Spring Security SAML with PingIdentity/PingFederation
When I integrate the Spring Security SAML sample application with PingIdentity, it does not work for me. After the redirect to the IdP, a successful login at Ping, a good SAML assertion and the redirect back to the Spring Security SAML sample application, I get an endless loop in the Spring Security stack with an access denied error, plus an org.sourceid error in Ping. The error in the Ping log (just before the good SAML assertion is created) is:
org.sourceid.saml20.profiles.StatusResponseException: Unknown AssertionConsumerServiceURL https://xxxwm07.integration.company.at:9031/sp/ACS.saml2
The access denied error in Spring is:
2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 DEBUG HttpSessionStorage:93 – Storing message a2iiedhi69h081391e3biag591i7a2f to session FVAX79n-FXIXNIAPURLE2V
2017-09-18 09:48:00 DEBUG HttpSessionStorage:93 – Storing message a2iiedhi69h081391e3biag591i7a2f to session FVAX79n-fxixNnIApUrrLe2V
2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 INFO SAMLDefaultLogger:127 – AuthNRequest;SUCCESS;10.69.208.181;app1;pingidentity;;;
2017-09-18 09:48:00 INFO SAMLDefaultLogger:127 – AuthNRequest;SUCCESS;10.69.208.18;app1;pingidentity;;;
2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 DEBUG SecurityContextPersistenceFilter:97 – SecurityContextHolder now cleared, as request processing completed
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/favicon.ico'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/images/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/css/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/logout.jsp'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/web/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionSecurityContextRepository:139 – HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionSecurityContextRepository:85 – No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2f3ea906. A new one will be created.
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'FilterChainProxy'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/login/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/logout/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/metadata/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/SSO/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/SSOHoK/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/SingleLogout/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : '/index.jsp'; against '/saml/discovery/**'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:180 – /index.jsp has no matching filters
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:309 – pathInfo: both null (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:309 – queryString: both null (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – requestURI: arg1=/app1/; arg2=/app1/ (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – serverPort: arg1=8443; arg2=8443 (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – requestURL: arg1=https://xxxwm07.integration.company.at:8443/app1/; arg2=https://xxxwm07.integration.company.at:8443/app1/ (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – scheme: arg1=https; arg2=https (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – serverName: arg1=xxxwm07.integration.company.at; arg2=xxxwm07.integration.company.at (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – contextPath: arg1=/app1; arg2=/app1 (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – servletPath: arg1=/index.jsp; arg
<bean id="metadata"
      class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- IDP Metadata configuration -->
            <bean
                class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean
                        class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer" />
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/idp.xml" />
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean
                        class="org.springframework.security.saml.metadata.ExtendedMetadata" />
                </constructor-arg>
                <!-- false: a signature on idp.xml is neither required nor verified -->
                <property name="metadataTrustCheck" value="false" />
            </bean>
            <!-- SP Metadata configuration -->
            <bean
                class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean
                        class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer" />
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/sp.xml" />
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean
                        class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <!-- local=true marks this entity as the SP hosted by this application -->
                        <property name="local" value="true" />
                        <property name="securityProfile" value="pkix" />
                        <property name="sslSecurityProfile" value="pkix" />
                        <property name="sslHostnameVerification" value="default" />
                        <property name="signMetadata" value="false" />
                        <property name="signingKey" value="ping" />
                        <property name="encryptionKey" value="mykey" />
                        <property name="tlsKey" value="ping" />
                        <property name="requireArtifactResolveSigned" value="false" />
                        <property name="requireLogoutRequestSigned" value="false" />
                        <property name="requireLogoutResponseSigned" value="false" />
                        <property name="idpDiscoveryEnabled" value="false" />
                        <property name="idpDiscoveryURL" value="http://www.google.com" />
                        <property name="idpDiscoveryResponseURL" value="http://www.google.com" />
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
    <!-- OPTIONAL used when one of the metadata files contains information
         about this service provider -->
    <!-- <property name="hostedSPName" value=""/> -->
    <!-- OPTIONAL property: can tell the system which IDP should be used for
         authenticating user by default. -->
    <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> -->
</bean>
<md:EntityDescriptor ID="jWQF6vBDwO-0.YYnI3YL91qXp-O"
cacheDuration="PT1440M" entityID="pingidentity" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
WantAuthnRequestsSigned="false">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDQD...q9kMuY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIID...q9kMuY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService index="0"
Location="https://xxxwm07.integration.company.at:9031/idp/ARS.ssaml2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://xxxwm07.integration.company.at:9031/idp/SLO.saml2" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxwm07.integration.company.at:9031/idp/SLO.saml2" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://xxxwm07.integration.company.at:9031/idp/SLO.saml2" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://xxxwm07.integration.company.at:9031/idp/SLO.ssaml2" />
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxwm07.integration.company.at:9031/idp/SSO.saml2" />
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://xxxwm07.integration.company.at:9031/idp/SSO.saml2" />
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://xxxwm07.integration.company.at:9031/idp/SSO.saml2" />
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://xxxwm07.integration.company.at:9031/idp/SSO.saml2" />
<saml:Attribute Name="subject"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" />
</md:IDPSSODescriptor>
<md:AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:AttributeService
Location="https://xxxwm07.integration.company.at:9031/idp/attrsvc.ssaml2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" />
</md:AttributeAuthorityDescriptor>
<md:ContactPerson contactType="administrative" />
</md:EntityDescriptor>
<md:EntityDescriptor ID="U.NC.JbPpTmbfH8OQy8l9EhyRBl"
cacheDuration="PT1440M" entityID="app1" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIID....kMuY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIID....uY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService index="0"
Location="https://xxxwm07.integration.company.at:9031/sp/ARS.ssaml2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://xxxwm07.integration.company.at:9031/sp/SLO.saml2" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxwm07.integration.company.at:9031/sp/SLO.saml2" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://xxxwm07.integration.company.at:9031/sp/SLO.saml2" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://xxxwm07.integration.company.at:9031/sp/SLO.ssaml2" />
<md:AssertionConsumerService index="0"
Location="https://xxxwm07.integration.company.at:9031/sp/ACS.saml2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" />
<md:AssertionConsumerService index="1"
Location="https://xxxwm07.integration.company.at:9031/sp/ACS.saml2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" />
<md:AssertionConsumerService index="2"
Location="https://xxxwm07.integration.company.at:9031/sp/ACS.saml2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" />
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="en">AttributeContract
</md:ServiceName>
<md:RequestedAttribute Name="subject" />
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:ContactPerson contactType="administrative" />
</md:EntityDescriptor>
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="app1" entityID="app1">
<md:SPSSODescriptor AuthnRequestsSigned="true"
WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDQDCCAiigAwIBAg...wq9kMuY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDQDCCAiigAwIBAgIGAVzUOBXsMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNVBAYTAkFUMSgwJgYD
VQQKEx9ldzd1aXB3bTA3LmludGVncmF0...q9kMuY=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://host1:8443/app1/saml/SingleLogout" />
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://host1:8443/app1/saml/SingleLogout" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
</md:NameIDFormat>
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://host1:8443/app1/saml/SSO"
index="0" isDefault="true" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
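PingFederate raises "Unknown AssertionConsumerServiceURL" when an AuthnRequest names an AssertionConsumerServiceURL that is not configured on the SP connection it resolved for that entityID. The metadata in the question shows two different pictures of entityID app1: the PingFederate export lists its own https://xxxwm07.integration.company.at:9031/sp/ACS.saml2 endpoints, while the Spring application's sp.xml lists https://host1:8443/app1/saml/SSO. The script below is an added example, not code from the question, from Spring Security SAML or from PingFederate. It cross-checks constructed, abbreviated copies of the three metadata documents (certificates dropped, hostnames as on the page) and reports every ACS the SP can ask for that the IdP has not registered, any registered ACS that points at the IdP's own host, and an SP that advertises WantAssertionsSigned="false"; all function and constant names are the example's own.

```python
"""Cross-check a SAML 2.0 SP/IdP pairing from its metadata documents.

Added example: not code from the question, from Spring Security SAML or from
PingFederate. SP_SELF, SP_AT_IDP and IDP are constructed, abbreviated versions
of the metadata shown on this page; all names here are this example's own.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed: what the Spring SAML application publishes about itself (sp.xml).
SP_SELF = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="app1">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://host1:8443/app1/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the SP connection for entityID app1 as exported from the IdP.
SP_AT_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="app1">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xxxwm07.integration.company.at:9031/sp/ACS.saml2" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://xxxwm07.integration.company.at:9031/sp/ACS.saml2" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the IdP's own metadata (idp.xml loaded by the Spring application).
IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="pingidentity">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xxxwm07.integration.company.at:9031/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://xxxwm07.integration.company.at:9031/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse(xml_text):
    """Parse one EntityDescriptor document into its root element."""
    return ET.fromstring(xml_text)


def acs_endpoints(root):
    """All (binding, location) pairs the SPSSODescriptor advertises as ACS."""
    return {(e.get("Binding"), e.get("Location"))
            for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)}


def default_acs(root):
    """ACS used when the AuthnRequest names none: isDefault="true", else lowest index."""
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs:
        return None
    chosen = next((e for e in acs if e.get("isDefault", "false").lower() == "true"),
                  min(acs, key=lambda e: int(e.get("index", "0"))))
    return chosen.get("Binding"), chosen.get("Location")


def sso_endpoint(idp_root, binding):
    """Location of the IdP's SingleSignOnService for one binding, or None."""
    for e in idp_root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if e.get("Binding") == binding:
            return e.get("Location")
    return None


def wants_assertions_signed(sp_root):
    """True only if the SP explicitly advertises WantAssertionsSigned="true"."""
    d = sp_root.find("md:SPSSODescriptor", NS)
    return d is not None and d.get("WantAssertionsSigned", "false").lower() == "true"


def check_pairing(sp_self_xml, sp_at_idp_xml, idp_xml):
    """Return human-readable findings; an empty list means the three documents agree."""
    sp_self, sp_idp, idp = parse(sp_self_xml), parse(sp_at_idp_xml), parse(idp_xml)
    findings = []
    if sp_self.get("entityID") != sp_idp.get("entityID"):
        findings.append(f"entityID mismatch: SP says {sp_self.get('entityID')!r}, "
                        f"IdP registered {sp_idp.get('entityID')!r}")
    # Every ACS the SP may name in an AuthnRequest must be known to the IdP.
    registered = acs_endpoints(sp_idp)
    for binding, location in sorted(acs_endpoints(sp_self)):
        if (binding, location) not in registered:
            findings.append(f"ACS not registered at IdP: {location} [{binding.rsplit(':', 1)[-1]}]")
    # Heuristic: a registered ACS on the IdP's own host is the IdP product's SP role, not this app.
    idp_hosts = {urlparse(e.get("Location")).netloc
                 for e in idp.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    for binding, location in sorted(registered):
        if urlparse(location).netloc in idp_hosts:
            findings.append(f"ACS registered at IdP points at the IdP host itself: {location}")
    if not wants_assertions_signed(sp_self):
        findings.append("SP advertises WantAssertionsSigned=false; require signed assertions "
                        "before this goes to production")
    return findings


if __name__ == "__main__":
    for finding in check_pairing(SP_SELF, SP_AT_IDP, IDP):
        print("-", finding)
```

Run as a script it prints the findings for the constructed documents; to use it against a real deployment, replace SP_SELF with the sp.xml the application serves, SP_AT_IDP with the SP connection export from PingFederate, and IDP with idp.xml. The check covers only what the PingFederate error concerns (entityID and ACS endpoints) plus the one signing flag; attribute contracts and certificates are deliberately out of scope.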