Java Spring SAML handshake fails - Failed to validate untrusted credential against trusted key
I am using the Spring Security SAML extension to integrate with the ACA healthcare (aka Obamacare) site. It uses IDP-initiated SSO. The SAML handshake fails with the output below:
org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider] Single certificate was present, treating as end-entity certificate
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] A total of 1 credentials were resolved
org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry] Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.opensaml.xml.signature.SignatureValidator] Signature validated with key from supplied credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate credential was successful
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Successfully verified signature using KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Attempting to establish trust of KeyInfo-derived credential
org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator] Failed to validate untrusted credential against trusted key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to establish trust of KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Attempting to verify signature using trusted credentials
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.apache.xml.security.signature.XMLSignature] Signature verification failed.
org.opensaml.xml.signature.SignatureValidator] Signature did not validate against the credential's key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
My securityContext contains the following:
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:${MC_METADATA}</value>
</constructor-arg>
<property name="parserPool" ref="parserPool" />
</bean>
</constructor-arg>
<constructor-arg>
<map>
<entry key="${MC_ALIAS_1}">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true" />
<property name="alias" value="${MC_ALIAS_1}" />
<property name="securityProfile" value="metaiop" />
<property name="requireArtifactResolveSigned" value="false" />
<property name="requireLogoutRequestSigned" value="false" />
<property name="requireLogoutResponseSigned" value="false" />
<property name="idpDiscoveryEnabled" value="false" />
</bean>
</entry>
</map>
</constructor-arg>
</bean>
</list>
</constructor-arg>
<property name="defaultExtendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true" />
<property name="alias" value="${MC_ALIAS_1}" />
<property name="securityProfile" value="metaiop" />
<property name="requireArtifactResolveSigned" value="false" />
<property name="requireLogoutRequestSigned" value="false" />
<property name="requireLogoutResponseSigned" value="false" />
<property name="idpDiscoveryEnabled" value="false" />
</bean>
</property>
<property name="hostedSPName" value="${MC_ALIAS_1}" />
</bean>
classpath:${MC_METADATA}
The incoming SAML contains an X509Certificate, which I have copied into my metadata file and signed. I also tried adding "metadataTrustCheck" as false, but I still get the same error. Communication is over HTTPS, and my test server (which receives the SAML) uses a self-signed certificate.
Any ideas on what might be missing/wrong?

Usually, adding the certificate to the IDP's metadata makes it trusted by Spring SAML, so your approach is correct. One of the following could be causing the problem you are facing:
- The ${MC_ALIAS_1} metadata is probably your IDP metadata, but you are currently importing it as if it were SP metadata. Are you using the metadata generator, or is this really your pre-configured SP metadata?
- You have imported the certificate found in the IDP's messages into the SP metadata, but it needs to be imported into the IDP metadata in order to be trusted.
Posting the SAML message you received and the complete configuration xml, rather than just a fragment, would make troubleshooting much easier.

@avijendr and others looking at this question: the problem was a wrong certificate in the Spring IDP metadata file.

@avijendr were you able to solve the problem? I have verified that the certificate in the metadata file is correct.
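The log in the question tells the story in two halves: the certificate carried in the message's own ds:KeyInfo verifies the signature ("Signature validated with key from supplied credential"), but ExplicitKeyTrustEvaluator refuses to trust that certificate because it is not among the keys loaded from the IDP metadata; the engine then falls back to the metadata's trusted keys, and those fail to verify the signature. Both facts together mean the certificate in the IDP entry of the metadata is not the one the IDP is signing with. The script below is an added diagnostic, not code from the original post or from Spring SAML: it extracts the certificate from a Response's KeyInfo, compares it with the signing KeyDescriptors of IdP metadata (the check the "metaiop" profile performs), and shows the fix from the answer, adding the certificate to the IdP metadata rather than the SP's. The metadata, the Response and the two "certificates" are constructed placeholders (base64 of arbitrary bytes standing in for DER), and the entity IDs and URLs are assumptions. One caveat: OpenSAML's evaluator compares public keys, so a re-issued certificate for the same key would still be trusted; this script compares whole certificate bytes, which is stricter.

```python
"""Added diagnostic (not from the original post): compares the certificate carried in a
SAML Response's ds:KeyInfo with the signing certificates declared in the IdP metadata,
the comparison ExplicitKeyTrustEvaluator makes under securityProfile="metaiop"."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}


def q(prefix, local):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed placeholders: base64 of arbitrary bytes standing in for DER certificates.
CERT_STALE = base64.b64encode(b"constructed: certificate that used to sign IdP messages").decode()
CERT_CURRENT = base64.b64encode(b"constructed: certificate the IdP signs with today").decode()

# Constructed IdP metadata (assumed entityID/URLs) whose only signing KeyDescriptor
# still carries the stale certificate, the situation the question's log shows.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_STALE}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP-initiated Response: the signature's KeyInfo carries the current certificate.
SAML_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0" Destination="https://sp.example.test/saml/SSO">
  <ds:Signature>
    <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_CURRENT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml2p:Response>"""


def fingerprint(b64_text):
    """SHA-256 over the decoded bytes, so line wrapping and indentation in the XML do not matter."""
    body = "".join(line.strip() for line in b64_text.splitlines()
                   if not line.strip().startswith("-----"))  # tolerate pasted PEM armor
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def trusted_signing_fingerprints(metadata_xml):
    """Certificates the SP will trust for IdP signatures: KeyDescriptor use="signing" or no use."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iter(q("md", "KeyDescriptor")):
        if kd.get("use") in (None, "signing"):
            fps.update(fingerprint(c.text) for c in kd.iter(q("ds", "X509Certificate")))
    return fps


def keyinfo_fingerprints(saml_xml):
    """Certificates the message itself carries in ds:Signature/ds:KeyInfo."""
    keyinfo = ET.fromstring(saml_xml).find("ds:Signature/ds:KeyInfo", NS)
    if keyinfo is None:
        return set()
    return {fingerprint(c.text) for c in keyinfo.iter(q("ds", "X509Certificate"))}


def check_trust(metadata_xml, saml_xml):
    """Mirror the trust step in the log: the KeyInfo credential must match a trusted key."""
    trusted = trusted_signing_fingerprints(metadata_xml)
    embedded = keyinfo_fingerprints(saml_xml)
    return {"trusted": sorted(trusted), "embedded": sorted(embedded),
            "ok": bool(trusted & embedded)}


def add_signing_certificate(metadata_xml, b64cert):
    """The fix from the answer: put the certificate into the IdP metadata, not the SP's."""
    ET.register_namespace("md", NS["md"])
    ET.register_namespace("ds", NS["ds"])
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    kd = ET.Element(q("md", "KeyDescriptor"), use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, q("ds", "KeyInfo")), q("ds", "X509Data"))
    ET.SubElement(x509, q("ds", "X509Certificate")).text = b64cert
    idp.insert(0, kd)  # schema order: KeyDescriptor precedes the service endpoints
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = check_trust(IDP_METADATA, SAML_RESPONSE)
    print("as shipped:", "trusted" if before["ok"] else "NOT trusted", before)
    after = check_trust(add_signing_certificate(IDP_METADATA, CERT_CURRENT), SAML_RESPONSE)
    print("after fix :", "trusted" if after["ok"] else "NOT trusted", after)
```

Run it against the real files by replacing the two constructed strings with the contents of the IDP metadata file referenced by ${MC_METADATA} and a Response captured from the browser's POST (base64-decoded SAMLResponse form field). A mismatch reproduces the log's "Failed to validate untrusted credential against trusted key"; an empty trusted set means the certificate landed in the wrong descriptor (SPSSODescriptor, or a KeyDescriptor with use="encryption"). Note that ExtendedMetadataDelegate's metadataTrustCheck only governs verification of the metadata document's own signature; it has no bearing on whether a message's signing key is trusted, which is why setting it to false changed nothing in the question.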