13. Troubleshooting common problems

Time synchronization

Processing of SAML messages and assertions is often limited to a specific time window which e.g. prevents possibilities of replay attacks. Validation of messages can fail when internal clocks of the IDP and SP machines are not synchronized. Make sure to use a time synchronization service on all systems in the federation.

Error 'InResponseToField doesn't correspond to sent message' during SSO

Make sure that application uses the same HttpSession during sending of the request and reception of the response. Typically, this problem arises when the authentication request is initialized from localhost address or http scheme, while response is received at a public host name or https scheme. E.g., when initializing authentication from URL https://host:port/app/saml/login, the response must be received at https://host;port/app/saml/SSO, not https://host:port/app/saml/SSO or https://localhost:port/app/saml/SSO.

The checking of the InResponseToField can be disabled by re-configuring the context provider as follows:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  <property name="storageFactory">
    <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>

System is redirecting to e.g. localhost address when public facing URL is different

In case you use automatic metadata generation make sure to set property entityBaseURL on bean MetadataGenerator to e.g. https://server:port/yourapp or use pre-generated metadata.

System fails during decryption or encryption of fields, e.g. with 'Failed to decrypt EncryptedData'

Make sure the Unlimited Strength Jurisdiction Policy Files are correctly installed in your JDK. See Section 4.1, “Pre-requisites” for details.

My system fails during validation of certificates with errors similar to "PKIX path building failed"

This is typically caused by misconfiguration of certificates. Either your metadata or keyStore do not contain the correct leaf certificates or CA certificates, or your certificates are invalid. You can get additional information by starting your application with flag -Djavax.net.debug=all.