Spring Security: integrating Spring SAML as the SP with SimpleSAMLphp as the IdP (HoK profile)

Tags: spring-security, single-sign-on, spring-saml, simplesamlphp, saml-2.0

I am trying to implement the HoK profile using Spring SAML as the SP and SimpleSAMLphp as the IdP.

The SP obtains the client certificate and then sends the following authentication request to the IdP without any problem:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://sp.com/saml/HoKSSO"
    Destination="https://localhost:8443/simplesaml/saml2/idp/SSOService.php"
    ForceAuthn="false" ID="a5ba2704fgc63887442i9i1298904fh"
    IsPassive="false" IssueInstant="2015-10-04T11:26:47.393Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.com/saml/metadata</saml2:Issuer>
</saml2p:AuthnRequest>
The Spring SAML debug log is as follows:

8532 [http-nio-443-exec-9] DEBUG   - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
8532 [http-nio-443-exec-9] DEBUG   - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
8532 [http-nio-443-exec-9] DEBUG   - HTTP request was not signed via simple signature mechanism, skipping
8532 [http-nio-443-exec-9] INFO    - SAML protocol message was not signed, skipping XML signature processing
8532 [http-nio-443-exec-9] DEBUG   - Successfully decoded message.
8532 [http-nio-443-exec-9] DEBUG   - Checking SAML message intended destination endpoint against receiver endpoint
8533 [http-nio-443-exec-9] DEBUG   - Intended message destination endpoint: https://cmks.irannid.ir/saml/HoKSSO
8533 [http-nio-443-exec-9] DEBUG   - Actual message receiver endpoint: https://cmks.irannid.ir/saml/HoKSSO
8533 [http-nio-443-exec-9] DEBUG   - SAML message intended destination endpoint matched recipient endpoint
8533 [http-nio-443-exec-9] DEBUG   - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@38620660 for request URL https://cmks.irannid.ir/saml/HoKSSO based on location attribute in metadata
8534 [http-nio-443-exec-9] DEBUG   - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
8534 [http-nio-443-exec-9] DEBUG   - Verifying issuer of the Response
8535 [http-nio-443-exec-9] DEBUG   - Processing Holder-of-Key subject confirmation
8535 [http-nio-443-exec-9] DEBUG   - HoK SubjectConfirmation invalidated by confirmation data not being of KeyInformationDataType type
8535 [http-nio-443-exec-9] DEBUG   - Validation of authentication statement in assertion failed, skipping
The error is: "HoK SubjectConfirmation invalidated by confirmation data not being of KeyInformationDataType type". It seems that Spring SAML cannot find the KeyInfo in the response.

Can anyone help me solve this problem?

Thanks all

Edit:

Comparing with a sample HoK SSO response, it looks like SimpleSAMLphp does not add xsi:type="saml:KeyInfoConfirmationDataType" to the SubjectConfirmationData tag. Could this be the cause of the exception above?

Is it a required attribute of the SubjectConfirmationData tag in the SAML 2.0 HoK profile?

Finally I found the solution:

SimpleSAMLphp does not add xsi:type="saml:KeyInfoConfirmationDataType" to the "SubjectConfirmationData" tag because the standard does not mandate it:

329  3.1 Holder of Key
330  URI: urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
331  One or more <ds:KeyInfo> elements MUST be present within the <SubjectConfirmationData>
332  element. An xsi:type attribute MAY be present in the <SubjectConfirmationData> element and, if
333  present, MUST be set to saml:KeyInfoConfirmationDataType (the namespace prefix is arbitrary but
334  must reference the SAML assertion namespace). 
I changed the SimpleSAMLphp code and added the missing attribute manually. (I am still not sure whether I added it in the right place, but it works now!) But the new question is: who has to fix this, Spring SAML or SimpleSAMLphp?

With this change, Spring SAML detects that the SubjectConfirmationData tag contains one or more <ds:KeyInfo> elements, then finds the client certificate embedded in the response and tries to compare it with the certificate received during TLS client authentication.

Although the two certificates are identical, Spring SAML says they do not match, because one of them contains line breaks and the other does not.

My only remaining question is:

Which approach is compliant with the standard: adding line breaks to the base64-encoded certificate, removing them, or even comparing with the line breaks included?
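As an added example (not code from this question, from Spring SAML or from SimpleSAMLphp), the following Python script performs the holder-of-key checks an SP has to make on a SubjectConfirmation, on a constructed assertion fragment: the Method must be urn:oasis:names:tc:SAML:2.0:cm:holder-of-key; xsi:type on SubjectConfirmationData is optional, but if present its local name must be KeyInfoConfirmationDataType and its prefix must resolve to the SAML assertion namespace (which is why the prefix map is collected while parsing); at least one ds:KeyInfo must be present; and the embedded ds:X509Certificate is compared to the TLS client certificate as decoded DER bytes rather than as base64 text. The last point is what the line-break mismatch above comes down to: ds:X509Certificate is XML Schema base64Binary, whose lexical form permits whitespace (including line breaks) inside the encoded value, so two encodings of the same certificate may legitimately differ in line breaks and must be compared after decoding. The certificate bytes, the assertion and the function names are all constructed for this example.

```python
import base64
import hashlib
import io
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
XSI_TYPE_ATTR = "{%s}type" % NS["xsi"]

# Constructed placeholder standing in for the DER of the certificate the client
# presented during the TLS handshake; any bytes serve to demonstrate the comparison.
TLS_CLIENT_CERT_DER = bytes(range(256)) * 3


def b64_wrapped(der, width=64):
    """Base64 with line breaks every 64 chars, the form XML-DSig libraries commonly emit."""
    s = base64.b64encode(der).decode("ascii")
    return "\n".join(s[i:i + width] for i in range(0, len(s), width))


def build_assertion(cert_der, xsi_type="saml:KeyInfoConfirmationDataType"):
    """Constructed HoK assertion fragment (not a real SimpleSAMLphp response).
    xsi_type=None omits the optional attribute, as SimpleSAMLphp does in the question."""
    xsi_attr = f' xsi:type="{xsi_type}"' if xsi_type else ""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    xmlns:xsi="{NS['xsi']}" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData{xsi_attr} Recipient="https://sp.com/saml/HoKSSO">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{b64_wrapped(cert_der)}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_with_prefixes(xml_text):
    """Parse the document and also record prefix -> namespace declarations, which are
    needed to check that the xsi:type prefix really points at the assertion namespace."""
    prefixes, root = {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, prefixes


def decode_cert(text):
    """base64Binary allows whitespace anywhere in the value: strip it, then decode to DER."""
    return base64.b64decode("".join(text.split()), validate=True)


def confirm_holder_of_key(xml_text, tls_cert_der):
    """Return (ok, reason) for the HoK subject confirmation in the assertion."""
    root, prefixes = parse_with_prefixes(xml_text)
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            return False, "no SubjectConfirmationData"
        xsi_type = scd.get(XSI_TYPE_ATTR)
        if xsi_type is not None:  # optional, but constrained when present
            prefix, _, local = xsi_type.rpartition(":")
            if local != "KeyInfoConfirmationDataType" or prefixes.get(prefix) != NS["saml"]:
                return False, f"xsi:type {xsi_type!r} is not saml:KeyInfoConfirmationDataType"
        key_infos = scd.findall("ds:KeyInfo", NS)
        if not key_infos:
            return False, "no ds:KeyInfo inside SubjectConfirmationData"
        for ki in key_infos:
            for cert_el in ki.iterfind(".//ds:X509Certificate", NS):
                if decode_cert(cert_el.text or "") == tls_cert_der:
                    fp = hashlib.sha256(tls_cert_der).hexdigest()
                    return True, "embedded certificate matches TLS client cert sha256:" + fp[:16]
        return False, "no embedded certificate matches the TLS client certificate"
    return False, "no holder-of-key SubjectConfirmation present"


def naive_compare(xml_text, tls_cert_der):
    """The comparison that fails in the question: raw element text (with line breaks)
    against a single-line base64 encoding of the same certificate."""
    root, _ = parse_with_prefixes(xml_text)
    cert_el = root.find(".//ds:X509Certificate", NS)
    return cert_el.text == base64.b64encode(tls_cert_der).decode("ascii")


if __name__ == "__main__":
    good = build_assertion(TLS_CLIENT_CERT_DER)
    print("naive text compare:", naive_compare(good, TLS_CLIENT_CERT_DER))
    print("DER compare       :", confirm_holder_of_key(good, TLS_CLIENT_CERT_DER))
    print("without xsi:type  :", confirm_holder_of_key(build_assertion(TLS_CLIENT_CERT_DER, None), TLS_CLIENT_CERT_DER))
    print("wrong prefix      :", confirm_holder_of_key(build_assertion(TLS_CLIENT_CERT_DER, "ds:KeyInfoConfirmationDataType"), TLS_CLIENT_CERT_DER))
```

Run as a script it shows the naive text comparison failing on the line-wrapped value while the DER comparison succeeds, succeeds again when xsi:type is omitted, and fails when the xsi:type prefix maps to a namespace other than the assertion namespace. The prefix map collected here is document-wide rather than element-scoped, which is sufficient for the usual single-assertion response but not a substitute for a real namespace-aware schema validator.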

Hi, I ran into exactly this problem and I also got an exception. Could you add the change (code) you made to SimpleSAMLphp here? I don't know how to add the missing attribute manually?!