SAML Authentication Issue with Simultaneous User Logins #14932

Closed
siddharth-78 opened this issue Apr 19, 2024 · 4 comments
Labels: in: saml2 (An issue in SAML2 modules), status: feedback-provided (Feedback has been provided)

Comments

@siddharth-78

I have set up SAML authentication for MyApp using Okta as the Identity Provider (IDP). The expected behavior is that when users log in to MyApp through the Okta tile, they should be authenticated and logged in to their respective accounts in MyApp (Service Provider or SP) based on their IDP credentials.

However, I have encountered an issue when two different users, sbaranidharan@gmail.com and siddharthb842@gmail.com, attempt to log in simultaneously from the Okta IDP. Instead of each user being logged in to their respective accounts in MyApp, an unexpected behavior occurs:

User 1 (sbaranidharan@gmail.com) initiates the login process by clicking on the Okta tile and providing their credentials.
Simultaneously, User 2 (siddharthb842@gmail.com) also initiates the login process by clicking on the Okta tile and providing their credentials.

Okta (IDP) authenticates both users successfully based on their provided credentials.
Okta generates SAML assertions for both users, which include their respective user identities (e.g., email addresses).
The SAML assertions are sent to MyApp (SP) for further processing and user authentication.
MyApp receives the SAML assertions for both users and attempts to authenticate them based on the provided user identities.
However, instead of correctly mapping and logging in each user to their respective accounts, MyApp logs in both users to the same account (sbaranidharan@gmail.com), regardless of their original IDP credentials.

This behavior is unexpected and incorrect because:
User 1 (sbaranidharan@gmail.com) is correctly logged in to their own account in MyApp, which matches their IDP credentials.
User 2 (siddharthb842@gmail.com) is incorrectly logged in to the account of User 1 (sbaranidharan@gmail.com) in MyApp, despite having different IDP credentials.
The issue seems to occur specifically when the two users attempt to log in simultaneously and does not occur if there is a gap of a few seconds between the times User 1 and User 2 attempt to authenticate.

This problem can lead to security vulnerabilities and unauthorized access, as users may gain access to accounts and resources that do not belong to them. It violates the expected behavior of SAML authentication, where each user should be authenticated and logged in to their respective accounts based on their unique IDP credentials.

Here is the link to the logs that are generated when I attempt to log in to my SP from Okta simultaneously. Please note that my 2 users are:

  1. sbaranidharan@gmail.com -> Has admin access, i.e. Granted Authorities=[AUTH_MGMT_POWER_OPS, AUTH_KMS_POWER_OPS, AUTH_INSPECT_HOSTS, AUTH_NAVIGATOR, AUTH_SERVICE_CONFIG, .......]]]
  2. siddharthb842@gmail.com -> Has only read-only access, i.e. Granted Authorities=[ROLE_USER]

Logs: https://drive.google.com/file/d/16dAgUB0N6NK5PazgYkm-s8S-Fu_JC6Ps/view?usp=sharing

Do let me know if any further information is required, and also what I would need to do to get to the bottom of it.

@siddharth-78 siddharth-78 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 19, 2024
@jzheaux
Contributor

jzheaux commented Apr 25, 2024

Hi, @siddharth-78, just in case this is a security vulnerability, will you please report this to our private GitHub repo before disclosing more details about your application? Then, when reporting, please provide a minimal sample of your SAML 2.0 configuration, including any custom implementations of Spring Security interfaces that you use.

Depending on the outcome of that investigation, we can post additional details back here.

@jzheaux jzheaux self-assigned this Apr 25, 2024
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 25, 2024
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label May 2, 2024
@siddharth-78
Author

Here is a sample application which is similar to my original SAML setup:
https://github.com/siddharth-78/minimal-saml2-sample/tree/main

Will raise the vulnerability in the private repo as well. Thanks @jzheaux

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels May 8, 2024
@siddharth-78
Author

Configuration issue within my application and not a Spring/SAML issue.
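The thread closes with the reporter attributing the behaviour to their own application's configuration, without saying which setting was at fault. As an added illustration, not code from the reporter's application, the linked sample, or Spring Security, the plain-Java program below shows the general defect class that produces exactly the symptom described above: a component that every login shares (Spring beans are singleton-scoped by default, so a custom SAML response converter or authentication provider is one object for all requests in flight) keeping per-request data, here the assertion's NameID, in an instance field. `StatefulMapper`, `StatelessMapper`, `Assertion`, `LocalUser` and the two-entry directory are constructed for the demo; the two e-mail addresses are the ones from the report. It needs Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class SamlMappingRaceDemo {

    // Constructed stand-ins for the demo; neither is a Spring Security type.
    record Assertion(String nameId) {}
    record LocalUser(String email, String role) {}

    // Constructed directory of local accounts keyed by the NameID the IdP sends.
    static final Map<String, LocalUser> DIRECTORY = Map.of(
            "sbaranidharan@gmail.com", new LocalUser("sbaranidharan@gmail.com", "ADMIN"),
            "siddharthb842@gmail.com", new LocalUser("siddharthb842@gmail.com", "ROLE_USER"));

    interface AssertionMapper {
        LocalUser map(Assertion assertion) throws InterruptedException;
    }

    // Defective pattern: per-request data parked in a field of a shared singleton.
    static final class StatefulMapper implements AssertionMapper {
        // volatile only so the overwrite is reliably visible in the demo; it does NOT fix the race.
        private volatile String currentNameId;

        @Override
        public LocalUser map(Assertion assertion) throws InterruptedException {
            currentNameId = assertion.nameId();
            Thread.sleep(50); // stands in for a DB/LDAP lookup; the other login overwrites the field meanwhile
            return DIRECTORY.get(currentNameId);
        }
    }

    // Correct pattern: the request's data never leaves the method's own stack frame.
    static final class StatelessMapper implements AssertionMapper {
        @Override
        public LocalUser map(Assertion assertion) throws InterruptedException {
            String nameId = assertion.nameId();
            Thread.sleep(50);
            return DIRECTORY.get(nameId);
        }
    }

    /** Starts both logins at the same instant; returns how many ended up in someone else's account. */
    static int crossAssignments(AssertionMapper mapper) throws Exception {
        List<String> logins = List.of("sbaranidharan@gmail.com", "siddharthb842@gmail.com");
        CyclicBarrier start = new CyclicBarrier(logins.size());
        ExecutorService pool = Executors.newFixedThreadPool(logins.size());
        List<Future<LocalUser>> results = new ArrayList<>();
        for (String nameId : logins) {
            Callable<LocalUser> login = () -> {
                start.await(); // release both threads together, like two users clicking the tile at once
                return mapper.map(new Assertion(nameId));
            };
            results.add(pool.submit(login));
        }
        int wrong = 0;
        for (int i = 0; i < logins.size(); i++) {
            LocalUser resolved = results.get(i).get();
            if (!resolved.email().equals(logins.get(i))) {
                wrong++;
            }
        }
        pool.shutdown();
        return wrong;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("stateful mapper, cross-assigned logins:  " + crossAssignments(new StatefulMapper()));
        System.out.println("stateless mapper, cross-assigned logins: " + crossAssignments(new StatelessMapper()));
    }
}
```

With the stateful mapper, whichever login stored its NameID first reads back the other user's NameID after the simulated lookup, so one of the two sessions resolves to the wrong account (which one depends on scheduling); the stateless mapper reports zero cross-assignments, and, as in the report, the defect disappears if the two logins are separated by more than the lookup time. The practitioner check this suggests for any SAML setup: every custom converter, `AuthenticationProvider` or user-lookup bean wired into the SAML configuration should hold configuration only, never the principal currently being processed; a session-scoped or request-scoped bean, or a local variable, is the place for that.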
