PHP签名SAML文档_Php_Saml_Simplesamlphp_Xmlseclibs

PHP签名SAML文档

php

PHP签名SAML文档,php,saml,simplesamlphp,xmlseclibs,Php,Saml,Simplesamlphp,Xmlseclibs,我正在做一个项目，基本上已经到了一个我不知道该怎么做才能走得更远的地步尝试与供应商合作，使用SAML设置SSO进程。目前，我们正在手工完成这个过程，因为我们没有像SimpleSAMLPHP那样实现解决方案为了测试这个过程，我们将SimpleSAMLPHP设置为服务提供者。这对我们的测试阶段有很大帮助，但我们目前遇到了以下错误： SimpleSAML_Error_Error: UNHANDLEDEXCEPTION Backtrace: 0 /portal/server/htdocs/saml/

我正在做一个项目，基本上已经到了一个我不知道该怎么做才能走得更远的地步

尝试与供应商合作，使用SAML设置SSO进程。目前，我们正在手工完成这个过程，因为我们没有像SimpleSAMLPHP那样实现解决方案

为了测试这个过程，我们将SimpleSAMLPHP设置为服务提供者。这对我们的测试阶段有很大帮助，但我们目前遇到了以下错误：

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /portal/server/htdocs/saml/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Neither the assertion nor the response was signed.
Backtrace:
3 /portal/server/htdocs/saml/modules/saml/lib/Message.php:554 (sspmod_saml_Message::processAssertion)
2 /portal/server/htdocs/saml/modules/saml/lib/Message.php:518 (sspmod_saml_Message::processResponse)
1 /portal/server/htdocs/saml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /portal/server/htdocs/saml/www/module.php:135 (N/A)

这是我们发送给SP的SAML请求，以查看是否可以进行身份验证

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="efmlkhlddlofoifkbikjkbemicpndhjingeioamb" Version="2.0" IssueInstant="2014-04-14T15:09:50Z" Destination="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm" Version="2.0" IssueInstant="2014-04-14T15:09:50Z">
    <saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>

    <saml:Subject>
        <saml:NameID SPNameQualifier="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">123456789</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2014-04-14T15:19:50Z" Recipient="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-04-14T15:04:50Z" NotOnOrAfter="2014-04-14T15:19:50Z">
        <saml:AudienceRestriction>
            <saml:Audience>https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-04-14T15:09:50Z" SessionNotOnOrAfter="2014-04-14T16:09:50Z" SessionIndex="hkckflaackcdmckckpipgjpdgdlhmiieclpigaij">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="eagleID" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
            <saml:AttributeValue xsi:type="xs:string">123456789</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
            <saml:AttributeValue xsi:type="xs:string">cwsterling@mediumuniversity.edu</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm"><ds:Transforms>    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>    </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>    <ds:DigestValue>p/aLBlix/UI0oNiHgg4t5fgkwJg=</ds:DigestValue></ds:Reference>    </ds:SignedInfo>    <ds:SignatureValue>AsVSwH8mVNHhOak3z2A9j8F/1Q67Yuw472K9BI649EUePdT8QOCW/+BTS+OG+CM++Yn1J7ceT+pwYvOLMr5HFcUcdr8VMZNfPuk2oefs4afK8BpP2ndskPlGhfFx7UlkdXdu41dzWMJeaULo1KfcHtKF0e1ZgObucN3GCNDs97s=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data>    <ds:X509Certificate>MIIC2DCCAkGgAwIBAgIJAMCu9vwLblc3MA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTETMBEGA1UEBwwKU3RhdGVzYm9ybzEkMCIGA1UECgwbR2VvcmdpYSBTb3V0aGVybiBVbml2ZXJzaXR5MSgwJgYDVQQLDB9FbnRlcnByaXNlIEFwcGxpY2F0aW9uIFNlcnZpY2VzMB4XDTE0MDMyNTEyMjg1NVoXDTE0MDQyNDEyMjg1NVowgYQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdHZW9yZ2lhMRMwEQYDVQQHDApTdGF0ZXNib3JvMSQwIgYDVQQKDBtHZW9yZ2lhIFNvdXRoZXJuIFVuaXZlcnNpdHkxKDAmBgNVBAsMH0VudGVycHJpc2UgQXBwbGljYXRpb24gU2VydmljZXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANN71CK2aSfTTd63cEkhG/DlpIOMtkUTLQLRfUFZ1U5RX8TA0NcmVMwJcIKVHllsJiwNZBl2RT/GUb+1PwLUkiUxFNZ6eT1qQ6t8SaPosv40ofnD4AXEGwG5Rzx3BvBSuz+viCc8/yjNY4RqSQ/wS34tMd0Eu9Z+Q6MZsmVmBWefAgMBAAGjUDBOMB0GA1UdDgQWBBS46JUAvJGsu79wMjdba7q3iOQ3xTAfBgNVHSMEGDAWgBS46JUAvJGsu79wMjdba7q3iOQ3xTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL+iVErbdU6lCISWWE7Dr3efaDAhyAxQVU/nLIi8aHvniQCQ6uACQhkQbfZpRdB6cbBDKzzsZD2pqIwY+N/yeomyRhpGqw0Y+q3Wa5tOoyY/AheCfqfRgVSfWkNFLv8Ri4G5Gz+2PJeMuZq4aJ5II/m0OUCn+84OOXDBiPs8+K</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>

我会说，如果我没有这行的最后一部分

$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));

具体来说，数组'force\u uri'=>true，'uri\u context'=>$encHash1服务提供者看到文件并成功地验证了我的请求

关于如何创建要发送的文件，有什么建议吗？我们不想将SimpleSAMLPHP实现为我们的登录，因为这需要更改整个登录过程，我们已经在夏季更改了整个登录过程，以便与CAS集成

编辑以阐明我所做的更改是如何使其工作的

当我告诉它去掉引用URI部分时，它去掉了以下内容：URI=llgkdlfdpoobdkjfkgjcabphgiffgbammdibjm，不再指向已签名文档的特定部分。所以我觉得要么整个文档都已签名，要么签名只是添加到文档中，SimpleSAMLPHP只是忽略了签名

<编辑2：我忘了更新这个，我最终找到了这个代码：这真的帮助了我和我在2次尝试之后能做我想做的事情。

你可以考虑使用库。使用断言生成签名响应的方式如下所示

$response = new Response();
$response->setID(Helper::generateID());
$response->setInResponseTo($request->getID());
$response->setIssueInstant(time());
$response->setDestination($destination);

$assertion = new Assertion();
$response->addAssertion($assertion);

$subject = new Subject();
$assertion->setSubject($subject);    
$assertion->setNameID(NameID($username, NameIDPolicy::PERSISTENT));

$subjectConfirmation = new SubjectConfirmation();
$subject->addSubjectConfirmation($subjectConfirmation);
$subjectConfirmation->setMethod(Protocol::CM_BEARER);
$data = new SubjectConfirmationData();
$subjectConfirmation->setData($data);
$data->setInResponseTo($request->getID());
$data->setNotOnOrAfter(time()+$this->expirationTime);
$data->setRecipient($recipient);

$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time()+$this->expirationTime);
$assertion->setValidAudience(array($request->getIssuer()));

$authnStatement = new AuthnStatement();
$authnStatement->setAuthnContext($this->authnContextClassRef);
$assertion->setAuthnStatement($authnStatement);

$assertion->addAttribute(new Attribute(ClaimTypes::COMMON_NAME, array('username'), 'Common Name'));


$signatureCreator = new SignatureCreator();
$signatureCreator->setXmlSecurityKey($xmlSecKey);
$signatureCreator->setCertificate($certificate);
$response->setSignature($signatureCreator);

$bindingManager = new BindingManager();
$r = $bindingManager->send($response);
$r->render();

你能澄清一下关于改变的评论吗？我在结尾加了一点，如果有帮助请告诉我？如果这有助于编辑代码，我可以生成另一个xml文档

$response = new Response();
$response->setID(Helper::generateID());
$response->setInResponseTo($request->getID());
$response->setIssueInstant(time());
$response->setDestination($destination);

$assertion = new Assertion();
$response->addAssertion($assertion);

$subject = new Subject();
$assertion->setSubject($subject);    
$assertion->setNameID(NameID($username, NameIDPolicy::PERSISTENT));

$subjectConfirmation = new SubjectConfirmation();
$subject->addSubjectConfirmation($subjectConfirmation);
$subjectConfirmation->setMethod(Protocol::CM_BEARER);
$data = new SubjectConfirmationData();
$subjectConfirmation->setData($data);
$data->setInResponseTo($request->getID());
$data->setNotOnOrAfter(time()+$this->expirationTime);
$data->setRecipient($recipient);

$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time()+$this->expirationTime);
$assertion->setValidAudience(array($request->getIssuer()));

$authnStatement = new AuthnStatement();
$authnStatement->setAuthnContext($this->authnContextClassRef);
$assertion->setAuthnStatement($authnStatement);

$assertion->addAttribute(new Attribute(ClaimTypes::COMMON_NAME, array('username'), 'Common Name'));


$signatureCreator = new SignatureCreator();
$signatureCreator->setXmlSecurityKey($xmlSecKey);
$signatureCreator->setCertificate($certificate);
$response->setSignature($signatureCreator);

$bindingManager = new BindingManager();
$r = $bindingManager->send($response);
$r->render();