Vik*_*ara 8 adfs2.0 spring-saml
I am working on integrating the Spring SAML Extension into our application, with SSO against one of our customers' ADFS 2.0 servers as the IdP. We generate the service provider metadata from our application and import the ADFS metadata into our application. When I select the customer's IdP, click Start single sign-on and provide the correct customer credentials, we see the SAML response shown below:
SAML response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://sso.spire2grow.com:8443/<our application>/saml/SSO" ID="_d7fa7cb7-a858-4d4e-aa4c-bf7a5d11e485"
InResponseTo="a2icei36d347di68gi33534cc13fd1" IssueInstant="2014-09-30T14:17:21.819Z" Version="2.0"><Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Clients ADFS trust services URL></Issuer><samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode></samlp:Status></samlp:Response>
But I also see the following exception thrown, because the service provider could not validate the message.
Exception message:
[351545]2014-09-30 19:47:21,714 DEBUG - SAML message intended destination endpoint matched recipient endpoint
[351545]2014-09-30 19:47:21,714 DEBUG - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
[351545]2014-09-30 19:47:21,715 DEBUG - Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
If I am doing anything wrong here, could someone please point it out.
Update:
After seeing the answer provided for this question, I looked at ADFS and saw the following error there.
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
After seeing this, we did change the signature algorithm of the relying party trust to rsa-sha256, but it still shows the same message.
Do we need a real certificate for rsa-sha256? Would a self-signed certificate work?
Vla*_*fer 11
The ADFS exception says that the SAML message was not signed with RSA-SHA256, which it expected, but with RSA-SHA1.
Make sure the signature algorithm of the relying party for Spring SAML in ADFS is set to SHA-1. You can find the details in the last bullet point of http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#chapter-idp-guide-adfs-sp.
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"
See the SAML Core specification. It says:
urn:oasis:names:tc:SAML:2.0:status:Responder: The request could not be performed due to an error on the part of the SAML responder or SAML authority.
That is, the ADFS server could not interpret or answer the request. The IdP should tell you what the problem is.
小智 5
The Spring Security SAML extension does not support SHA-256 by default. You can extend the org.springframework.security.saml.SAMLBootstrap class to provide SHA-256 by overriding the postProcessBeanFactory method:
import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.saml.SAMLBootstrap;
public class Bootstrap extends SAMLBootstrap {
    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        super.postProcessBeanFactory(beanFactory);
        // OpenSAML's global security configuration selects the algorithm URIs written into
        // the signatures Spring SAML produces: use RSA-SHA256 for RSA keys and SHA-256 digests.
        BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration
                .getGlobalSecurityConfiguration();
        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
    }
}
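The two answers above reduce to two checks a practitioner makes by hand: reading the top-level status code the IdP returned (status:Responder means the error is on the ADFS side, so its event log is the place to look), and confirming which signature algorithm the SP actually put on its AuthnRequest, which is the comparison behind the MSIS7093 mismatch that Vla*_*fer's answer and 小智's SAMLBootstrap override both address from opposite ends. The script below is an added example, not code from the question, from Spring SAML or from ADFS. The messages it parses are constructed copies modelled on the question (example.com hostnames, placeholder ID, digest and signature values); it reads algorithm URIs only and verifies no signatures. It also covers the HTTP-Redirect binding, where the algorithm travels in the SigAlg query parameter rather than in the XML, which neither answer mentions.

```python
"""Diagnose the two failures seen above in a Spring SAML <-> ADFS exchange.

Added example; not code from the question, from Spring SAML or from ADFS.
Sample messages are constructed (example.com hosts, placeholder signature and
digest values). Algorithm URIs are read; no signature is verified here.
"""
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Top-level status codes defined in SAML Core 2.0, section 3.2.2.2.
STATUS_MEANING = {
    "urn:oasis:names:tc:SAML:2.0:status:Success":
        "request succeeded",
    "urn:oasis:names:tc:SAML:2.0:status:Requester":
        "error on the part of the requester (the SP): inspect the AuthnRequest",
    "urn:oasis:names:tc:SAML:2.0:status:Responder":
        "error on the part of the responder (the IdP): read the IdP's own event log",
    "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch":
        "responder cannot handle the SAML version used in the request",
}

# Constructed copy of the response from the question, with example.com hosts.
RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://sso.example.com:8443/app/saml/SSO" ID="_d7fa7cb7"
  InResponseTo="a2icei36d347di68gi33534cc13fd1" IssueInstant="2014-09-30T14:17:21.819Z"
  Version="2.0">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.example.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

# Constructed AuthnRequest signed for the HTTP-POST binding; the digest and
# signature values are placeholders, so only the algorithm URIs are meaningful.
AUTHN_REQUEST_XML = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a2icei36d347di68gi33534cc13fd1"
  Version="2.0" IssueInstant="2014-09-30T14:17:20Z"
  AssertionConsumerServiceURL="https://sso.example.com:8443/app/saml/SSO">
  <saml:Issuer>https://sso.example.com:8443/app/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#a2icei36d347di68gi33534cc13fd1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Constructed HTTP-Redirect binding URL: the algorithm is the SigAlg parameter.
REDIRECT_URL = ("https://adfs.example.com/adfs/ls/?SAMLRequest=fZFBa8JA&RelayState=abc"
                "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
                "&Signature=cGxhY2Vob2xkZXI%3D")


def response_status(xml_bytes):
    """Return (top-level StatusCode Value, StatusMessage text or None)."""
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return code.get("Value"), (msg.text if msg is not None else None)


def explain_status(code):
    """Map a top-level status code to where the fault lies."""
    return STATUS_MEANING.get(code, "unknown or second-level status code: " + code)


def post_binding_sig_alg(xml_bytes):
    """Signature algorithm URI from an XML-signed message (HTTP-POST binding)."""
    root = ET.fromstring(xml_bytes)
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else None


def redirect_binding_sig_alg(url):
    """Signature algorithm URI from the SigAlg query parameter (HTTP-Redirect binding)."""
    return parse_qs(urlsplit(url).query).get("SigAlg", [None])[0]


def check_signature_algorithm(actual, expected):
    """The IdP-side rule: the message must carry the algorithm configured on the
    relying party trust. Returns (ok, reason)."""
    if actual is None:
        return False, "message is not signed"
    if actual != expected:
        return False, "signed with %s, expected %s" % (actual, expected)
    return True, "ok"


if __name__ == "__main__":
    code, msg = response_status(RESPONSE_XML)
    print("IdP status:", code, "| message:", msg, "|", explain_status(code))
    for label, alg in (("POST", post_binding_sig_alg(AUTHN_REQUEST_XML)),
                       ("Redirect", redirect_binding_sig_alg(REDIRECT_URL))):
        ok, why = check_signature_algorithm(alg, RSA_SHA256)
        print("%s binding: %s" % (label, "ok" if ok else "MISMATCH, " + why))
```

To use this against a live exchange, paste the AuthnRequest captured from the browser (decoded from the SAMLRequest form field for HTTP-POST, or the full redirect URL for HTTP-Redirect) in place of the constructed samples. Whatever algorithm it reports must equal the one configured on the relying party trust in ADFS: either set the trust to SHA-1 as the accepted answer suggests, or keep the trust at SHA-256 and apply the SAMLBootstrap override so the SP actually emits rsa-sha256. A status:Responder response with no StatusMessage carries no further detail by design, so the ADFS event log is the only place the real cause appears.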
Views: 25933