How to Solve Spring Okta/Saml issue of SAML message intended destination endpoint did not match the recipient endpoint

April 20, 2022

Introduction

I was trying to integrate Okta with Spring, and when I deploy the code. I got following error:

org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint did not match the recipient endpoint

And, the error mentioned the two URLs only differe by https. One was with http, and other was with https.

Setup

I was working with docker containers for my spring app, and was deploying it on kubernetes, behind a Ingress load balancer. My spring app pod was running on http, and setup SSL (https) on Ingress load balancer.

Spring Beans before Solution

I’m not mentioning all beans defined. Just mentioning two beans that needed a fix.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="${saml.audience.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="idpDiscoveryEnabled" value="false"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>

Where value of saml.audience.url was:

saml.audience.url=https://<MyApp>.com/api/saml/audience

Solution

I needed to correct above two beans.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="${saml.audience.url}"/>
            <property name="entityBaseURL" value="${saml.entity.base.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="idpDiscoveryEnabled" value="false"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="${saml.server.name}"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="${saml.context.path}"/>
</bean>

Notice two things:

  • contextProvider bean of class SAMLContextProviderLB
  • entityBaseURL in metadataGeneratorFilter bean

Lets have a look at their values:

saml.metadata.url: "https://XYZ.okta.com/app/<IDP_ID>/sso/saml/metadata"
saml.audience.url: "https://<MyApp>.com/api/saml/audience"
saml.entity.base.url: "https://<MyAPp>.com/api"
saml.server.name: "<MyApp>.com"
saml.context.path: "/api"

Note, its very important to set saml.context.path with a slash in beginning.

Now, build your app and run. It ran smoothly without any issue.

Hope it helps. Thanks for reading.

springoktasamljavabeansspring-beans

Similar Posts

Latest Posts