PingFederate single sign-on: "Signature required" error on SP-initiated login


The PingFederate server answers our SP-initiated SSO with a "Signature required" error, even though we are sending a signature value inside the SAML AuthnRequest. Below is the request I send to PingFederate:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://mycompany.com/</saml:Issuer>
  <ds:Signature Id="Signature1">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id-1305fe524135c3980b2446c10dec5f08">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PgekvX9t5tSi2t……..KMSXBPFMlhjcpk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>m0/……………….J5bmNQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MII………………o6jkYDUjhprKdQ+m4=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

I have shortened the signature values and the certificate for readability. PingFederate rejects this request with the following SAML response:

<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
  <samlp:StatusMessage>Signature required</samlp:StatusMessage>
</samlp:Status>

Here are the PingFederate logs:

2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.websso.servlet.ProtocolControllerServlet] [qtp2106609649-286] ---REQUEST (GET)/idp/SSO.saml2 from 123.123.123.3:
---PARAMETERS---
SAMLRequest:
3VZJl6LYEt7nr/BYi1p4U……<shortened request for readability>…….zdsjP10u10KWIGwjw6it3/9v4/+l78B
RelayState:
/myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.BindingFactory] [qtp2106609649-286] GET
with Params: [SAMLRequest, RelayState]
assume binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
from: 123.123.123.3
Referer: https://mycompany.com/saml2/login/?email=user1%40myidp.com&tenantIdentifier=undefined
AuthType: null
Content-Type: null
2017-11-21 13:27:17,225 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Received InMessageContext:
InMessageContext
XML: https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
https://mycompany.com/
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmlenc#sha256"/>
PgekvX9t5tSi2t/………………J5bmNQ==
MIIDpjCC……………………Q+m4=
entityId: https://mycompany.com/ (SP)
virtualServerId: XYZSSO2.0
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
SignatureStatus: NOT_PRESENT
Binding says to sign: true
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [qtp2106609649-286] [cross-reference-message] entityid:null subject:null
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] [qtp2106609649-286] Exception occurred during request processing
org.sourceid.saml20.profiles.StatusResponseException: Signature required
……..
…….
2017-11-21 13:27:17,251 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-286] flush cookies: adding Cookie{PF=hashedValue:pSs3mUSSSSSSSSSSSSSSSXLK4; path=/; maxAge=-1; domain=null}
2017-11-21 13:27:17,252 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Transported Response. OutMessageContext:
OutMessageContext
XML: https://mycompany.com/saml2/acs/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
XYZSSO2.0
http://www.w3.org/2000/09/xmldsig#">
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmlenc#sha256"/>
vRc7z0pcj5wzfn/………….UV3nYqUjgsnwHx9tziUqFwmAI=
Signature required
entityId: https://mycompany.com/ (SP)
virtualServerId: XYZSSO2.0
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
Endpoint: https://mycompany.com/saml2/acs/
SignaturePolicy: BINDING_DEFAULT
2017-11-21 13:27:18,348 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-101] adding lazy cookie Cookie{PF=hashedValue:E0oc11111111111111VkfIwa0I; path=/; maxAge=-1; domain=null} replacing null
2017-11-21 13:27:18,348 tid:E0oc11111111111111VkfIwa0I DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] [qtp2106609649-101] GET: https://idp.com/idp/startSSO.ping

I need help with how to resolve this. Is there any knob or flag that can be set on PingFederate to make this work?

It looks like PingFed is expecting your message via the Redirect binding (you are making a GET request), but you are including the signature inside the request, as you would for the POST binding.

PingFederate expects SigAlg and Signature as URL parameters, alongside SAMLRequest, in the redirect URL. You need to correct the way you generate the SAML authentication request.

The URL should look like this:

{IDP target URL}?SAMLRequest={URL_encoded_SAML_auth_req}&Signature={Signature}&Rel
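The HTTP-Redirect signing flow the answer describes, as an added Ruby example that is not code from the question, the answer or PingFederate (the function names and the sample AuthnRequest are my own): the SP side raw-DEFLATEs and base64-encodes the unsigned AuthnRequest, signs the URL-encoded SAMLRequest, RelayState and SigAlg parameters in that fixed order and appends Signature; the IdP side shows the check that yields "Signature required" when those query parameters are absent, and verifies over the raw query bytes rather than a re-encoding.

```ruby
require "openssl"
require "zlib"
require "uri"

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Byte string signed under the HTTP-Redirect binding: the already URL-encoded
# parameters in this fixed order; the Signature parameter itself is not included.
def signing_input(saml_request_enc, relay_state_enc, sig_alg_enc)
  s = "SAMLRequest=#{saml_request_enc}"
  s += "&RelayState=#{relay_state_enc}" unless relay_state_enc.to_s.empty?
  s + "&SigAlg=#{sig_alg_enc}"
end

# Query value still URL-encoded, exactly as the SP sent it, so the IdP verifies
# the bytes that were signed rather than its own re-encoding of them.
def raw_param(raw_query, name)
  pair = raw_query.split("&").find { |kv| kv.start_with?("#{name}=") }
  pair && pair[(name.length + 1)..-1]
end

# SP side (hypothetical helper): raw DEFLATE + base64 the unsigned (not enveloped)
# AuthnRequest, sign the query string with RSA-SHA256, append Signature last.
def build_redirect_url(idp_sso, authn_request_xml, relay_state, key)
  deflated = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS).deflate(authn_request_xml, Zlib::FINISH)
  enc = URI.encode_www_form_component([deflated].pack("m0"))
  input = signing_input(enc, URI.encode_www_form_component(relay_state.to_s), URI.encode_www_form_component(SIG_ALG))
  sig = key.sign(OpenSSL::Digest.new("SHA256"), input)
  "#{idp_sso}?#{input}&Signature=#{URI.encode_www_form_component([sig].pack('m0'))}"
end

# IdP side (hypothetical helper): a GET with no Signature/SigAlg parameters is
# rejected up front, which is the "Signature required" case; otherwise verify
# the signature over the raw query, then inflate and return the AuthnRequest XML.
def verify_redirect_url(url, pub_key)
  rq = URI.parse(url).query.to_s
  sig_enc, alg_enc = raw_param(rq, "Signature"), raw_param(rq, "SigAlg")
  if sig_enc.nil? || URI.decode_www_form_component(alg_enc.to_s) != SIG_ALG
    raise ArgumentError, "Signature required: SigAlg/Signature query parameters missing or unsupported"
  end
  input = signing_input(raw_param(rq, "SAMLRequest"), raw_param(rq, "RelayState"), alg_enc)
  sig = URI.decode_www_form_component(sig_enc).unpack1("m0")
  unless pub_key.verify(OpenSSL::Digest.new("SHA256"), sig, input)
    raise ArgumentError, "signature invalid"
  end
  deflated = URI.decode_www_form_component(raw_param(rq, "SAMLRequest").to_s).unpack1("m0")
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated).force_encoding(Encoding::UTF_8)
end
```

Note that the AuthnRequest passed to build_redirect_url carries no ds:Signature element; under this binding the enveloped signature from the question is simply not where the IdP looks.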