Meteor SAML消息的签名错误

Meteor SAML消息的签名错误,meteor,adfs2.0,Meteor,Adfs2.0,我有一个meteor应用程序,运行在windows server 2012 r2上,iis 8.5作为我的应用程序的反向代理(在ubuntu和nginx上也尝试过),我正在尝试使用saml通过ADFS 2.0进行身份验证 我不断得到以下错误: Event 303, AD FS 2.0 The Federation Service encountered an error while processing the SAML authentication request. Additional

我有一个meteor应用程序,运行在windows server 2012 r2上,iis 8.5作为我的应用程序的反向代理(在ubuntu和nginx上也尝试过),我正在尝试使用saml通过ADFS 2.0进行身份验证

我不断得到以下错误:

Event 303, AD FS 2.0
The Federation Service encountered an error while processing the SAML authentication request. 

Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer:
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.CreateErrorMessage(CreateErrorMessageRequest
createErrorMessageRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Log Name:
AD FS 2.0/Admin
Source:
AD FS 2.0
Logged:
10/04/2016 09:0S:1
Event ID:
303
Task Category:
None
Level:
Error
Keywords:
AD FS
User:
NETWORK SERVICE
Computer:
我尝试根据以下命令安装kb2896713

不幸的是,到目前为止没有运气

有人知道问题的根源是什么吗?

编辑

这是我使用的开源软件:Rocket.Chat

  • 我建议使用此工具生成证书、密钥
  • 您可以在此处签名验证您的请求
  • 用于编码/解码url的工具
  • 在Firefox上安装SAML tracer以查看SAML请求/响应
  • 用于解码/编码SAML消息的工具
    SAML.prototype.requestToUrl = function (request, operation, callback) {


    }

    您是否有任何代码用于通过这种方式进行身份验证?如果是,请提供一份报告。
    console.log("requestToUrl:");
    request = request.replace(/(\r\n|\n|\r)/gm,"");
    console.log("Logout request:" + request);
    
    var self = this;
    var result;
    zlib.deflateRaw(request, function (err, buffer) {
    if (err) {
        return callback(err);
    }
    
    var base64 = buffer.toString('base64');
    var target = self.options.entryPoint;
    
    if (operation === 'logout') {
        if (self.options.idpSLORedirectURL) {
        target = self.options.idpSLORedirectURL;
        }
    }
    
    if (target.indexOf('?') > 0)
        target += '&';
    else
        target += '?';
    
    var samlRequest = {
        SAMLRequest: base64
    };
    
    var relayState;
    
    // TBD. We should really include a proper RelayState here
    if (operation === 'logout') {
        relayState = self.options.issuer;
    } else {
        relayState = self.options.provider;
    }
    
    // URL Encode the bytes
    var encodedRequest = encodeURIComponent(base64);
    console.log("encodedRequest:"+encodedRequest);
    var encodedRelayState = encodeURIComponent(relayState);
    var finalSignatureValue = "";
    
    var encodedSigAlg = encodeURIComponent("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
    var strSignature = "SAMLRequest=" + encodedRequest.replace(/(\r\n|\n|\r)/gm,"");
    strSignature += "&RelayState=" + encodedRelayState;
    strSignature += "&SigAlg=" + encodedSigAlg;
    
    var signer = crypto.createSign('RSA-SHA1');
    signer.update(strSignature);
    var signature = signer.sign(self.options.privateKey, 'base64');
    console.log("signature:" + signature);
    
    var b = new Buffer(signature);
    var s = b.toString('base64');
    var encodedSignature = encodeURIComponent(signature);
    console.log("encodedSignature:" + encodedSignature);
    
    var finalSignatureValue = "&SigAlg=" + encodedSigAlg + "&Signature=" + encodedSignature;
    
    target += "SAMLRequest=" + encodedRequest.replace(/(\r\n|\n|\r)/gm,"");
    target +="&RelayState=" + encodedRelayState;
    target += finalSignatureValue;
    
    
    if (Meteor.settings.debug) {
        console.log("requestToUrl: " + target);
    }
    if (operation === 'logout') {
        // in case of logout we want to be redirected back to the Meteor app.
        result = target;
        return callback(null, target);
    
    } else {
        callback(null, target);
    }
    });