90e3-442a-acd2-d6ae8c8bda31/</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
    <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>my-givenname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>my-surname</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>my-email</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>guest</AttributeValue>
   </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2022-12-05T13:30:02.075Z" SessionIndex="_96259533-65a9-423b-b9a1-882321777100">
   <AuthnContext>
    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
   </AuthnContext>
  </AuthnStatement>
 </Assertion>
</samlp:Response>

UPiotr commented on July 18, 2024

We experience exactly the same issue. Using Firefox doesn't solve the problem for us.
I also tried setting EmptyStorageFactory and removing the comments from the maxAuthenticationAge parameter inside applicationContext-security-saml.xml, leaving the default value.
Nothing helped so far.
Has anyone got any idea how to fix this?

marcelofabricanti commented on July 18, 2024

Hi!

I'm having the same issue as @tbdrake:
Http500Controller - null

I'm using AzureAD and on-premise install (on AWS EKS) too.

Error occurs on Chrome only.

  • Firefox doesn't show any errors, works well.
  • Chrome in incognito mode doesn't show any errors as well.

Chrome Version 109.0.5414.87 (x86_64)
Firefox Version 109.0
macOS Version 10.15.5

tbdrake commented on July 18, 2024

Awesome, thank you @simonbrowndotje! Structurizr has been fun to work with and has helped me do my job, and I am very grateful!

Our Structurizr logs around the times of past login errors showed org.springframework.security.authentication.CredentialsExpiredException like this:

Timestamp: 2023-01-13T09:32:58.372-05:00
Message: Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2022-11-21T14:01:18.637Z

I did not find the above exception in @konpolporsche's logs from the original issue, so these may be different issues. This part that mentions the SAML message ID not being found in the HTTP session stuck out:

[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] HttpSessionStorage - Message a46j86d85736eh939d3g4e86aage13 not found in session 26EEC63FA2C71FC291414D44B958E0BD
[DEBUG] 2022-11-14 12:57:52.196 [http-nio-8080-exec-1] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a46j86d85736eh939d3g4e86aage13

There were instances of the same log messages from our Structurizr:

[DEBUG] 2022-12-24 20:52:57.838 [http-nio-8080-exec-2] HttpSessionStorage - Message a40b341bd9che66i156e70d4i40ja6 not found in session 490E4D2E77973778F71410BAC91D93C1
[DEBUG] 2022-12-24 20:52:57.839 [http-nio-8080-exec-2] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a40b341bd9che66i156e70d4i40ja6

I searched our CloudWatch logs for messages containing a40b341bd9che66i156e70d4i40ja6 or 490E4D2E77973778F71410BAC91D93C1 and found this message saying it stored the message ID in a different session 0CD3997BD4D12FCE05F288C7D117BF68:

[DEBUG] 2022-12-24 20:52:54.536 [http-nio-8080-exec-8] HttpSessionStorage - Storing message a40b341bd9che66i156e70d4i40ja6 to session 0CD3997BD4D12FCE05F288C7D117BF68

I searched again for messages with a40b341bd9che66i156e70d4i40ja6 (SAML message ID), 490E4D2E77973778F71410BAC91D93C1 (HTTP Session where SAML message ID not found), or 0CD3997BD4D12FCE05F288C7D117BF68 (HTTP Session where SAML message ID was stored) and attached the CSV export from CloudWatch: log-events-viewer-result.csv

Initially we were running 2 instances of structurizr/onpremises using AWS Fargate service with desired task count 2, and had tried enabling "sticky sessions" using AWS ALB, but have since gone to 1 desired task count. This part from HTTP Sessions seems to match what our logs showed:

By default, HTTP sessions are stored locally, in memory, on the server that created them. This works for a single server installation, but may not work for a high-availability installation, particularly where multiple instances are deployed behind a load balancer that is delivering requests using a round-robin algorithm. If "sticky sessions" or "session pinning" is not an option, you can choose to have HTTP session information stored in a Redis database instead.

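As an added example (not code from this thread, Structurizr or Spring Security SAML), the Python below re-checks the two Azure AD responses @AndreasKrueger1 captured and the session mismatch in @tbdrake's logs: the failed response carries an AuthnInstant ten days older than its IssueInstant, outside the 7200 s default but inside the 90-day value, and a sent-message ID stored in one instance's in-memory session is unknown to a second instance unless session storage is shared. The trimmed XML fragments and the HttpSessionStorage class are constructed stand-ins, with timestamps and IDs copied from the thread.

```python
# Added example; not code from the issue thread, Structurizr or Spring Security SAML.
# It re-checks the two Azure AD responses quoted in the thread against the two rules
# the debug logs show failing: maxAuthenticationAge and the InResponseTo lookup.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed inputs: timestamps copied from the failed and successful responses in
# the thread; everything the age check does not need has been trimmed away.
FAILED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" IssueInstant="2022-12-05T12:15:01.510Z">
 <Assertion xmlns="{SAML}" ID="_6c7a5fac-8c29-42b5-88be-f764398b7400">
  <AuthnStatement AuthnInstant="2022-11-25T06:18:51.416Z"/>
 </Assertion>
</samlp:Response>"""
OK_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" IssueInstant="2022-12-05T13:31:05.945Z">
 <Assertion xmlns="{SAML}" ID="_96259533-65a9-423b-b9a1-882321777100">
  <AuthnStatement AuthnInstant="2022-12-05T13:30:02.075Z"/>
 </Assertion>
</samlp:Response>"""

def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2022-12-05T12:15:01.510Z as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def authentication_age_seconds(response_xml, now=None):
    """Seconds between the assertion's AuthnInstant (the user's last real login at the
    IdP) and `now`. Spring compares against the SP clock; for a reproducible example
    `now` defaults to the response's own IssueInstant."""
    root = ET.fromstring(response_xml)
    authn = root.find(f".//{{{SAML}}}AuthnStatement")
    now = now or parse_instant(root.get("IssueInstant"))
    return (now - parse_instant(authn.get("AuthnInstant"))).total_seconds()

def within_max_authentication_age(response_xml, max_authentication_age=7200, now=None):
    """7200 s is the Spring Security SAML default, 7776000 s (90 days) the value set in
    the thread. Failing this check is what raises 'Authentication statement is too old'."""
    return authentication_age_seconds(response_xml, now) <= max_authentication_age

class HttpSessionStorage:
    """Constructed stand-in for per-instance, in-memory storage of sent AuthnRequest IDs
    keyed by HTTP session; sharing one object between instances models Redis sessions."""

    def __init__(self):
        self._sessions = {}

    def store(self, session_id, message_id):
        self._sessions.setdefault(session_id, set()).add(message_id)

    def in_response_to_matches(self, session_id, in_response_to):
        return in_response_to in self._sessions.get(session_id, set())

def simulate_round_robin(shared_sessions):
    """Instance A stores the request ID from the thread's logs in its session; the IdP
    callback is routed to instance B. Returns whether B can validate InResponseTo."""
    instance_a = HttpSessionStorage()
    instance_b = instance_a if shared_sessions else HttpSessionStorage()
    instance_a.store("0CD3997BD4D12FCE05F288C7D117BF68", "a40b341bd9che66i156e70d4i40ja6")
    # Without shared storage B does not know A's session, so the callback gets a new one.
    session_on_b = "0CD3997BD4D12FCE05F288C7D117BF68" if shared_sessions else "490E4D2E77973778F71410BAC91D93C1"
    return instance_b.in_response_to_matches(session_on_b, "a40b341bd9che66i156e70d4i40ja6")
```

Either failure surfaces in the thread's logs as a 500 with no further detail at INFO level, so the debug logger configuration tbdrake posted is what makes the two cases distinguishable.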

UPiotr commented on July 18, 2024

Thanks @tbdrake!

Is there a way to adjust this setting conveniently while using the structurizr/onpremises image from dockerhub rather than editing the .war and building an image?

I've added support for changing this value via a property named structurizr.saml.maxAuthenticationAge in your structurizr.properties file (the value is the number of seconds). This will be available in build 2914+; see https://structurizr.com/share/18571/documentation#max-authentication-age for more.

Thanks @simonbrowndotje :) you're a lifesaver

marcelofabricanti commented on July 18, 2024

Hi,

After using this solution (structurizr.saml.maxAuthenticationAge in the properties file), it is working well now.

Thanks a lot @tbdrake and @simonbrowndotje !

