Integration of Okta Saml 2.0 with Structurizr onpremises application

[sdobhal369]

I would like to know how to integrate Okta Saml 2.0 into the application using the structurizr property file. Right now I am facing issues after integration and it says invalid credentials and sometimes it just gives me a blank page, which means it is not redirecting to the dashboard after signing in.

Error:- Invalid destination [{structurizr.url}/login/saml2/sso] for SAML response [id5232169254467101793067833]

This is the below configuration example which I am currently using

structurizr.authentication=saml
structurizr.saml.metadata=https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata
structurizr.saml.attribute.username=email
structurizr.saml.signing.certificate=certificate.crt

and my reply URL is {structurizr.url}/login/saml2/sso and docker image I am using structurizr/onpremises:2024.06.25

Is there any other property for Saml like okta URL, SSO URL, Signout URL, etc..

[simonbrowndotje]

I copied the example Okta configuration from the docs and it worked first time -> https://docs.structurizr.com/onpremises/authentication/saml

(my on-premises installation is running at http://localhost:8080 ... I would try that first before introducing more variables)

[jimmcslim]

I'm also experiencing similar issues. I would advise following https://docs.structurizr.com/onpremises/configuration#logging for enhanced logging, but in particular set logger.springSecurity.level = trace. Then I observe in the logs (log level, timestamp, log source elided for clarity)...

[01] Processing SAML response from http://www.okta.com/<oktaId>
[02] Found 2 validation errors in SAML response [<responseId>]: [[invalid_destination] Invalid destination [http://localhost:8080/login/saml2/sso] for SAML response [<responseId>], [invalid_assertion] Invalid assertion [<assertionId>] for SAML response [<responseId>]: Condition '{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction' of type 'null' in assertion '<assertionId>' was not valid.: None of the audiences within Assertion '<assertionId>' matched the list of valid audiances]
[03] No event was found for the exception org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException
[04] Failed to process authentication request

The key part of that above seems to be:

Condition '{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction' of type 'null' in assertion '<assertionId>' was not valid.: None of the audiences within Assertion '<assertionId>' matched the list of valid audiances]

Looking at the relevant fragment SAML response (you can grab this out of the Chrome Network tab, it is in the form data payload POSTed to http://localhost:8080/login/saml2/sso, it will need to be base64 decoded into its XML)

    <saml2:Conditions NotBefore="2024-12-02T04:28:48.072Z" NotOnOrAfter="2024-12-02T04:38:48.072Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>

"AudienceRestriction of type 'null'" seems a bit suspicious to me.

There is this link https://support.okta.com/help/s/question/0D54z00007IX1aTCAT/saml2-signing-audiencerestriction-of-type-null-in-assertion which suggests:

I think my issue is resolved after putting http://[hostaddress]:8080/saml2/service-provider-metadata/okta for Audience Restriction

But I'm not sure how to set that in structurizr/Spring SAML - or maybe that is what should go into Okta itself?

[jimmcslim]

Also trying to test SAML authentication with http://mocksaml.com which looks like a great resource, but I haven't gotten a successful integration yet.

[simonbrowndotje]

it might be handy if you could share a screenshot of your configuration on the Okta side.

I don't use Okta I'm afraid - sorry!

[jimmcslim]

it might be handy if you could share a screenshot of your configuration on the Okta side.

I don't use Okta I'm afraid - sorry!

Ok no problem. Curious to know how you test this. The http://mocksaml.com website for example looks pretty good for testing things in the absence of a real backend but I found I got less far along the process than with Okta (e.g. it didn't refer the client to the IdP login page). And I couldn't find a meaningful message in the logs. I might try and stand up the code and debug it.

[simonbrowndotje]

Curious to know how you test this.

SAML integration is notoriously complicated because every IdP is configured differently. I've tested against the Okta configuration used by the Spring Security team (that's the config in the docs pointed to above), but all of our clients paying for support are using Azure AD/Entra ... so that's what I test against the most.

[jimmcslim]

Is there a way to get clearer debug information out of this? I have both logger.app.level and logger.springSecurity.level set to trace - when testing against mocksaml.com I get 500 from the /saml2/authenticate/structurizr endpoint from clicking Sign In - and there are no error logs with an ERROR level that might make this clearer.

[jimmcslim]

Ok I got farther with my attempt at Okta integration.

I ensured that structurizr.saml.entityId matched what is configured in the Okta SAML Settings/Audience Restriction field.

Now my error is essentially No subject confirmation methods were met for assertion. in the SAML response from Okta that being...

    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ARQf1753ff-9cd9-4526-9907-03d65b37a2a3" NotOnOrAfter="2024-12-04T13:19:45.595Z" Recipient="http://localhost:8080/login/saml2/sso" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>

This StackOverflow question suggests that it is a problem with the port number.

Okta allows you to set either Single Signon URL (e.g. http://localhost:8080/login/saml2/sso) or separately set Recipient URL and Destination URL - in this case I left Destination URL with the port but for Recipient URL I removed the port number. When trying with this I observed Recipient="http://localhost/login/saml2/sso" in the SubjectConfirmationData but still didn't work.

[jimmcslim]

I'm also wondering if this line

onpremises/structurizr-onpremises/src/main/java/com/structurizr/onpremises/authentication/saml/Configuration.java

Line 108 in d04f203

if (!StringUtils.isNullOrEmpty(signingCertificate) && !StringUtils.isNullOrEmpty(privateKey)) {

should really be expecting both signingCertificate AND privateKey to be set. E.g. Okta allows you to specify that responses from the IdP are signed (e.g. signingCertificate may have a value), however the requests themselves don't have to be signed (privateKey is empty).

[jimmcslim]

GOT IT!

In Okta, the Single Sign On URL needs to be set to (in the localhost example we are talking about here) http://localhost:8080/login/saml2/sso/structurizr where the final structurizr is actually the value of the structurizr.saml.registrationId property (structurizr by default). In the Okta example in the documentation, linking to the Spring Security sample, it is mysteriously one but unfortunately we are missing the information that the value of structurizr.saml.registrationId needs to be appended to the {structurizr.url}/login/saml2/sso Reply URL/Single Sign On URL.

[sdobhal369]

Great!

So what is your final configuration look like? If you don't mind to share!

[sdobhal369]

I am also getting this error when login successfully and creating a workspace.

[jimmcslim]

If you are repeatedly testing login, this appears to happen frequently, not sure if it is an issue beyond that.