I have a problem running a SAML2 SP behind a reverse proxy, running OpenSAML with Spring Security 6. When running locally from my own computer this works as it should. When running behind the proxy it seems the SAML response is not decrypted correctly. Here's the exception that is thrown:
```
mes:tc:SAML:2.0:assertion}EncryptedAssertion with propagation set to true
2024-10-27 11:46:04.302000[http-nio-5003-exec-175] TRACE o.o.core.xml.AbstractXMLObject - Releasing cached DOM reprsentation for {urn:oasis:names:tc:SAML:2.0:protocol}Response
2024-10-27 11:46:04.302000[http-nio-5003-exec-175] TRACE o.o.core.xml.AbstractXMLObject - Releasing cached DOM reprsentation for parent of {urn:oasis:names:tc:SAML:2.0:protocol}Response with propagation set to true
2024-10-27 11:46:04.302000[http-nio-5003-exec-175] TRACE o.s.s.s.p.s.w.a.Saml2WebSsoAuthenticationFilter - Failed to process authentication request
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException: No relying party registration found
	at org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter.attemptAuthentication(Saml2WebSsoAuthenticationFilter.java:127)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:231)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
	at org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter.doFilterInternal(Saml2WebSsoAuthenticationRequestFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
```
Traffic goes from https://my.public.domain/ --> http://internal/. The SAML2 SP is the internal one here.
Do I have to address HTTPS in my SP somehow, like handling X-Forwarded-Proto? And do the reverse proxy's certificates somehow interfere with the communication here?
The SP has a local self-signed certificate configured for signing and decryption:
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;

// OpenSAML 4 package; OpenSAML 5 moved this class to net.shibboleth.shared.security.X509Support
import net.shibboleth.utilities.java.support.security.X509Support;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

public class SpRegistrationFactory {

    private static final Logger log = LoggerFactory.getLogger(SpRegistrationFactory.class);

    /**
     * Builds the SP's RelyingPartyRegistration from the IdP metadata on the classpath,
     * the SP's PKCS#8 private key and its self-signed certificate.
     */
    public RelyingPartyRegistration build(File privateKeyResource, File certificateResource,
                                          String relyingPartyEntityId, String virtuACSLocation)
            throws IOException, CertificateException {
        log.info("certificate path:" + certificateResource.getAbsolutePath());
        log.info("private key path:" + privateKeyResource.getAbsolutePath());

        // Load the PKCS#8 private key; close the stream once it has been read
        RSAPrivateKey k;
        try (InputStream in = new FileInputStream(privateKeyResource)) {
            k = RsaKeyConverters.pkcs8().convert(in);
        }
        X509Certificate certificate = X509Support.decodeCertificate(certificateResource);

        // The same key pair is used both to sign AuthnRequests and to decrypt assertions
        Saml2X509Credential credential = Saml2X509Credential.signing(k, certificate);
        Saml2X509Credential decryptCredential = Saml2X509Credential.decryption(k, certificate);

        return RelyingPartyRegistrations
                .fromMetadataLocation("classpath:saml/metadata.xml")
                .registrationId(relyingPartyEntityId)
                .authnRequestsSigned(true)
                .signingX509Credentials(c -> c.add(credential))
                .decryptionX509Credentials(c -> c.add(decryptCredential))
                // overrides the asserting party (IdP) entityId read from metadata with relyingPartyEntityId
                .assertingPartyDetails(party -> party.entityId(relyingPartyEntityId))
                .assertionConsumerServiceLocation(virtuACSLocation)
                .entityId(relyingPartyEntityId)
                .build();
    }
}
```
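As an added example (not the questioner's code and not taken from Spring's documentation), this is what handling X-Forwarded-Proto in a Spring Boot SAML SP looks like, together with the request-derived SP URLs that Spring Security resolves the registration from. Whether it resolves the error above depends on what the proxy actually forwards. The package, class and bean names, the registration id `my-idp`, and the assumption that the proxy sets X-Forwarded-Proto and X-Forwarded-Host are all illustrative.

```java
// Added example: make a Spring Boot 3 / Spring Security 6 SAML SP behind a
// TLS-terminating reverse proxy build its own URLs from the public scheme and host.
// Assumed: the proxy sends X-Forwarded-Proto and X-Forwarded-Host and strips any
// copies supplied by the client. Names below are illustrative.
package example.saml;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class ProxyAwareSamlConfig {

    // 1. Rewrite scheme/host/port from X-Forwarded-* before the security filter
    //    chain sees the request. Equivalent to server.forward-headers-strategy=framework
    //    in application.properties. Only enable this when the proxy overwrites
    //    client-supplied X-Forwarded-* headers; otherwise any client can make the
    //    SP believe it is served from an attacker-chosen origin.
    @Bean
    FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> bean =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }

    // 2. Derive the SP entityId and ACS URL from the (now public) request URL with
    //    Spring Security's {baseUrl} and {registrationId} placeholders rather than a
    //    hard-coded location. With the filter above, a request arriving as
    //    http://internal/... with X-Forwarded-Proto: https and X-Forwarded-Host:
    //    my.public.domain yields baseUrl = https://my.public.domain.
    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:saml/metadata.xml")
                .registrationId("my-idp") // assumed id; it is the last path segment of the ACS URL
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
```

Saml2WebSsoAuthenticationFilter's default processing URL is `/login/saml2/sso/{registrationId}`, and it looks the registration up by that path variable, so the ACS URL configured at the IdP has to end in the same registration id. A quick check from the internal network is to send a POST to `http://internal/login/saml2/sso/my-idp` with and without `X-Forwarded-Proto: https` / `X-Forwarded-Host: my.public.domain` and compare the SP's log output, which shows whether the headers reach the application at all.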