April 20, 2022
I was trying to integrate Okta with Spring, and when I deployed the code I got the following error:

[org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint did not match the recipient endpoint

The error message printed both URLs, and they differed only in the scheme: one was http and the other was https.
My Spring app ran in a Docker container on Kubernetes, behind an Ingress load balancer. The pod itself served plain HTTP; TLS (HTTPS) was terminated at the Ingress.

That is the root of the mismatch. Spring SAML rebuilds the URL at which it received the SAML Response from the servlet request, so inside the pod it sees http://..., while Okta put the public https://... endpoint into the message's Destination attribute. The decoder compares the two and rejects the message. This check is deliberate (it stops a Response issued for one endpoint being accepted at another), so the right fix is to tell the application its externally visible URL, not to disable the check.
I am not listing every bean, only the two that needed a fix. This is how they looked before:
<!-- Generates the SP metadata that is handed to the IdP -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="${saml.audience.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="idpDiscoveryEnabled" value="false"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

<!-- Default provider: derives the recipient URL from the servlet request, i.e. the pod's http view -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
where the value of saml.audience.url was:
saml.audience.url=https://<MyApp>.com/api/saml/audience
These are the two beans I had to correct. The fixed versions:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="${saml.audience.url}"/>
            <!-- Public base URL used for the endpoints advertised in the SP metadata -->
            <property name="entityBaseURL" value="${saml.entity.base.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="idpDiscoveryEnabled" value="false"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

<!-- Load-balancer-aware provider: rebuilds the recipient URL from these fixed values
     instead of from the servlet request the pod sees -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="${saml.server.name}"/>
    <property name="serverPort" value="443"/>
    <!-- Omit :443 from the rebuilt URL so it matches the Destination Okta sends -->
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="${saml.context.path}"/>
</bean>
Notice two things:

- The contextProvider bean is now SAMLContextProviderLB instead of SAMLContextProviderImpl. Its properties describe the public https endpoint exactly as the browser and Okta see it, and because those values are fixed in configuration rather than read from X-Forwarded-Proto or X-Forwarded-Host headers, a client cannot influence the URL the destination check is performed against.
- The MetadataGenerator has an entityBaseURL, so the SP metadata generated for Okta advertises https endpoints rather than the pod's internal http address.

The property values:
saml.metadata.url: "https://XYZ.okta.com/app/<IDP_ID>/sso/saml/metadata"
saml.audience.url: "https://<MyApp>.com/api/saml/audience"
saml.entity.base.url: "https://<MyApp>.com/api"
saml.server.name: "<MyApp>.com"
saml.context.path: "/api"
Note: saml.context.path must start with a slash. SAMLContextProviderLB concatenates scheme, host and contextPath to rebuild the request URL, so without the leading slash the host and path run together and the destination check fails again.
Now build and run the app. With these changes it started cleanly and the SAML login went through without the error.

Hope it helps. Thanks for reading.
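To make the failure and the fix concrete, here is a small model of the destination check, added here as an example (it is not code from the original post or from Spring Security SAML). It parses the Destination attribute out of a constructed SAML Response, rebuilds the recipient URL first the way the pod sees it and then from fixed load-balancer settings mirroring the corrected contextProvider bean, and compares the two. The host myapp.example.com, the pod port 8080 and the Response itself are constructed for illustration, and the comparison is a simplification of OpenSAML's endpoint check (scheme, host, effective port and path must agree).

```python
"""Model of Spring SAML's "intended destination endpoint did not match the
recipient endpoint" check behind a TLS-terminating Ingress. Added example, not
code from the original post or from Spring Security SAML. The host, port and
SAML Response below are constructed for illustration."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed, minimal <samlp:Response> as an IdP would POST it to the
# assertion consumer service; only the Destination attribute matters here.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="{ns}" ID="_constructed123" Version="2.0" '
    'IssueInstant="2022-04-20T10:00:00Z" '
    'Destination="https://myapp.example.com/api/saml/SSO"/>'
).format(ns=SAMLP_NS)


def response_destination(xml_text):
    """Return the Destination attribute of a <samlp:Response>, '' if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("not a samlp:Response element")
    return root.attrib.get("Destination", "")


def recipient_url_seen_by_pod(scheme, server_name, server_port, request_uri):
    """URL the servlet container reconstructs from its own connection. Behind
    the Ingress the pod only ever sees plain http on its container port, so
    the result is http://... even though the browser spoke https to the LB."""
    if DEFAULT_PORTS.get(scheme) == server_port:
        host = server_name
    else:
        host = "%s:%d" % (server_name, server_port)
    return "%s://%s%s" % (scheme, host, request_uri)


def recipient_url_from_lb_config(lb, original_context_path, request_uri):
    """URL rebuilt the way SAMLContextProviderLB does it: scheme, serverName,
    serverPort and contextPath come from fixed configuration (the dict `lb`,
    mirroring the bean properties), not from the request or from
    X-Forwarded-* headers, so a client cannot steer the check. The path after
    the container's own context path is re-rooted under the configured one."""
    if not request_uri.startswith(original_context_path):
        raise ValueError("request URI is outside the servlet context")
    tail = request_uri[len(original_context_path):]
    if lb["includeServerPortInRequestURL"]:
        host = "%s:%d" % (lb["serverName"], lb["serverPort"])
    else:
        host = lb["serverName"]
    return "%s://%s%s%s" % (lb["scheme"], host, lb["contextPath"], tail)


def destination_matches(destination, recipient_url):
    """Simplified endpoint comparison: scheme, host, effective port and path
    must all agree, otherwise the decoder rejects the message."""
    def key(u):
        scheme = u.scheme.lower()
        return (scheme, (u.hostname or "").lower(),
                u.port or DEFAULT_PORTS.get(scheme), u.path)
    return key(urlsplit(destination)) == key(urlsplit(recipient_url))


# Mirrors the corrected contextProvider bean (hostname is an assumption).
LB_CONFIG = {
    "scheme": "https",
    "serverName": "myapp.example.com",
    "serverPort": 443,
    "includeServerPortInRequestURL": False,
    "contextPath": "/api",
}


def check_before_fix():
    """SAMLContextProviderImpl behaviour: the pod's own view of the URL."""
    dest = response_destination(SAMPLE_RESPONSE)
    seen = recipient_url_seen_by_pod("http", "myapp.example.com", 8080, "/api/saml/SSO")
    return destination_matches(dest, seen), seen


def check_after_fix(lb=LB_CONFIG):
    """SAMLContextProviderLB behaviour with the configured external URL."""
    dest = response_destination(SAMPLE_RESPONSE)
    rebuilt = recipient_url_from_lb_config(lb, "/api", "/api/saml/SSO")
    return destination_matches(dest, rebuilt), rebuilt


if __name__ == "__main__":
    print(check_before_fix())   # (False, 'http://myapp.example.com:8080/api/saml/SSO')
    print(check_after_fix())    # (True, 'https://myapp.example.com/api/saml/SSO')
    # contextPath without the leading slash: host and path run together
    print(check_after_fix(dict(LB_CONFIG, contextPath="api")))  # (False, 'https://myapp.example.comapi/saml/SSO')
```

The third call shows why the leading slash in saml.context.path matters: with "api" instead of "/api" the rebuilt URL becomes https://myapp.example.comapi/saml/SSO, which fails the same check.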