Spring security Spring SAML与WSO2 Identity server集成，SAML消息ID未重新确认_Spring Security_Wso2_Wso2is_Spring Saml

Spring security Spring SAML与WSO2 Identity server集成，SAML消息ID未重新确认

spring-security wso2

Spring security Spring SAML与WSO2 Identity server集成，SAML消息ID未重新确认,spring-security,wso2,wso2is,spring-saml,Spring Security,Wso2,Wso2is,Spring Saml,我以Spring SAML为例（参见第4.2节），它与开源登录页面SSO一起工作，并尝试添加支持，以将WSO2 Identity Server用作额外的IDP服务。为此，我更改了spring SAML示例项目，为IS添加了元数据xml文件，并将IS元数据的条目添加到securityContext.xml中在运行spring应用程序时，我现在看到了一个使用IS登录的选项，当我重定向到WSO2时，我可以成功登录到它。但是，spring应用程序在IS SAML响应上抛出一个异常，该异常与InRes

我以Spring SAML为例（参见第4.2节），它与开源登录页面SSO一起工作，并尝试添加支持，以将WSO2 Identity Server用作额外的IDP服务。为此，我更改了spring SAML示例项目，为IS添加了元数据xml文件，并将IS元数据的条目添加到securityContext.xml中

在运行spring应用程序时，我现在看到了一个使用IS登录的选项，当我重定向到WSO2时，我可以成功登录到它。但是，spring应用程序在IS SAML响应上抛出一个异常，该异常与InResponseToField不匹配

2015-01-05 09:54:12,845 line="org.springframework.security.saml.log.SAMLDefaultLogger.log(SAMLDefaultLogger.java:127)" thread="http-nio-8080-exec-4" class="org.springframework.security.saml.log.SAMLDefaultLogger" AuthNResponse;FAILURE;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;localhost;;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message ae2dab0fb8b0g8e49971b91a73e91i

在调试应用程序时，响应消息似乎未被识别为与请求消息属于同一会话。我说，从这两条日志消息中，第一条是在发送AuthRequest时记录的，第二条是在收到响应时记录的：

2015-01-05 09:53:20,867 line="org.springframework.security.saml.storage.HttpSessionStorage.storeMessage(HttpSessionStorage.java:93)" thread="http-nio-8080-exec-1" class="org.springframework.security.saml.storage.HttpSessionStorage" Storing message ae2dab0fb8b0g8e49971b91a73e91i to session 26D3B7D9E33F26A7A5092BF6909B9D13
...
2015-01-05 09:54:10,731 line="org.springframework.security.saml.storage.HttpSessionStorage.retrieveMessage(HttpSessionStorage.java:117)" thread="http-nio-8080-exec-4" class="org.springframework.security.saml.storage.HttpSessionStorage" Message ae2dab0fb8b0g8e49971b91a73e91i not found in session BBF256F284F55D774E6997600E9B3388

IS SAML的响应是：

<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/saml/SSO" ID="adlbklpnldoanfphalcaahhacooinnldcejjjioe" InResponseTo="ae2dab0fb8b0g8e49971b91a73e91i" IssueInstant="2015-01-05T09:53:38.063Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ebhfkdhlgbhclcklefjigfddoikklhjlanlbolel" IssueInstant="2015-01-05T09:53:38.065Z" Version="2.0">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">smit005</saml2:NameID>
     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ae2dab0fb8b0g8e49971b91a73e91i" NotOnOrAfter="2015-01-05T09:58:38.063Z" Recipient="http://localhost:8080/saml/SSO"/>
     </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2015-01-05T09:53:38.065Z" NotOnOrAfter="2015-01-05T09:58:38.063Z">
     <saml2:AudienceRestriction>
        <saml2:Audience>com:vdenotaris:spring:sp</saml2:Audience>
     </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2015-01-05T09:53:38.068Z" SessionIndex="406d4530-6fcf-4edf-b876-a68de4b4ea79">
     <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
     </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement/>
   </saml2:Assertion>
</saml2p:Response>


本地服务器
本地服务器
smit005
com:vdenotaris:spring:sp
urn:oasis:name:tc:SAML:2.0:ac:classes:Password

作为参考，我附加了我为WSO2 IS添加的元数据xml文件（我必须给它一个entityID“localhost”，因为WSO2坚持要返回这个文件（它默认使用主机名））


MIICCCAZ6GAWIBAGIES343GJANBGKQHKIG9W0BaqufadBVMQSWCQYDVQGEWJVuzelmakga1UE
CAWCQ0ExfjaubgNvBacMDU1VDW50YWluiFzPZxxDtalBGNvBaoMBFDTziXejaqBGNvBamCwxV
Y2FSAG9ZDAEFW0xMDAYMTKWNZAYMJZAFW0ZNTAYMTMWnZAYMJZAMFUXCZAJBGNVBAYTALVTMQSW
CQYDVQQIDAJDQTEWMBQGA1EBWWNTW91BNRHAW4GVMLLDZENMASGA1ECGWEV1NPMJESBAGA1UE
AWWJBG9JYWXOB3N0MIGFMA0GCSQGSIB3DQEBAQA4GNADCBIQKBGQCUP/oV1vWc8/TkQSiAvTou
SMZOM4ASB2ILTR2QKOZNI5AVFU818MPOLZWLLJVVAA5RAADPBECB+48FjbBe0hseUdN5
HpwvnH/DW8ZCGVK53I6或Q7HLCV1ZHTUOCKGHZ/ATrhyPq+QKTMFXNRS4RKGJTZXACCU7OQID
AQABOXIWEDAOBGNVHQ8BAF8EBAMCBPAWDQYJKOZHIHVCNAQEFBQADGYEAW5WPR7Cr1LADQ+IrR44i
QlRG5ITCZXY9hI0PygLP2rHANh+PYFTMXBUONYKNGYHM6FJFLBW2UZHQTY1JMRPPRJORMYK5SJR
O4d1DeGHT/YNIJS9JOGRKV4XHECKWLTIVDABIDWHETVZJYMSKCYYSFCVUHPQK8QC/E/Wq8uHSCo=
urn:oasis:names:tc:SAML:2.0:nameid格式：持久
urn:oasis:names:tc:SAML:2.0:nameid格式：transient
urn:oasis:names:tc:SAML:1.1:nameid格式：emailAddress
urn:oasis:names:tc:SAML:1.1:nameid格式：未指定

根据请求，我已在上保存了浏览器HTTP消息的日志。

Spring SAML和您的IDP WSO2服务器都部署在同一个域-localhost上。情况就是这样：

Spring SAML创建一个HTTP会话（JSESSIONID-
```
82F3ECD1A1E4F9B7DB0134F3129267A5
```
）并初始化单点登录
WSO2接受请求并对用户进行身份验证，但创建自己的会话（JSESSIONID-
```
C34B21931C53080487B5B9BA6EB490D2
```
）并将用户重定向回Spring SAML
运行Spring SAML的容器接收带有JSSessionID的cookie（
```
C34B21931C53080487B5B9BA6EB490D2
```
），但由于它不识别这样的会话，所以它创建了一个新会话（
```
E712A8422009613F6FD3901327690726
```
）
Spring SAML尝试根据原始请求验证收到的SAML消息，但由于原始会话现在已消失，因此找不到该消息

解决此问题的最简单方法是更改Spring SAML或WSO2的会话cookie名称。您还可以在不同的域上部署应用程序（例如，在主机文件-

/etc/hosts

或

%systemroot%\system32\drivers\etc\hosts

中为您的本地主机提供一个别名）

您可以在单点登录过程中包含通过浏览器的HTTP消息转储吗，我添加了一个指向浏览器消息日志的链接。这确实是问题所在，最后我将wso2设置为在VM中运行。这比让它使用另一个域更容易。@vladimír-schäfer，我们如何设法更改Spring SAML的会话cookie名称？作为Spring安全性的一部分-请参见此处

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="localhost"
                     validUntil="2023-09-23T06:57:15.396Z">
   <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" >
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
                    CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
                    Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw
                    CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE
                    AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou
                    sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
                    HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
                    AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
                    QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
                    O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
   </md:IDPSSODescriptor>
</md:EntityDescriptor>