SAML v2 POST method

    bradley.kite
    last edited by 26 Aug 2020, 09:58

    Hi there,

    I have an application that only supports SAML POST bindings, and I'm trying to integrate it with FusionAuth.

    I'm getting the following error when I try to log in to my app. The app sends the POST request to FusionAuth, but all I get back is

    HTTP ERROR 405

    HTTP/1.1 405
    Date: Wed, 26 Aug 2020 09:46:08 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
    Access-Control-Allow-Origin: https://XXXXXX
    Vary: Origin
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    

    In the server logs (fusionauth-app.log) I get a single line:

    Aug 26, 2020 10:41:30.865 am WARN  org.primeframework.mvc.action.DefaultActionMappingWorkflow - The action class [io.fusionauth.app.action.samlv2.LoginAction] does not have a valid execute method for the HTTP method [POST]
    

    The SAML request that gets sent in the POST request is:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest AssertionConsumerServiceURL="https://XXXXXX/api/auth/saml2/handle-assertion"
                         Destination="https://XXXX.cybanetix.com/samlv2/login/863a8e18-7ae4-8ad7-4fa0-3e9e02a36525"
                         ForceAuthn="false"
                         ID="a58686e0-6743-4a74-9af1-d3d5a21a6b75"
                         IsPassive="false"
                         IssueInstant="2020-08-26T08:31:36.303Z"
                         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Version="2.0"
                         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXX/api/auth/saml2/login</saml2:Issuer>
      <saml2p:NameIDPolicy AllowCreate="true"
                           Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
      <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2p:RequestedAuthnContext>
    </saml2p:AuthnRequest>
    

    This looks well-formed to me, the ACS looks good and matches the config in the application, as does the Login URL etc.

    Any help will be greatly appreciated.

    --
    Brad.

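As an added illustration (not code from the post or from FusionAuth), here are the two SP-to-IdP bindings behind this 405: HTTP-Redirect sends the AuthnRequest deflated and base64-encoded in a GET query string, while HTTP-POST sends it base64-encoded in a form field, so an IdP login endpoint that only implements the GET branch answers the POST form with 405. Note that the ProtocolBinding attribute inside the request names the binding for the Response to the ACS, not the binding used to deliver the request. The example uses only the standard library, trims the posted request to the attributes it checks, and does not handle RelayState or signatures.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Trimmed copy of the AuthnRequest from the post above; the XXXX placeholders are kept as posted.
AUTHN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://XXXXXX/api/auth/saml2/handle-assertion"
    Destination="https://XXXX.cybanetix.com/samlv2/login/863a8e18-7ae4-8ad7-4fa0-3e9e02a36525"
    ID="a58686e0-6743-4a74-9af1-d3d5a21a6b75" IssueInstant="2020-08-26T08:31:36.303Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXX/api/auth/saml2/login</saml2:Issuer>
</saml2p:AuthnRequest>"""

def encode_redirect(xml_text):
    """SP side, HTTP-Redirect binding: raw DEFLATE, base64, URL-encode into the GET query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})

def encode_post(xml_text):
    """SP side, HTTP-POST binding: plain base64 in a form field, no compression."""
    return {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}

def decode_request(method, query_string="", form=None):
    """IdP side: accept either binding and return the parsed AuthnRequest element.
    An endpoint that only implements the GET branch answers a POST with 405, as in the thread."""
    if method == "GET":
        params = urllib.parse.parse_qs(query_string)
        xml_bytes = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    elif method == "POST":
        xml_bytes = base64.b64decode(form["SAMLRequest"])
    else:
        raise ValueError(f"no SAML binding for HTTP method {method}")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return root

def destination_matches(request_el, login_url):
    """Reject requests whose Destination is not this IdP's own login endpoint."""
    return request_el.get("Destination") == login_url
```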
      dan
      last edited by 26 Aug 2020, 19:19

      Hiya,

      Can you provide a bit more information?

      • Are you trying to use FusionAuth as the identity provider or the service provider? (I'm guessing the former, but want to confirm.)
      • What is the application you are trying to integrate (if you feel comfortable posting that)?
      • Have you set up CORS correctly? This post may be helpful: https://fusionauth.io/community/forum/topic/111/403-when-using-saml-idp (though the error is different).

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

        bradley.kite
        last edited by 2 Sept 2020, 10:38

        Hi Dan,

        We are using FusionAuth as the IDP. It's already acting as an IDP for another application, but this app is not playing ball.

        I'm afraid I'm not able to name the application, but it's a web-based cyber security app that has documented support for Okta, Google and ADFS as the IDP, but we are trying to get it to work with FusionAuth. I'm sure it will be possible, but we need to understand what the above error means.

        I've checked the CORS settings and they are fine - we've wild-card allowed CORS requests just as a test, and included POST (among others) as allowed requests.

        Regards

        Brad.

          bradley.kite
          last edited by 2 Sept 2020, 16:41

          Hi,

          Is the code for io.fusionauth.app.action.samlv2.LoginAction available as open source? I'd like to implement the missing POST method - it appears that the GET method is implemented, but not POST.

          I've found some SAML-related bits on github (https://github.com/FusionAuth/fusionauth-samlv2) but not this class.

            dan
            last edited by 3 Sept 2020, 13:43

            Hiya,

            Sorry, the io.fusionauth.app.action.samlv2.LoginAction code is not open source.

            Can you please file a github issue referencing this forum post? The engineering team will evaluate implementing the post method.

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

              bradley.kite
              last edited by 4 Sept 2020, 07:06

              Thanks Dan,

              I've created a github issue here:

              https://github.com/FusionAuth/fusionauth-issues/issues/845
