Saml2AuthenticationRequestRepository does not work in combination with Spring Session

[tompson]

Summary

The HttpSessionSaml2AuthenticationRequestRepository saves the Saml2AuthenticationRequest in the session and tries to load it after the IdP authenticated the user.

This does not work when using Spring Session because the session cookie is not sent to the server after the IdP authenticated the user.

Spring Session creates a session cookie with SameSite=Lax which causes the browser not to send the cookie when sending the POST request after the IdP authentication.

To Reproduce

Create a minimal Spring Boot application with Spring Security SAML and Spring Session active.

Expected behaviour

After login at the IdP and being redirected to the application the user should be signed in and seeing the secured URL.

Actual behaviour

A new session is created and the user is at the login page again. When he tries to load the secured URL he is able to request it.

[eleftherias]

Thanks for reaching out @tompson.

Note that we have a workaround shared in spring-projects/spring-session#1577.

We will need to think about what changes in Spring Security or Spring Session could make this scenario work, since there is no clear solution at the moment.
Feel free to share any suggestions.

[jzheaux]

@tompson, can you clarify how this is an issue with Saml2AuthenticationRequestRepository? It sounds like it's an issue with the RequestCache.

Saml2AuthenticationRequestRepository stores the AuthnRequest for the purpose of validating the InResponseTo value in the SAML 2.0 Response, but such validation has not yet been added.

[tompson]

@eleftherias thanks for that hint, I experimented with different settings for SameSite myself but it is not an option for us to reduce protection against CSRF

@jzheaux I stumbled across this when trying to solve #10550 and I realised later that it is just an optional validation of InResponseTo - so it is no blocker for us

[jzheaux]

Thanks, @tompson. I wonder if you could create an implementation of RequestCache that keys the saved requests by the AuthnRequest#ID instead of by the session id.

Since there is no problem with Saml2AuthenticationRequestRepository, I'm going to decline this ticket. Feel free to continue the conversation, though, as needed.