WSO2 SSO with signing and signature validation doesn't work

Tags: wso2, single-sign-on, saml-2.0, wso2is, spring-saml

I have successfully configured SSO using WSO2 IS 4.6.0 and the Spring SAML Grails plugin, but when I enable signing and signature validation like this:

I see the following error on the WSO2 console:

WARN {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Signature Validation Failed for the SAML Assertion : Signature is invalid.
DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Signature validation for Authentication Request failed.
I exported the default public key (wso2carbon) from the WSO2 keystore (wso2carbon.jks) and inserted the certificate into the X509Certificate section of both my SP and my IdP metadata.

Here is my IdP metadata:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://localhost:9443/samlsso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>***
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://localhost:9443/samlsso"
                         ResponseLocation="https://localhost:9443/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://localhost:9443/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://localhost:9443/samlsso"/>
</IDPSSODescriptor>
</EntityDescriptor>
And the SP metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="local" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
        <idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8080/spring-security-saml/login/auth/alias/localhost?disco=true"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    ****
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8080/***/saml/logout/SingleLogout/local"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SSO/alias/local" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8080/***/saml/SSO/alias/local" index="1" isDefault="false"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>

My concern is that I am using the wrong certificate in the SP or IdP metadata, or that it should be signed in some way.

What certificate should the IdP use, what certificate should the SP metadata use, and can I check whether they are valid?
How do I obtain it correctly from the public key exported from the WSO2 keystore?
Thanks all!

Update: it works on 5.1.0 even when the certificate in the metadata is incorrect, which looks like a problem. Here is the 5.1.0 configuration:
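An added check for the metadata posted above (example code, not from the question, WSO2 or Spring SAML). It parses both EntityDescriptor documents, pulls every certificate from a `KeyDescriptor use="signing"`, prints SHA-256 fingerprints in the same colon-separated form that `keytool -list -v -keystore wso2carbon.jks -alias wso2carbon` prints, so each metadata file can be compared against the keystore it is supposed to describe, and flags the situation in the question, where the wso2carbon certificate appears in both the SP and the IdP metadata. WSO2 IS verifies a signed AuthnRequest against the certificate alias selected in the service provider's registration, so that alias must hold the SP's own certificate (the one whose private key sits in the Spring SAML keystore), while only the IdP metadata should carry wso2carbon. The certificate bytes below are constructed stand-ins for the `***` in the post, and the entityIDs and endpoints are copied from it.

```python
"""Compare the signing certificates advertised in SAML SP and IdP metadata."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for the "***" certificates in the question. Any bytes
# fingerprint the same way; real metadata carries base64 DER certificates.
WSO2CARBON_CERT_B64 = base64.b64encode(b"constructed: wso2carbon public certificate").decode()
SP_OWN_CERT_B64 = base64.b64encode(b"constructed: Spring SAML SP public certificate").decode()


def idp_metadata(cert_b64: str) -> str:
    """IdP metadata shaped like the posted one: default namespace, cert text wrapped."""
    return f"""<EntityDescriptor entityID="https://localhost:9443/samlsso" xmlns="{MD_NS}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>{cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://localhost:9443/samlsso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_metadata(cert_b64: str) -> str:
    """SP metadata shaped like the posted one: md: prefix, AuthnRequestsSigned="true"."""
    return f"""<md:EntityDescriptor entityID="local" xmlns:md="{MD_NS}">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
        {cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(metadata_xml: str) -> list:
    """DER bytes of every certificate usable for signing.

    A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())  # drop newlines and indentation
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon separated as keytool prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_metadata(sp_xml: str, idp_xml: str) -> list:
    """Return a list of problems; an empty list means the signing certs are consistent."""
    sp = {fingerprint(c) for c in signing_certs(sp_xml)}
    idp = {fingerprint(c) for c in signing_certs(idp_xml)}
    problems = []
    if not sp:
        problems.append("SP metadata advertises no signing certificate")
    if not idp:
        problems.append("IdP metadata advertises no signing certificate")
    for fp in sorted(sp & idp):
        problems.append(
            f"SP and IdP metadata carry the same signing certificate {fp}: the SP "
            "metadata advertises the IdP's certificate instead of the SP's own, and an "
            "AuthnRequest signed with the SP's private key cannot verify against it")
    return problems


if __name__ == "__main__":
    # As posted: the wso2carbon certificate in both documents.
    for p in check_metadata(sp_metadata(WSO2CARBON_CERT_B64), idp_metadata(WSO2CARBON_CERT_B64)):
        print("PROBLEM:", p)
    # Corrected: the SP metadata carries the SP's own certificate.
    print("corrected:", check_metadata(sp_metadata(SP_OWN_CERT_B64), idp_metadata(WSO2CARBON_CERT_B64)))
    print("wso2carbon fingerprint:", fingerprint(base64.b64decode(WSO2CARBON_CERT_B64)))
```

Run it against the real files with `signing_certs(open("idp.xml").read())`; the fingerprint of the IdP entry should equal the SHA256 line keytool prints for the `wso2carbon` alias, and the fingerprint of the SP entry should equal the one for the SP's own alias in the Spring SAML keystore, never the same value.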

You have to import the IdP (server) certificate as a trusted certificate on the SP machine. Your IdP is hosted over https, so import the IdP's trust into your custom certificate location / the JDK cacerts (Java\jdk1.8.0_45\jre\lib\security\cacerts) on the SP box. Then you can try the following command to check whether your IdP descriptor URL is reachable from the SP box, e.g.

wget "YOUR_IDP_DESCRIPTOR_URL";

Why not use the latest released IS 5.1.0? 4.6 is a fairly old version, and most of the issues found there have now been fixed in 5.1.0.

@ChamilaWijayarathna We will upgrade to 5.1.0, but right now we are on 4.6.0. Actually, I tried this on 5.1.0, but it worked even when the certificate in the metadata was incorrect, which looks like a problem.

It is better to start with IS 5.1.0. Can you attach a screenshot of the SP configuration in IS 5.1.0?

@Gayan Screenshot attached.

@TarasKohut Also make sure you have mapped the key and certificate correctly in your application-security.xml file... e.g.