I'm using Spring Security 4.2.20.RELEASE and spring-security-saml2-core 1.0.10.RELEASE. My application is a JSF, XML-configured application. I already coded a connection to an IDP and it has worked well for 3 years, but when I try to connect to an ADFS IDP my application seems not to recognize the NameID.
FilterSecurityInterceptor(348).authenticateIfRequired | Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: IP_OF_USER; SessionId: SESSION_ID; Granted Authorities: ROLE_ANONYMOUS
AffirmativeBased(66).decide | Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5cba5126, returned: -1
ExceptionTranslationFilter(173).handleSpringSecurityException | Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
I replaced the IP and session ID with "IP_OF_USER" and "SESSION_ID".
I checked the ADFS response and it contains a valid NameID.
I don't have full access to ADFS.
In my code, the SAMLUserDetailsService is not called. The ADFS configuration seems fine and I get a correct response from the IDP. We exchanged our metadata. For the IDP, the FederatedMetadata is stored locally; for me (the SP) it is generated. I am using HTTPS with a valid certificate. The current behaviour for a user who wants to connect is: go to my site, get redirected to the IDP page, enter valid credentials, get validated, then the login page loads multiple times. My log shows that someone tries to connect, but it does not identify the user or send information to SAMLUserDetailsService.
Why is the user anonymous instead of being created using SAMLUserDetailsService?
EDIT: Issue with CSRF
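The edit above names CSRF as the cause. Spring Security 4 enables CSRF protection by default, and the SAML response that the IDP POSTs back to the SP's assertion consumer endpoint carries no CSRF token, so that POST can be rejected before the SAML filter ever runs. The following is an added example, not code from the question or from the Spring Security SAML project: a hypothetical RequestMatcher that keeps CSRF checks on for the rest of the application and exempts only the SAML endpoints. The class name and the "/saml/**" path are assumptions (the path follows the SAML extension's default endpoint layout; check your own filter mappings).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical matcher telling Spring Security's CsrfFilter which requests
 * require a CSRF token. The IDP's POST carrying the SAMLResponse has no
 * token, so the SAML endpoints are exempted; every other state-changing
 * request keeps the check. Those endpoints are protected by XML signature
 * validation of the assertion rather than by a synchronizer token.
 */
public class SamlAwareCsrfMatcher implements RequestMatcher {

    // Methods that Spring Security's default CSRF matcher also treats as safe.
    private static final Set<String> SAFE_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    // Assumption: the SAML processing filters are mapped under /saml/.
    private final RequestMatcher samlEndpoints = new AntPathRequestMatcher("/saml/**");

    @Override
    public boolean matches(HttpServletRequest request) {
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false; // safe methods never require a token
        }
        // Require a token for everything else except the SAML endpoints.
        return !samlEndpoints.matches(request);
    }
}
```

In an XML-configured application the class is declared as a bean and referenced from the `<security:csrf request-matcher-ref="..."/>` element inside `<security:http>`. This keeps the token check for the application's own forms instead of switching it off globally with `disabled="true"`; the exemption is limited to the endpoints whose requests are authenticated by signature.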