Description
On a Tomcat hosting an SP application that tries to authenticate against a SAML IdP (OKTA),
authentication fails with this log:
May 11, 2018 11:22:14 AM org.apache.cxf.fediz.core.processor.SAMLProcessorImpl processRelayState
SEVERE: Missing Request State
May 11, 2018 11:22:14 AM org.apache.cxf.fediz.core.handler.SigninHandler handleRequest
SEVERE: Federation processing failed: The request was invalid or malformed
I checked the code, and it fails because the request state in org.apache.cxf.fediz.core.processor.FedizRequest is null. However, it seems that with the SAML protocol org.apache.cxf.fediz.core.processor.FedizRequest.setRequestState(RequestState) is never called, so I am wondering how it could ever be anything other than null, and I suspect a bug.
I managed to patch Fediz to get it working; I could propose a pull request for this if required.
In addition to OKTA, I also tried samling for a simple test setup, with the same error.
<FedizConfig>
  <contextConfig name="/myApp">
    <audienceUris>
      <audienceItem>http://localhost:8080/myApp/</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStore file="/opt/tomcat/.keystore" password="changeit" type="JKS" />
      </trustManager>
    </certificateStores>
    <trustedIssuers>
      <issuer certificateValidation="PeerTrust" />
    </trustedIssuers>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="samlProtocolType" version="2.0">
      <disableDeflateEncoding>true</disableDeflateEncoding>
      <doNotEnforceKnownIssuer>true</doNotEnforceKnownIssuer>
      <issuer>https://capriza.github.io/samling/samling.html</issuer>
      <roleURI>groups</roleURI>
    </protocol>
  </contextConfig>
</FedizConfig>
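The "Missing Request State" error above is the SP refusing a SAML response that it cannot tie back to an AuthnRequest it sent. The following Python sketch is an added illustration of that SP-side round trip; it is not Fediz code and not the reporter's patch, and the store, the `process_response` helper, the issuer URL and the constructed response dicts are all assumptions for the example. It shows the three checks a request-state store gives you (the RelayState must be present, must match an outstanding request, and must be unexpired and single-use) and reproduces the reporter's symptom when the RelayState is absent.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


class FederationProcessingError(Exception):
    """Raised when a SAML Response cannot be tied to an outstanding request."""


@dataclass
class RequestState:
    """What the SP remembers between sending the AuthnRequest and receiving
    the Response: where to send the user afterwards, which IdP was asked,
    and when the request was created (for expiry)."""
    target_url: str
    issuer: str
    created_at: float


@dataclass
class RequestStateStore:
    """In-memory request-state store keyed by RelayState (hypothetical;
    a real SP would back this with the session or a shared cache)."""
    ttl_seconds: float = 300.0
    _states: Dict[str, RequestState] = field(default_factory=dict)

    def create(self, target_url: str, issuer: str, now: Optional[float] = None) -> str:
        """Called when the AuthnRequest is built. Returns the unguessable
        RelayState value to send along with the request."""
        if now is None:
            now = time.time()
        relay_state = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._states[relay_state] = RequestState(target_url, issuer, now)
        return relay_state

    def consume(self, relay_state: Optional[str], now: Optional[float] = None) -> RequestState:
        """Called when the Response arrives. Removes and returns the matching
        state, or raises with the same wording as the Fediz log."""
        if now is None:
            now = time.time()
        if not relay_state:
            raise FederationProcessingError("Missing Request State")
        state = self._states.pop(relay_state, None)  # single use: replay fails
        if state is None:
            raise FederationProcessingError("Unknown or already-used RelayState")
        if now - state.created_at > self.ttl_seconds:
            raise FederationProcessingError("Request State expired")
        return state


def process_response(store: RequestStateStore, response: dict,
                     now: Optional[float] = None) -> RequestState:
    """Minimal SP-side handling of a (constructed, already signature-checked)
    Response: the RelayState and Issuer are the only fields this example
    looks at. Signature, audience and condition checks are out of scope here."""
    state = store.consume(response.get("RelayState"), now)
    if response.get("Issuer") != state.issuer:
        raise FederationProcessingError("Response issuer does not match the requested IdP")
    return state


def simulate_missing_relay_state(store: RequestStateStore, issuer: str) -> str:
    """Reproduces the reporter's symptom: the SP sent a request, but the
    Response comes back without any RelayState. Returns the error message."""
    store.create("http://localhost:8080/myApp/", issuer)
    try:
        process_response(store, {"Issuer": issuer})  # no RelayState key
    except FederationProcessingError as exc:
        return str(exc)
    return "unexpected success"


if __name__ == "__main__":
    idp = "https://idp.example/"  # assumed issuer value for the example
    store = RequestStateStore()
    rs = store.create("http://localhost:8080/myApp/", idp)
    print("good response ->", process_response(store, {"RelayState": rs, "Issuer": idp}).target_url)
    print("no RelayState  ->", simulate_missing_relay_state(store, idp))
```

Whatever the Fediz fix turns out to be, this is the behaviour the SP needs: the RelayState is created when the request goes out and looked up, once, when the response comes back; an SP that never records the state will reject every response exactly as in the log above.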