Spring Security: integrating Spring SAML as SP with SimpleSAMLphp as IdP (HoK profile)
I am trying to implement the HoK profile with Spring SAML as the SP and SimpleSAMLphp as the IdP. The SP obtains the client certificate and then sends the following authentication request to the IdP without any problem:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
AssertionConsumerServiceURL="https://sp.com/saml/HoKSSO"
Destination="https://localhost:8443/simplesaml/saml2/idp/SSOService.php"
ForceAuthn="false" ID="a5ba2704fgc63887442i9i1298904fh"
IsPassive="false" IssueInstant="2015-10-04T11:26:47.393Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.com/saml/metadata</saml2:Issuer>
</saml2p:AuthnRequest>
The Spring SAML debug log is as follows:
8532 [http-nio-443-exec-9] DEBUG - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
8532 [http-nio-443-exec-9] DEBUG - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
8532 [http-nio-443-exec-9] DEBUG - HTTP request was not signed via simple signature mechanism, skipping
8532 [http-nio-443-exec-9] INFO - SAML protocol message was not signed, skipping XML signature processing
8532 [http-nio-443-exec-9] DEBUG - Successfully decoded message.
8532 [http-nio-443-exec-9] DEBUG - Checking SAML message intended destination endpoint against receiver endpoint
8533 [http-nio-443-exec-9] DEBUG - Intended message destination endpoint: https://cmks.irannid.ir/saml/HoKSSO
8533 [http-nio-443-exec-9] DEBUG - Actual message receiver endpoint: https://cmks.irannid.ir/saml/HoKSSO
8533 [http-nio-443-exec-9] DEBUG - SAML message intended destination endpoint matched recipient endpoint
8533 [http-nio-443-exec-9] DEBUG - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@38620660 for request URL https://cmks.irannid.ir/saml/HoKSSO based on location attribute in metadata
8534 [http-nio-443-exec-9] DEBUG - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
8534 [http-nio-443-exec-9] DEBUG - Verifying issuer of the Response
8535 [http-nio-443-exec-9] DEBUG - Processing Holder-of-Key subject confirmation
8535 [http-nio-443-exec-9] DEBUG - HoK SubjectConfirmation invalidated by confirmation data not being of KeyInformationDataType type
8535 [http-nio-443-exec-9] DEBUG - Validation of authentication statement in assertion failed, skipping
The error is: HoK SubjectConfirmation invalidated by confirmation data not being of KeyInformationDataType type. Spring SAML apparently cannot find the KeyInfo in the response.
Can anyone help me with this problem?
Thanks all.
Edit:
Comparing with a sample HoK SSO response shows that SimpleSAMLphp does not add xsi:type="saml:KeyInfoConfirmationDataType" to the SubjectConfirmationData tag. Could this be the cause of the exception above?
Is it a required attribute of the SubjectConfirmationData tag in the SAML 2.0 HoK profile?

Finally I found the solution: SimpleSAMLphp does not add xsi:type="saml:KeyInfoConfirmationDataType" to the "SubjectConfirmationData" tag because the standard does not mandate it:
329 3.1 Holder of Key
330 URI: urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
331 One or more <ds:KeyInfo> elements MUST be present within the <SubjectConfirmationData>
332 element. An xsi:type attribute MAY be present in the <SubjectConfirmationData> element and, if
333 present, MUST be set to saml:KeyInfoConfirmationDataType (the namespace prefix is arbitrary but
334 must reference the SAML assertion namespace).
I changed the SimpleSAMLphp code and added the missing attribute manually. (I am still not sure I added it in the right place, but it works now!)
But the new question is: who has to fix this, Spring SAML or SimpleSAMLphp?
With this change, Spring SAML detects that the SubjectConfirmationData tag contains one or more <ds:KeyInfo> elements, then finds the client certificate embedded in the response and tries to compare it with the certificate received during TLS client authentication.
Although the two certificates are identical, Spring SAML says they do not match, because one of them has line breaks and the other does not.
My only remaining question is:
Which approach is compliant with the standard: adding line breaks to the base64-encoded certificate, removing them, or even comparing with the line breaks included?

Hi, I am running into exactly this problem and also get an exception. Could you add the change (code) you made to SimpleSAMLphp here? I do not know how to add the missing attribute manually?!
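As an added illustration (not the asker's code and not Spring SAML's or SimpleSAMLphp's own implementation), here is a Python check that does what the SP side of the Holder-of-Key profile has to do: validate the SubjectConfirmationData shape quoted from Profiles section 3.1 above (xsi:type optional but, if present, KeyInfoConfirmationDataType; at least one ds:KeyInfo required) and compare the embedded certificate with the TLS client certificate as decoded DER bytes, so base64 line wrapping in either copy cannot cause the false mismatch described in the answer. The assertion and the certificate bytes are constructed for the example; the element names and namespaces are the standard SAML 2.0 and XML-Signature ones.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
XSI_TYPE = "{%s}type" % NS["xsi"]

def normalize_b64(text):
    """Drop all whitespace (PEM-style line wrapping) and decode to DER bytes."""
    return base64.b64decode("".join(text.split()), validate=True)

def hok_certificates(assertion_xml):
    """HoK certs (DER) from the assertion; ValueError on a Profiles 3.1 violation."""
    certs = []
    subject = ET.fromstring(assertion_xml).find("saml:Subject", NS)
    for sc in subject.iterfind("saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            raise ValueError("HoK confirmation without SubjectConfirmationData")
        # xsi:type MAY be absent; if present it MUST be KeyInfoConfirmationDataType (prefix check simplified)
        xsi_type = scd.get(XSI_TYPE)
        if xsi_type and xsi_type.rsplit(":", 1)[-1] != "KeyInfoConfirmationDataType":
            raise ValueError("unexpected xsi:type %r" % xsi_type)
        key_infos = scd.findall("ds:KeyInfo", NS)
        if not key_infos:
            raise ValueError("HoK SubjectConfirmationData has no ds:KeyInfo")
        for ki in key_infos:
            for x509 in ki.iterfind("ds:X509Data/ds:X509Certificate", NS):
                certs.append(normalize_b64(x509.text or ""))
    return certs

def confirm_holder_of_key(assertion_xml, tls_client_cert_b64):
    """True if the TLS client cert equals a HoK cert, compared as decoded bytes."""
    return normalize_b64(tls_client_cert_b64) in hok_certificates(assertion_xml)

# Constructed sample: fake (non-X.509) bytes, once wrapped as an IdP emits them
# and once unwrapped as a TLS stack typically reports the peer certificate.
FAKE_CERT_DER = bytes(range(256)) * 2
WRAPPED_B64 = base64.encodebytes(FAKE_CERT_DER).decode()
UNWRAPPED_B64 = base64.b64encode(FAKE_CERT_DER).decode()
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
 xmlns:xsi="{NS['xsi']}" Version="2.0" ID="_constructed"><saml:Subject>
 <saml:SubjectConfirmation Method="{HOK_METHOD}"><saml:SubjectConfirmationData
  xsi:type="saml:KeyInfoConfirmationDataType"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{WRAPPED_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>
 </saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""
```

Both `confirm_holder_of_key(SAMPLE_ASSERTION, WRAPPED_B64)` and the unwrapped variant return True, while an assertion whose SubjectConfirmationData lacks ds:KeyInfo is rejected with ValueError rather than silently skipped.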