Spring Security SAML plugin - No hosted service provider is configured exception


I am trying to integrate SAML SSO with Spring Security using the Spring Security SAML extension. Before that, I succeeded in running a proof of concept found here: https://github.com/vdenotaris/spring-boot-security-saml-sample. Unfortunately, after moving the configuration to my project it is not working correctly.

After analyzing the logs, I figured out that my application (SP) is correctly downloading the IdP metadata from the provided URL. However, when I try to download the metadata of my SP by opening https://localhost:8443/saml/metadata in a browser, the following exception is thrown:

javax.servlet.ServletException: Error initializing metadata
at org.springframework.security.saml.metadata.MetadataDisplayFilter.processMetadataDisplay(MetadataDisplayFilter.java:120)
at org.springframework.security.saml.metadata.MetadataDisplayFilter.doFilter(MetadataDisplayFilter.java:88)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1645)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:564)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1111)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:498)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1045)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:98)
at org.eclipse.jetty.server.Server.handle(Server.java:461)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:284)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:244)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:534)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: No hosted service provider is configured and no alias was selected
    at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalEntity(SAMLContextProviderImpl.java:311)
    at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalContext(SAMLContextProviderImpl.java:216)
    at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalEntity(SAMLContextProviderImpl.java:107)
    at org.springframework.security.saml.metadata.MetadataDisplayFilter.processMetadataDisplay(MetadataDisplayFilter.java:114)
    ... 24 more

After debugging, I was not able to figure out why Spring is not able to determine the entity ID of my application. I am setting it like this:

// Filter automatically generates default SP metadata
@Bean
public MetadataGenerator metadataGenerator() {
    MetadataGenerator metadataGenerator = new MetadataGenerator();
    metadataGenerator.setEntityId(environment.getRequiredProperty("saml.entity-id"));
    metadataGenerator.setEntityBaseURL("URL is here");
    metadataGenerator.setExtendedMetadata(extendedMetadata());
    metadataGenerator.setIncludeDiscoveryExtension(false);
    metadataGenerator.setKeyManager(keyManager());
    return metadataGenerator;
}

Of course, the saml.entity-id property is correctly downloaded from my configuration. The whole security config is here: https://gist.github.com/mc-suchecki/671ecb4d5ae4bae17f81

The order of the filters is correct: the Metadata Generator Filter is before the SAML Filter. I am not sure whether this is relevant (I suppose not), but my application is not using Spring Boot, while the sample application (the source of the configuration) is.

Thank you in advance for any help.

I found the issue this week. There was a problem with the filters. One of the methods was creating the 'samlFilter', like this:

public FilterChainProxy samlFilter() throws Exception {
    List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
        metadataDisplayFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
        samlWebSSOProcessingFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
        samlWebSSOHoKProcessingFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
        samlLogoutProcessingFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery()));
    return new FilterChainProxy(chains);
}

After that, another method was setting the whole filter chain for Spring, like so:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic().authenticationEntryPoint(samlEntryPoint());
    http.csrf().disable();
    http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/error").permitAll()
        .antMatchers("/saml/**").permitAll().anyRequest().authenticated();
    http.logout().logoutSuccessUrl("/");
}

That was perfectly correct. However, when launching the application with a Jetty server, I was connecting only the 'samlFilter' to the application context. Because of that, the 'metadataGeneratorFilter', which is required to run before the 'metadataDisplayFilter', was not added to the filter chain at all. When I changed 'samlFilter' to 'springSecurityFilter', everything started working. That was not easy to find, because of my non-standard use of Jetty.

Thank you for your help!
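As an added example (not code from the question or the answer above), this is what an embedded Jetty launcher looks like when it registers the complete Spring Security chain through the "springSecurityFilterChain" bean instead of only the samlFilter bean; the SecurityConfig class name is an assumption standing in for the asker's configuration class, and the TLS connector is omitted.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.DispatcherServlet;

public class JettyLauncher {
    public static void main(String[] args) throws Exception {
        AnnotationConfigWebApplicationContext ctx = new AnnotationConfigWebApplicationContext();
        // Hypothetical @Configuration class holding the SAML beans from the answer
        // (metadataGeneratorFilter, samlFilter, configure(HttpSecurity), ...).
        ctx.register(SecurityConfig.class);

        ServletContextHandler handler = new ServletContextHandler(ServletContextHandler.SESSIONS);
        handler.setContextPath("/");
        handler.addEventListener(new ContextLoaderListener(ctx));
        handler.addServlet(new ServletHolder(new DispatcherServlet(ctx)), "/*");

        // Wrong: delegating only to the samlFilter bean skips metadataGeneratorFilter,
        // so MetadataDisplayFilter finds no local entity and fails with
        // "No hosted service provider is configured and no alias was selected".
        // handler.addFilter(new FilterHolder(new DelegatingFilterProxy("samlFilter")), "/*",
        //         EnumSet.of(DispatcherType.REQUEST));

        // Right: delegate to the chain assembled by configure(HttpSecurity), which places
        // metadataGeneratorFilter in front of the SAML filters.
        FilterHolder security = new FilterHolder(new DelegatingFilterProxy("springSecurityFilterChain"));
        handler.addFilter(security, "/*", EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR));

        Server server = new Server(8443); // plain HTTP here; add an SslContextFactory connector for https
        server.setHandler(handler);
        server.start();
        server.join();
    }
}
```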


Do you have an IDP configured?


In MetadataGenerator, entityId is a shared key you use to tell your IDP that your application wants to access it. On the IDP side there is a samlConfiguration where you need to enter the same entityId to enable your application to access the IDP users.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <!-- must match the entity ID registered on the IDP side -->
            <property name="entityId" value="****"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.web.MyExtendedMetadata">
                    <property name="signMetadata" value="true"/>
                    <property name="signingKey" value="****"/>
                    <property name="encryptionKey" value="****"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>


I was able to resolve this by excluding the SAML filters from Spring Boot's auto-registration of regular (non-security) filters by adding a FilterRegistrationBean for each filter, such as

@Bean
public FilterRegistrationBean disableSAMLEntryPoint() {
    // Register the filter only to switch off Boot's automatic servlet-container registration;
    // the filter is still applied through the Spring Security chain.
    final FilterRegistrationBean registration = new FilterRegistrationBean<>(samlEntryPoint());
    registration.setEnabled(false);
    return registration;
}


Comments
  • Have you tried using the URL localhost:8443/<Application Context Root>/saml/metadata in the browser to download the metadata? The URL you are trying does not contain the application name at all.
  • I think the URL is correct; if not, there would be a 404 status code instead of a 500 status code, and no exception.
  • I was also getting this error when using spring-saml-extension for SSO. Can you please tell me the value of the saml.entity-id property?
  • To be precise, the following is the code snippet of the method from the SAMLContextProviderImpl class where you are getting the error. It seems your entity ID is null.

    void populateLocalEntity(SAMLMessageContext samlContext) throws MetadataProviderException {
        String localEntityId = samlContext.getLocalEntityId();
        QName localEntityRole = samlContext.getLocalEntityRole();
        if (localEntityId == null) {
            throw new MetadataProviderException("No hosted service provider is configured and no alias was selected");
        }

  • Yeah, exactly: the local entity ID is null in my SAMLContext. But the question is, why?
  • "When I changed 'samlFilter' to 'springSecurityFilter', everything started working." Can you please give a code sample for that? Do you mean that you added a Spring IOC ref in securityContext.xml? I cannot find any "springSecurityFilter" other than the Servlet defined in web.xml: <filter-name>springSecurityFilterChain</filter-name>
  • I am stuck on a similar issue. Could you share a code sample or elaborate on "changing samlFilter to springSecurityFilter"?
  • For me, it was basically the same story: the SAML configuration was loaded after the other HTTP configuration. I solved that by adding the @Order annotation (to load the SAML configuration earlier than the other configuration).
  • I think you do not have any entry with the saml.entity-id in your IDP.
  • That is unfortunately not the issue. My IDP is configured via a web interface, and it is working well when I use it from another application. The problem is on the SP side, and I am 100% sure about that. My SP is also correctly downloading the IDP metadata, based on the logs.