我使用Spring SAML实现了SSO,一切正常.它与以下IDP一起使用到现在为止:1)idp.ssocircle.com 2)openidp.feide.no
现在我正在使用salesforce.com作为我的身份提供商进行测试.由于没有上传服务提供商元数据的规定,我在其IdP上完成了以下配置设置:
给我的entityID和Assertion Consumer Service URL.我还上传了我的SP证书.我已经下载了它的元数据(idp元数据),如下所示(隐藏敏感信息):
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ABC-dev-ed.my.salesforce.com" validUntil="2024-04-11T13:55:57.307Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>XXXXXXXXX</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ABC-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ABC-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
现在,当我尝试测试我的SP时,首先它将我重定向到IDP(salesforce),询问我输入的凭据,但之后我被重定向回我的Assertion消费者服务URL(这是我的SP)但这里有例外生成了这样说
HTTP状态401 - 此请求需要HTTP身份验证(身份验证失败:传入SAML消息无效).
我尝试了以下但没有工作:( - 虽然没有必要,但我已经从salesforce下载了证书文件并将其导入我的keystore.jks,以确保该密钥用于签名验证.(由于IDP元数据中已存在证书信息,因此不必要).
这是我在日志文件中找到的内容(仅在成功的AuthnRequest之后添加必要的信息):
AuthNRequest;SUCCESS;127.0.0.1
.....STARTED_FAILING_HERE.....
Attempting to extract credential from an X509Data
Found 1 X509Certificates
Found 0 X509CRLs
Single certificate was present, treating as end-entity certificate
Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
A total of 1 credentials were resolved …salesforce spring-security single-sign-on saml-2.0 spring-saml