Question:

"HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid", with Salesforce as the IdP for SSO

堵宪
2023-03-14

I have implemented SSO using Spring SAML and everything works fine. So far it works with the following IdPs: 1) idp.ssocircle.com 2) openidp.feide.no

Now I am testing with salesforce.com as my Identity Provider. Since there is no provision to upload the Service Provider metadata, I did the following configuration on its IdP:

I provided my entityID and the Assertion Consumer Service URL. I also uploaded my SP certificate. I downloaded its metadata (IdP metadata), which looks like this (sensitive information hidden):

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ABC-dev-ed.my.salesforce.com" validUntil="2024-04-11T13:55:57.307Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing">
     <ds:KeyInfo>
        <ds:X509Data>
           <ds:X509Certificate>XXXXXXXXX</ds:X509Certificate>
        </ds:X509Data>
     </ds:KeyInfo>
  </md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ABC-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ABC-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

Now, when I try to test my SP, it first redirects me to the IdP (Salesforce), where I am asked to enter my credentials, but then I am redirected back to the Assertion Consumer Service URL (which is my SP), and here an exception is raised saying:

HTTP Status 401 - This request requires HTTP authentication (Authentication Failed: Incoming SAML message is invalid).

I tried the following, without success: - Although it is not required, I downloaded the certificate file from Salesforce and imported it into my keystore.jks to make sure that key is used for signature verification. (It is not required because the certificate is already present in the IdP metadata.)

Here is what I found in the log file (only the relevant part, after the successful AuthnRequest):

AuthNRequest;SUCCESS;127.0.0.1
.....STARTED_FAILING_HERE.....
Attempting to extract credential from an X509Data
Found 1 X509Certificates
Found 0 X509CRLs
Single certificate was present, treating as end-entity certificate
Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
A total of 1 credentials were resolved
Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
Signature validated with key from supplied credential
Signature validation using candidate credential was successful
Successfully verified signature using KeyInfo-derived credential
Attempting to establish trust of KeyInfo-derived credential
Failed to validate untrusted credential against trusted key
Failed to establish trust of KeyInfo-derived credential
Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
Attempting to verify signature using trusted credentials
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
at org.opensaml.xml.signature.impl.BaseSignatureTrustEngine.verifySignature(BaseSignatureTrustEngine.java:142)
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:110)
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:104)
at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:91)
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:128)
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:403)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:301)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:162)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:140)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Failed to verify signature using either KeyInfo-derived or directly trusted credentials
Validation of protocol message signature failed for context issuer 'https://ABC-dev-ed.my.salesforce.com', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
Updated SecurityContextHolder to contain null Authentication
Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@153a591

Can anyone tell me, by looking at the log above, where I went wrong? Any help would be greatly appreciated.

Thanks

Abhilash

1 answer

松锐藻
2023-03-14

Your IdP is using a different key for the digital signature than the one defined in the metadata.

You should inspect the received SAML message and look for the element X509Certificate inside the element Signature. Extract the certificate content into a separate file, e.g. sales-force-sign.cer.

Then you need to import the certificate into samlKeystore.jks; you can find details on how to do this in chapter 4.5 (Key management) of the Spring SAML manual. Make sure to note the alias you used when importing the key.

As the last step, you need to tell Spring SAML to use the newly imported key for signature verification of your IdP. To do this, update your securityContext.xml and set the property signingKey in the ExtendedMetadata of your IdP to the alias you used earlier when importing the key. It will look something like this:

  <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
      <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
              <constructor-arg>
                  <value type="java.io.File">classpath:salesforce_metadata.xml</value>
              </constructor-arg>
              <property name="parserPool" ref="parserPool"/>
          </bean>
      </constructor-arg>
      <constructor-arg>
          <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
              <property name="signingKey" value="sf-proxy"/>
          </bean>
      </constructor-arg>
  </bean>

Again, you can find details on all of this in the manual.

Alternatively, you can simply add the key extracted from the message to the IdP metadata. Just update the XML file by hand and add another KeyDescriptor with use="signing". This is probably faster.
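An added example to go with the answer above (it is not part of the answer, the question, or the Spring SAML project): it reproduces the check the log is reporting, by pulling the X509Certificate out of the ds:Signature of a SAML Response and comparing its fingerprint with the use="signing" certificates in the IdP metadata. For a certificate the metadata does not list, it produces the PEM file to import with keytool (the answer's first route) and a copy of the metadata with an extra KeyDescriptor use="signing" (the answer's alternative). The Response, the metadata and the two "certificates" are constructed placeholders, not real Salesforce data or real DER.

```python
"""Diagnose an IdP signing key that is not present in the IdP metadata.
Example code, not from the question or from Spring SAML. The certificates
below are constructed placeholders (base64 of short byte strings), not X.509."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed placeholder certificates: the metadata lists A, the message signs with B.
CERT_A = base64.b64encode(b"constructed-placeholder-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-placeholder-cert-B").decode()

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://EXAMPLE-dev-ed.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://EXAMPLE-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response whose KeyInfo carries a different certificate: the signature
# verifies against the embedded key ("Signature validated with key from supplied
# credential") but that key is not trusted ("Failed to establish trust ...").
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def _clean_b64(text):
    return "".join(text.split())  # drop the line breaks XML tools insert into base64


def fingerprint(b64_cert):
    """SHA-256 over the DER bytes as colon-separated hex, the form keytool prints."""
    digest = hashlib.sha256(base64.b64decode(_clean_b64(b64_cert))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def message_signing_certs(response_xml):
    """Certificates embedded in the KeyInfo of the message's ds:Signature elements."""
    root = ET.fromstring(response_xml)
    certs = []
    for sig in root.findall(".//ds:Signature", NS):
        certs += [_clean_b64(e.text) for e in sig.findall(".//ds:X509Certificate", NS)]
    return certs


def metadata_signing_certs(metadata_xml):
    """Certificates the metadata declares for signing (no 'use' attribute means both uses)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [_clean_b64(e.text) for e in kd.findall(".//ds:X509Certificate", NS)]
    return certs


def untrusted_message_certs(response_xml, metadata_xml):
    """Message signing certificates whose fingerprint is not among the trusted ones."""
    trusted = {fingerprint(c) for c in metadata_signing_certs(metadata_xml)}
    return [c for c in message_signing_certs(response_xml) if fingerprint(c) not in trusted]


def to_pem(b64_cert):
    """PEM wrapping for a keytool -importcert file (e.g. sales-force-sign.cer)."""
    body = _clean_b64(b64_cert)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def add_signing_key_descriptor(metadata_xml, b64_cert):
    """The answer's alternative: metadata with an extra KeyDescriptor use="signing".
    Inserted right after the last existing KeyDescriptor to keep the schema order."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    kd_tag = f"{{{NS['md']}}}KeyDescriptor"
    existing = [i for i, child in enumerate(list(idp)) if child.tag == kd_tag]
    kd = ET.Element(kd_tag, use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo"), f"{{{NS['ds']}}}X509Data")
    ET.SubElement(x509, f"{{{NS['ds']}}}X509Certificate").text = _clean_b64(b64_cert)
    idp.insert(existing[-1] + 1 if existing else 0, kd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for cert in untrusted_message_certs(SAML_RESPONSE, IDP_METADATA):
        print("message signed with a key missing from metadata, SHA-256:", fingerprint(cert))
        print(to_pem(cert))  # save as sales-force-sign.cer and import with keytool
        print(add_signing_key_descriptor(IDP_METADATA, cert))
```

Run it against a real Response (the base64 SAMLResponse POST parameter, decoded) and the downloaded IdP metadata; if it reports a certificate, that is the key the trust engine could not establish trust for. Save the PEM as sales-force-sign.cer and import it with `keytool -importcert -alias sf-proxy -file sales-force-sign.cer -keystore samlKeystore.jks`, then reference the alias as signingKey in the ExtendedMetadata shown above, or use the emitted metadata with the added KeyDescriptor.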
