Details
Description
Tomcat 9 added CSRF protection. This causes SAML login to fail with a 403 message. The fix that worked for me was adding the following line to the SAML configuration to disable CSRF.

    <!-- Secured pages with SAML as entry point -->
    <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
        <security:csrf disabled="true"/>
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>
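Editor's note: the 403 is the CSRF filter rejecting the IdP's POSTed SAMLResponse, which cannot carry an application CSRF token because it originates from the IdP. Disabling CSRF for the whole `<security:http>` block also strips the protection from every other POST in the application. A narrower alternative, shown below as an added example (not the reporter's configuration and not part of the project), keeps CSRF on and exempts only the SAML endpoints. It assumes the Spring Security 4 XML namespace (`request-matcher-ref` on `<csrf>`) and that `samlFilter` receives SAML messages under `/saml/**`; adjust the pattern if the filter is mapped elsewhere.

```xml
<!-- Added example: keep CSRF enabled, exempt only the SAML endpoints.
     Assumes Spring Security 4 XML namespace and that samlFilter is
     mapped under /saml/** (adjust to the real SAML endpoint paths). -->

<!-- A request needs a CSRF token when BOTH conditions hold:
     (1) the method is not a safe verb (GET/HEAD/OPTIONS/TRACE), matching
         Spring Security's default behaviour, and
     (2) the path is NOT a SAML endpoint (the IdP cannot know our token). -->
<bean id="csrfRequestMatcher"
      class="org.springframework.security.web.util.matcher.AndRequestMatcher">
    <constructor-arg>
        <list>
            <!-- (1) NOT a safe verb -->
            <bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
                <constructor-arg>
                    <bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
                        <constructor-arg>
                            <list>
                                <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                                    <constructor-arg value="/**"/>
                                    <constructor-arg value="GET"/>
                                </bean>
                                <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                                    <constructor-arg value="/**"/>
                                    <constructor-arg value="HEAD"/>
                                </bean>
                                <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                                    <constructor-arg value="/**"/>
                                    <constructor-arg value="OPTIONS"/>
                                </bean>
                                <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                                    <constructor-arg value="/**"/>
                                    <constructor-arg value="TRACE"/>
                                </bean>
                            </list>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
            </bean>
            <!-- (2) NOT a SAML endpoint (assumed path prefix) -->
            <bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
                <constructor-arg>
                    <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                        <constructor-arg value="/saml/**"/>
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
</bean>

<!-- Same http block as the reporter's, with CSRF kept on but scoped
     by the matcher above instead of disabled="true". -->
<security:http entry-point-ref="samlEntryPoint" use-expressions="false">
    <security:csrf request-matcher-ref="csrfRequestMatcher"/>
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
```

Quick check after deploying: a browser-initiated POST to any non-SAML URL without the `_csrf` parameter should still return 403, while the IdP's POST to the assertion consumer URL under `/saml/**` should complete the login. If the SSO POST still gets 403, the assumed `/saml/**` prefix does not match where `samlFilter` is actually mapped.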