我使用Spring SAML实现了SSO,一切正常.它与以下IDP一起使用到现在为止:1)idp.ssocircle.com 2)openidp.feide.no
现在我正在使用salesforce.com作为我的身份提供商进行测试.由于没有上传服务提供商元数据的规定,我在其IdP上完成了以下配置设置:
给我的entityID和Assertion Consumer Service URL.我还上传了我的SP证书.我已经下载了它的元数据(idp元数据),如下所示(隐藏敏感信息):
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ABC-dev-ed.my.salesforce.com" validUntil="2024-04-11T13:55:57.307Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>XXXXXXXXX</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ABC-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ABC-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
现在,当我尝试测试我的SP时,首先它将我重定向到IDP(salesforce),询问我输入的凭据,但之后我被重定向回我的Assertion消费者服务URL(这是我的SP)但这里有例外生成了这样说
HTTP状态401 - 此请求需要HTTP身份验证(身份验证失败:传入SAML消息无效).
我尝试了以下但没有工作:( - 虽然没有必要,但我已经从salesforce下载了证书文件并将其导入我的keystore.jks,以确保该密钥用于签名验证.(由于IDP元数据中已存在证书信息,因此不必要).
这是我在日志文件中找到的内容(仅在成功的AuthnRequest之后添加必要的信息):
AuthNRequest;SUCCESS;127.0.0.1
.....STARTED_FAILING_HERE.....
Attempting to extract credential from an X509Data
Found 1 X509Certificates
Found 0 X509CRLs
Single certificate was present, treating as end-entity certificate
Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
A total of 1 credentials were resolved …salesforce spring-security single-sign-on saml-2.0 spring-saml
我在Tomcat 7上使用Spring Security SAML 2.0示例webapp并对其进行了修改以尝试使其针对Ping Identity服务进行身份验证.webapp正在与服务进行通信,它正在发回一个断言,但在尝试验证签名时失败,如下面的调试输出所示:
- Attempting to verify signature and establish trust using KeyInfo-derived credentials
- Signature contained no KeyInfo element, could not resolve verification credentials
- Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
- Attempting to verify signature using trusted credentials
- Failed to verify signature using either KeyInfo-derived or directly trusted credentials
- Validation of received assertion failed, assertion will be skipped
org.opensaml.xml.validation.ValidationException: Signature is not trusted or invalid
我知道它无法验证签名,并且我已获得Ping Identity管理员使用的证书,但我不确定如何将其包含在应用程序中.我已经尝试使用JDK的keytool程序将它添加到示例应用程序附带的JKS(密钥库)中,但它似乎无法在那里找到它.我也尝试将它添加到服务提供商的元数据xml文件中,如下所示:
<md:KeyDescriptor …我正在尝试将Spring Saml库集成到示例Web应用程序中,使用Shibboleth作为IDP.我可以加载登录页面,登录并显示索引页面.
问题是,当我点击其他链接时,webapp会将我重定向到登录页面,然后IDP会识别我并重定向到所请求的页面(如果网络速度很快,则很难看到这一点).这就像我没有登录Spring安全性.
我检查了日志,发现了这个:
org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession为SPRING_SECURITY_CONTEXT org.springframework.security.web.context.HttpSessionSecurityContextRepository返回了null对象 - 没有来自HttpSession的SecurityContext:org.apache.catalina.session.StandardSessionFacade@fde8fb.将创建一个新的.
这是web.xml
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/security/securityContext.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Custom error pages …我试图找出涉及Spring Security和SAML的问题.我们正在尝试使用Spring Security(spring-security-core-3.1.1.RELEASE.jar)和SAML(spring-security-saml2-core-1.0.0-RC1-SNAPSHOT.jar)来修改我们的产品SAML SP.编辑:这是我的安全相关上下文xml的(我认为!)相关部分.如您所见,它与此示例XML几乎完全相同.
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="com.myproduct.samlsp.impl.PSSAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
</property>
</bean>
<!-- Unsecured pages -->
<security:http security="none" pattern="/saml/web/**"/>
<security:http security="none" pattern="/logout.jsp"/>
<security:http security="none" pattern="/favicon.ico"/>
<security:http security="none" pattern="/images/**"/>
<security:http security="none" pattern="/scripts/**"/>
<security:http security="none" pattern="/flash/**"/>
<security:http security="none" pattern="/loggedout.html"/>
<!-- Secured pages -->
<security:http entry-point-ref="samlEntryPoint">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" …我正在尝试按照此处引用的所有步骤执行 Spring Security SAML 示例应用程序:http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#quick-开始步骤。但是,当我尝试测试单点登录时,会打开一个错误页面,并显示消息:“未配置 IDP,请使用至少一个 IDP 更新包含的元数据”。难道我做错了什么 ?感谢您的帮助 !
这是我的堆栈跟踪:
Avertissement: StandardWrapperValve[jsp]: PWC1406: Servlet.service() for servlet jsp threw exception
org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
at org.springframework.security.saml.metadata.MetadataManager.getDefaultIDP(MetadataManager.java:781)
at org.springframework.security.saml.context.SAMLContextProviderImpl.populatePeerEntityId(SAMLContextProviderImpl.java:157)
at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity(SAMLContextProviderImpl.java:127)
at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:146)
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:186)
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:168)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:131)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) …我需要有多个PRE_AUTHSpring Security过滤器.特别是PRE_AUTH除了PRE_AUTH在Spring Security 3.0的SAML扩展中配置的两个过滤器之外,我还需要使用过滤器.现有的SAML配置如下.
<security:http entry-point-ref="samlEntryPoint">
<!-- snip intercepts -->
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlProcessingFilter"/>
<security:custom-filter before="PRE_AUTH_FILTER" ref="samlEntryPoint"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="metadataFilter"/>
<security:custom-filter after="LOGOUT_FILTER" ref="samlLogoutFilter"/>
<security:custom-filter before="LOGOUT_FILTER" ref="samlLogoutProcessingFilter"/>
</security:http>
PRE_AUTH需要在任一现有过滤器之前检查附加过滤器(即:使用此身份验证方法进行身份验证的用户不应有机会使用SAML.
我考虑过以下方式改变它.
<!-- snip -->
<security:custom-filter before="PRE_AUTH_FILTER" ref="newPreAuthFilter"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="samlEntryPoint"/>
<security:custom-filter after="PRE_AUTH_FILTER" ref="metadataFilter"/>
<!-- snip -->
这是否有效,或者是否需要更复杂的解决方案.
Spring Security SAML坚持在SAML身份验证请求(ProtocolBinding属性)中请求Artifact绑定:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://sp.com/saml/SSO/alias/defaultAlias"
Destination="https://idp.com/idp"
ForceAuthn="false"
ID="a4acj06d42fdc0d3494h859g3f7005c"
IsPassive="false"
IssueInstant="2012-12-05T17:07:18.271Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Version="2.0"
>
我该如何配置POST绑定?谢谢你的回答!
- 安德烈亚斯
在使用预配置的服务提供程序元数据时,在spring安全性中,是否应该有2个bean定义用于扩展元数据委托?一个用于IDP元数据,一个用于SP元数据?
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:security/localhost_sp.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="alias" value="default"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="pkix"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="requireArtifactResolveSigned" value="false"/>
<property name="requireLogoutRequestSigned" value="false"/>
<property name="requireLogoutResponseSigned" value="false"/>
<property name="idpDiscoveryEnabled" value="true"/>
<property name="idpDiscoveryURL"
value="https://www.server.com:8080/context/saml/discovery/alias/default"/>
<property name="idpDiscoveryResponseURL"
value="https://www.server.com:8080/context/saml/login/alias/default?disco=true"/>
</bean>
</constructor-arg>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:security/idp.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
</constructor-arg>
</bean>
我已经使用 Spring Security SAML 实现了 SSO。这是目前对我有用的内容:
当我尝试访问 SP 上的任何资源时,如果我尚未登录,我将被重定向到我的 IdP(在我的情况下为 idp.ssocircle.com)。在 IDP 成功验证后,我被重定向回 SP 并授权传入的 SAML 响应并为相应的用户创建会话。一切都很酷,直到这里!但是,当我从 IDP 注销(通过从外部单击 idp.ssocircle.com 注销)时,我应该无法访问我的 SP,这在我的情况下没有发生。现在我想做的是编写一个新的过滤器,在处理 SP 上的任何请求之前检查 IDP 上的有效会话。我已经搜索了很多,但找不到任何解决我的问题的方法。
请提供有关如何实现此过滤器的输入,或者是否有其他方法可以做到这一点?任何建议表示赞赏。
如果要实现为IDP,是否可以使用Spring SAML?
我过去曾作为服务提供商使用过它,并且在阅读文档时尚不清楚我是否可以将其用作IDP。
注意-我最初要求用户提出另一个问题的意见,我将问题改写为上述形式,但仍然保留,因此我再次询问。
spring-saml ×10
spring ×6
saml-2.0 ×5
saml ×4
java ×2
security ×2
binding ×1
opensaml ×1
salesforce ×1
x509 ×1