Spring 6 Migration Breaking SAML2 InResponseTo Validation for Multiple Requests in the Same Session


We are migrating Spring from 5.6.x to 6.2.x. We have SSO authentication and we use SAML2. What we noticed in production is that a few sessions were getting 401s, and the logs said "Failed to match SubjectConfirmationData@InResponseTo of: #RequestId#". I don't have any prior experience with Spring Security, but debugging this issue made me realize it happens when the user has multiple concurrent browser windows open.

To replicate, we opened multiple windows and set the HTTP session timeout to 1 minute. When all 6 timed out, we clicked OK and 6 parallel SSO requests were sent to the IdP. But the issue is that HttpSessionSaml2AuthenticationRequestRepository calls "setAttribute" with a static key like "HttpSessionSaml2AuthenticationRequestRepository.SAML@_AUTHN_REQUEST". So if the ID is static in the ConcurrentHashMap in the HttpSession implementation, it is getting overwritten (as per my understanding):

SSO Req 1 (Req id: "arqxdedtww"), HTTP session id: updates the session, adds the SamlRequest with id -> "arqxdedtww" and sends SSO REQ 1 to the IdP

SSO Req 2 (Req id: "wdwhwehwehw") (same JSESSIONID as the request above): overwrites (as the key is static) Saml2PostAuthenticationRequest with ID "wdwhwehwehw" -> SSO Req 2 to the IdP

SSO Response 1 comes with attribute InResponseTo="arqxdedtww" and Spring tries to validate it. But in the session, Saml2PostAuthenticationRequest has already been updated to SSO Req 2, and thus validation fails. It clears the context.

SSO Response 2 comes, and the error says no ID was found and throws an exception.

We have a business case where a user opens multiple tabs, and when the auth request goes out it fails. Spring 5.6.x by default used to send a valid response for the InResponseTo validation, but with recent changes (5.7.x) this validation was added.

As said, I had no prior knowledge of Spring Security; I need inputs on how to manage this use case and how we can disable this InResponseTo validation, or store the AuthenticationRequest in, say, our Hazelcast cluster and use it for validation on the RelayState id.

Spring Change: https://github.com/spring-projects/spring-security/issues/9174

Thank you.

I have not tried any fix, as I am not aware whether we can disable the validation.

OpenSaml 4.2 Spring 6.2.1 SAML2
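The overwrite described in the question comes from every tab sharing one session attribute. An added example, not code from the question or from Spring Security: a Saml2AuthenticationRequestRepository that keeps one pending AuthnRequest per RelayState (Spring's default request resolver sets RelayState to a random UUID, and the IdP echoes it back as a form parameter with the Response), so concurrent tabs no longer clobber each other and the InResponseTo check can stay enabled instead of being disabled. The class name, the session attribute name and the MAX_PENDING cap are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;

// Keeps one pending AuthnRequest per RelayState, so N open tabs keep N requests (assumed class name).
public class RelayStateSaml2AuthenticationRequestRepository
        implements Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> {
    private static final String ATTR = RelayStateSaml2AuthenticationRequestRepository.class.getName() + ".PENDING";
    private static final int MAX_PENDING = 16; // cap so a burst of tabs cannot grow the session without limit
    @Override
    public AbstractSaml2AuthenticationRequest loadAuthenticationRequest(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String relayState = request.getParameter("RelayState"); // the IdP echoes it back with the Response
        // No pending entry yields null, and the provider's InResponseTo check then rejects that Response.
        return (session == null || relayState == null) ? null : pending(session).get(relayState);
    }
    @Override
    public void saveAuthenticationRequest(AbstractSaml2AuthenticationRequest authnRequest,
            HttpServletRequest request, HttpServletResponse response) {
        if (authnRequest == null) { removeAuthenticationRequest(request, response); return; } // null means "clear"
        Map<String, AbstractSaml2AuthenticationRequest> pending = pending(request.getSession(true));
        synchronized (pending) { // synchronizedMap guards single calls; eviction iterates, so hold the lock
            while (pending.size() >= MAX_PENDING) {
                pending.remove(pending.keySet().iterator().next()); // LinkedHashMap order: evicts the oldest
            }
            pending.put(authnRequest.getRelayState(), authnRequest);
        }
    }
    @Override
    public AbstractSaml2AuthenticationRequest removeAuthenticationRequest(HttpServletRequest request,
            HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        String relayState = request.getParameter("RelayState");
        return (session == null || relayState == null) ? null : pending(session).remove(relayState);
    }
    private Map<String, AbstractSaml2AuthenticationRequest> pending(HttpSession session) {
        Map<String, AbstractSaml2AuthenticationRequest> map = (Map<String, AbstractSaml2AuthenticationRequest>) session.getAttribute(ATTR);
        if (map == null) { // Serializable, so a clustered session store such as Hazelcast can replicate it
            map = Collections.synchronizedMap(new LinkedHashMap<>());
            session.setAttribute(ATTR, map);
        }
        return map;
    }
}
```

Register it with `http.saml2Login(saml2 -> saml2.authenticationRequestRepository(new RelayStateSaml2AuthenticationRequestRepository()))`; each Response is then matched against the request that produced it, and the InResponseTo validation keeps protecting against unsolicited or replayed Responses.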

