This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

Can't parse attributes from OKTA response #179

Closed

richardcs opened this issue Sep 2, 2016 · 5 comments

Comments

richardcs commented Sep 2, 2016

We have a spring-security-saml SP implementation that has been working with many IdPs (ADFS, Ping Identity, etc.). We are trying to integrate with OKTA's IdP and although nothing readily fails, we are not able to read the attributes out of the assertion. I have included the obfuscated response, which uses the saml2 and saml2p namespace prefixes (unlike other Responses we parse correctly, which use the samlp prefix). That's the only real difference I can determine. The code we use to parse the attributes looks like:

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

// UserDetails here is the application's own class (its constructors take the
// name/email/first/last fields), not Spring's UserDetails interface.
public class SAMLAuthenticationUserDetailsService implements SAMLUserDetailsService {
    private static Logger logger = Logger.getLogger(SAMLAuthenticationUserDetailsService.class);
    // Attribute names as they appear in the assertion, injected from a properties file
    private String firstNameAttribute;
    private String lastNameAttribute;
    private String emailAttribute;

    // Setters used for property injection
    public void setFirstNameAttribute(String firstNameAttribute) { this.firstNameAttribute = firstNameAttribute; }
    public void setLastNameAttribute(String lastNameAttribute) { this.lastNameAttribute = lastNameAttribute; }
    public void setEmailAttribute(String emailAttribute) { this.emailAttribute = emailAttribute; }

    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        logger.debug(token);
        throw new UsernameNotFoundException("not supported");
    }

    public UserDetails loadUserBySAML(SAMLCredential samlCredential) throws UsernameNotFoundException {
        // NameID is mandatory in the assertion, so it is the fallback for every field
        String nameId = samlCredential.getNameID().getValue();
        UserDetails userDetails = new UserDetails(nameId, nameId, nameId, AuthorityUtils.NO_AUTHORITIES);

        // getAttributeAsString matches the attribute Name exactly and returns null when absent
        String firstName = samlCredential.getAttributeAsString(firstNameAttribute);
        String lastName = samlCredential.getAttributeAsString(lastNameAttribute);
        String email = samlCredential.getAttributeAsString(emailAttribute);
        if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)) {
            userDetails = new UserDetails(nameId, StringUtils.isNotEmpty(email) ? email : nameId, nameId,
                    firstName, lastName, AuthorityUtils.NO_AUTHORITIES);
        }
        return userDetails;
    }
}

The actual attribute names are injected from a properties file and were correct. We tried many variations: no spaces, all lowercase. No combination worked.

We also see from the logs that the attributes are being processed:

2016-08-31 21:23:20,865 [http-apr-8280-exec-5] 88792226 DEBUG org.springframework.security.saml.websso.WebSSOProfileConsumerImpl (processAuthenticationResponse:237) - Including attribute email from assertion id17554796923033802113941666
2016-08-31 21:23:20,865 [http-apr-8280-exec-5] 88792226 DEBUG org.springframework.security.saml.websso.WebSSOProfileConsumerImpl (processAuthenticationResponse:237) - Including attribute First Name from assertion id17554796923033802113941666
2016-08-31 21:23:20,865 [http-apr-8280-exec-5] 88792226 DEBUG org.springframework.security.saml.websso.WebSSOProfileConsumerImpl (processAuthenticationResponse:237) - Including attribute Last Name from assertion id1755479692303380211394

But the Principal comes back with the firstname, lastname as null.

The Response:

<?xml version="1.0"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://sp.example.org/saml/SSO" ID="id17554796922952048461035922" IssueInstant="2016-08-31T21:23:20.307Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/ekx28s8khb7y4J3qH1d9</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id17554796923033802113941666" IssueInstant="2016-08-31T21:23:20.307Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk18s8jzb7y0J3qG1d8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id17554796923033802113941666">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>99Te1cA02NziEBFHa5I/9frm4+4VNWO3Nfj4l36y9AQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>hiFHwIHvS7SuFjmZ3uQ1eGX1N0PEHYVE+Oirg8dbC+ejoqLCXr/C9aSVsSZQptKSLlxA9mgzHwpq/44wLOfkjTClM4i/VLQdVbnr3lNoQu2vOwIYXzSKBuh0ua8myxZUaO7/tHgIFU+X6tXpFmZS+Wt5dOj7yFFPBesqRNmVJ8kLG9MdcCwkKnZ5vWaalytkZiHN2WKZnniABj8evP2v11JDFWlUIzYIQWevSdxVgx+oMiYRc6AwUArQbFwkNFuccii9uX1xhN+IQl3ZL61k1qfiFSrj8aHEpJQEfopQNStPkuUIIKaVRdE5MBJYcLslxbacrhEjyEcvrHtN5v6vCw==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[redacted certificate]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2016-08-31T21:28:20.308Z" Recipient="https://sp.example.org/saml/SSO"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2016-08-31T21:18:20.308Z" NotOnOrAfter="2016-08-31T21:28:20.308Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sp.example.org:443</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2016-08-31T21:23:20.307Z" SessionIndex="id1472678600307.1519145808">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="First Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Joe</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Last Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
@serenayang001

The namespace is not compatible with our authenticator either. Is there a way to config prefix in xml configuraiton?

@richardcs

This issue was related to a properties file that we were using on Windows. The properties file contained key=value type properties, and one of the values was blank prior to the properties we needed for getting the attributes. Moving the blank-valued property to the end of the file solved our problem.

@mnagineni85

Hi Richard, I am trying to implement Okta SSO for my Spring MVC application. We already have regular Spring Security authentication. We have to implement Okta SSO auth now. I am following the link below to implement it.

https://developer.okta.com/blog/2017/03/16/spring-boot-saml

It is not working with context path in the url.

Also, once the authentication is successful, how are you parsing the response?

Below is my security config code.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// saml() DSL from spring-security-saml-dsl, as used in the linked Okta guide
import static org.springframework.security.extensions.saml2.config.SAMLConfigurer.saml;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/saml*").permitAll()   // SAML endpoints must be reachable before login
                .anyRequest().authenticated()
                .and()
            .apply(saml())
                .serviceProvider()
                    .keyStore()
                        .storeFilePath("classpath:saml/keystore.jks")
                        .password("secret")
                        .keyname("spring")
                        .keyPassword("secret")
                        .and()
                    .protocol("http")
                    .hostname("localhost:8443")
                    .basePath("/")               // SP base path used when building SAML endpoint URLs
                    .and()
                .identityProvider()
                .metadataFilePath("****************************");
    }
}

Any help would be appreciated.

Thanks

brzler commented Jun 14, 2020

This issue is still present in mid 2020 ... the SP part in Spring Security can't parse any information from the SAMLResponse (all fields in the OpenSaml Response object parsed in the org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider are null) because the XML namespaces in the response XML are saml2 and saml2p (and not saml and samlp as expected by Spring Security) ... closed without any comments ... nice guys.

At least tell us if this is even supported or a bug or configurable ...
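Both the original post and the comment above point at the saml2/saml2p prefixes in Okta's response. The following is an added example, not code from this thread or from Spring Security: it feeds the same AttributeStatement to a namespace-aware parser under both prefix conventions (the element names are constructed from the response quoted above, with a constructed e-mail address) and looks attributes up by their exact Name, the way getAttributeAsString does.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespace URIs. The prefix an IdP binds to them (saml/saml2,
# samlp/saml2p) is the IdP's choice; a namespace-aware parser only sees the URI.
NS_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def build_response(ap, pp):
    """Constructed sample: the AttributeStatement from the Okta response in this
    thread, emitted with assertion prefix `ap` and protocol prefix `pp`."""
    return f"""<{pp}:Response xmlns:{pp}="{NS_PROTOCOL}" xmlns:{ap}="{NS_ASSERTION}"
    ID="id-constructed" Version="2.0">
  <{ap}:Assertion ID="id-constructed-assertion" Version="2.0">
    <{ap}:AttributeStatement>
      <{ap}:Attribute Name="email"><{ap}:AttributeValue>joe@example.org</{ap}:AttributeValue></{ap}:Attribute>
      <{ap}:Attribute Name="First Name"><{ap}:AttributeValue>Joe</{ap}:AttributeValue></{ap}:Attribute>
      <{ap}:Attribute Name="Last Name"><{ap}:AttributeValue>Smith</{ap}:AttributeValue></{ap}:Attribute>
    </{ap}:AttributeStatement>
  </{ap}:Assertion>
</{pp}:Response>"""


def parse_attributes(xml_text):
    """Return {Name: [values]} for every Attribute in the response, matching
    elements on their namespace URI (Clark notation {uri}local), never on the prefix."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_PROTOCOL}}}Response":
        raise ValueError(f"not a SAML 2.0 Response element: {root.tag}")
    attrs = {}
    for attr in root.iter(f"{{{NS_ASSERTION}}}Attribute"):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall(f"{{{NS_ASSERTION}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def attribute_as_string(attrs, name):
    """Mirror SAMLCredential.getAttributeAsString: exact Name match (spaces and
    case included), first value, or None when the attribute is absent."""
    values = attrs.get(name)
    return values[0] if values else None


if __name__ == "__main__":
    for ap, pp in (("saml2", "saml2p"), ("saml", "samlp")):
        print(ap, pp, parse_attributes(build_response(ap, pp)))
```

Run it and both prefix variants produce the same dictionary; a lookup with "firstname" instead of "First Name" returns None, which is what a null first name in the Principal looks like from the caller's side.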

jzheaux commented Jun 16, 2020

I've heard recent reports of successful Okta integrations.

Also, it appears that the OP for the ticket was able to resolve their own issue, which is why they closed it with a comment explaining their solution.
