我完成了我的两个项目(即门户网站)使用Spring mvc hibernate和JAVA。MySQL作为数据库,Apache作为服务器。现在我的要求是为这两个门户获得SSO(单点登录)。我之前发布过这个,但只有一个人回复。我再次谷歌并获得了SAML扩展。我得到了一些示例https://github.com/spring-projects/spring-security-saml。并遵循这个https://docs.secureauth.com/display/docs/Spring Security说明为我的门户获得SSO。
我只集成了一个门户和上面链接中给出的过程。在上面的过程链接中,我不理解secureAuth20。xml和后期身份验证。
但当我在服务器上运行时,我一直在获取网页上的错误。错误:
错误
发生错误。消息:未找到实体localhost和角色{urn:oasis:names:tc:SAML:2.0:Metadata}SPSSODescriptor的元数据堆栈跟踪:
组织。opensaml。saml2.metadata。供应商。MetadataProviderException:实体的元数据http://localhost:6060/AxisCustomer/未找到角色{urn:oasis:names:tc:SAML:2.0:metadata}idpsosodecriptor
在我的STS中:
安全ontext.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Enable auto-wiring -->
<context:annotation-config/>
<!-- Scan for auto-wiring classes in spring saml packages -->
<context:component-scan
base-package="org.springframework.security.saml"/>
<!-- Unsecured pages -->
<security:http security="none" pattern="/favicon.ico"/>
<security:http security="none" pattern="/images/**"/>
<security:http security="none" pattern="/css/**"/>
<security:http security="none" pattern="/logout.jsp"/>
<!-- Security for the administration UI -->
<security:http pattern="/saml/web/**"
access-denied-page="/saml/web/metadata/login">
<security:form-login login-processing-url="/saml/web/login" login-
page="/saml/web/metadata/login"
default-target-url="/saml/web/metadata"/>
<security:intercept-url pattern="/saml/web/metadata/login"
access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>
<security:custom-filter before="FIRST"
ref="metadataGeneratorFilter"/>
</security:http>
<!-- Secured pages with SAML as entry point -->
<security:http entry-point-ref="samlEntryPoint">
<security:intercept-url pattern="/**"
access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST"
ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!-- Filters for processing of SAML messages -->
<bean id="samlFilter"
class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**"
filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**"
filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**"
filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**"
filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SSOHoK/**"
filters="samlWebSSOHoKProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**"
filters="samlLogoutProcessingFilter"/>
<security:filter-chain pattern="/saml/discovery/**"
filters="samlIDPDiscovery"/>
</security:filter-chain-map>
</bean>
<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler"
class= "org.springframework.security.web.authentication.
SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Handler deciding where to redirect user after failed login -->
<bean id="failureRedirectHandler"
class= "org.springframework.security.web.authentication.
SimpleUrlAuthenticationFailureHandler">
<property name="useForward" value="true"/>
<property name="defaultFailureUrl" value="/error.jsp"/>
</bean>
<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class=
"org.springframework.security.web.authentication.logout.
SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/logout.jsp"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<!-- Register authentication manager for SAML provider -->
<security:authentication-provider ref="samlAuthenticationProvider"/>
<!-- Register authentication manager for administration UI -->
<security:authentication-provider>
<security:user-service id="adminInterfaceService">
<security:user name="admin" password="admin" authorities
="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class=
"org.springframework.security.saml.log.SAMLDefaultLogger"/>
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class=
"org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="nalle123"/>
<constructor-arg>
<map>
<entry key="apollo" value="nalle123"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="apollo"/>
</bean>
<!-- Entry point to initialize authentication, default values taken
from properties file -->
<bean id="samlEntryPoint" class=
"org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class=
"org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
</property>
</bean>
<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery"
class="org.springframework.security.saml.SAMLDiscovery">
<property name="idpSelectionPath" value="/WEB-INF/security
/idpSelection.jsp"/>
</bean>
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class=
"org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class=
"org.springframework.security.saml.metadata.MetadataGenerator">
<property name="extendedMetadata">
<bean class="
org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="true"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<!-- The filter is waiting for connections on URL suffixed with
filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class=
"org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle
of trust is here -->
<bean id="metadata" class=
"org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<!-- IDP metadata -->
<bean class="
org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="
org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/idp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
<!-- SP metadata -->
<bean class="
org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="
org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="
org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata
/localhost_sp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="
org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="alias" value="localhost"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="metaiop"/>
<property name="sslHostnameVerification"
value="allowAll"/>
<property name="signMetadata" value="true"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="requireArtifactResolveSigned"
value="false"/>
<property name="requireLogoutRequestSigned"
value="false"/>
<property name="requireLogoutResponseSigned"
value="false"/>
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</constructor-arg>
</bean>
</list>
</constructor-arg>
<!-- OPTIONAL used when one of the metadata files contains
information about this service provider -->
<property name="hostedSPName" value="localhost"/>
<!-- OPTIONAL property: can tell the system which IDP should be used
for authenticating user by default. -->
<property name="defaultIDP" value="http://localhost:6060
/AxisCustomer/"/>
</bean>
<bean id="samlAuthenticationProvider" class=
"org.springframework.security.saml.SAMLAuthenticationProvider">
<!-- OPTIONAL property: can be used to store/load user data after
login -->
<!--
<property name="userDetails" ref="bean" />
-->
</bean>
<!-- Provider of default SAML Context -->
<bean id="contextProvider" class=
"org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter"
class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler"
ref="successRedirectHandler"/>
<property name="authenticationFailureHandler"
ref="failureRedirectHandler"/>
</bean>
<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class=
"org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler"
ref="successRedirectHandler"/>
<property name="authenticationFailureHandler"
ref="failureRedirectHandler"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
class= "org.springframework.security.web.authentication.logout.
SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
<!-- Override default logout processing filter with the one processing
SAML messages -->
<bean id="samlLogoutFilter" class=
"org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
<constructor-arg index="2" ref="logoutHandler"/>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected toafter
successful global logout -->
<bean id="samlLogoutProcessingFilter" class=
"org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
</bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class=
"org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg>
<list>
<ref bean="redirectBinding"/>
<ref bean="postBinding"/>
<ref bean="artifactBinding"/>
<ref bean="soapBinding"/>
<ref bean="paosBinding"/>
</list>
</constructor-arg>
</bean>
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class=
"org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class=
"org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class=
"org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class=
"org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile"
class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class
="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<bean id="postBinding" class
="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="redirectBinding" class
="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding
">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="artifactBinding"
class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
<constructor-arg>
<bean class ="
org.springframework.security.saml.websso.ArtifactResolutionProfileImpl
">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient">
<constructor-arg>
<bean class
="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</constructor-arg>
</bean>
</constructor-arg>
<property name="processor">
<bean
class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg ref="soapBinding"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="soapBinding"
class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="paosBinding"
class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<!-- Initialization of OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- Initialization of the velocity engine -->
<bean id="velocityEngine"
class="org.springframework.security.saml.util.VelocityFactory"
factory-method="getEngine"/>
<!-- XML parser pool needed for OpenSAML parsing -->
<bean id="parserPool"
class="org.opensaml.xml.parse.StaticBasicParserPool"
init-method="initialize">
<property name="builderFeatures">
<map>
<entry key="http://apache.org/xml/features/dom/defer-
node-expansion" value="false"/>
</map>
</property>
</bean>
<bean id="parserPoolHolder"
class="org.springframework.security.saml.parser.ParserPoolHolder"/>
</beans>
idp。xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID=
"http://localhost:6060/AxisCustomer/"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration=
"urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJh
MQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MT
kxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
cm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzE
NMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5pii
LkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhs
YF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8
CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNS
ZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/
r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService index="0" isDefault="true" Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location=
"http://localhost:8080/opensso/ArtifactResolver/metaAlias/idp"/>
<SingleLogoutService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=
"http://localhost:8080/opensso/IDPSloRedirect/metaAlias/idp"
ResponseLocation=
"http://localhost:8080/opensso/IDPSloRedirect/metaAlias/idp"/>
<SingleLogoutService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=
"http://localhost:8080/opensso/IDPSloPOST/metaAlias/idp"
ResponseLocation=
"http://localhost:8080/opensso/IDPSloPOST/metaAlias/idp"/>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://localhost:8080/opensso/IDPSloSoap/metaAlias/idp"/>
<ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://localhost:8080/opensso/IDPMniRedirect/metaAlias/idp"
ResponseLocation=
"http://localhost:8080/opensso/IDPMniRedirect/metaAlias/idp"/>
<ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=
"http://localhost:8080/opensso/IDPMniPOST/metaAlias/idp"
ResponseLocation=
"http://localhost:8080/opensso/IDPMniPOST/metaAlias/idp"/>
<ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://localhost:8080/opensso/IDPMniSoap/metaAlias/idp"/>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-
format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-
format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:unspecified</NameIDFormat>
<SingleSignOnService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=
"http://localhost:8080/opensso/SSORedirect/metaAlias/idp"/>
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location=
"http://localhost:8080/opensso/SSOSoap/metaAlias/idp"/>
<NameIDMappingService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location=
"http://localhost:8080/opensso/NIMSoap/metaAlias/idp"/>
<AssertionIDRequestService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location=
"http://localhost:8080/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
<AssertionIDRequestService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
Location=
"http://localhost:8080/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>
</EntityDescriptor>
localhost_sp.xml(下载实体)
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md=
"urn:oasis:names:tc:SAML:2.0:metadata" ID="localhost"
entityID="localhost">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#localhost"><ds:Transforms>
<ds:Transform Algorithm=
"http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>AvF5jq5CC2Hj8GIoGUZ5DYcVcoE=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>Jfn6P9Hqp/SKHOQE5MCrjY4Fp7kbJsSZOafCVS5beB
VOuyCvSyTyrMFD5Xx5x0qw6TZSQuG9OFZPEC
T4Sv9fU5cPTQIrxNv7jx88ie8GCjllypaYIaGPn
3YxY819aiilGL/1x4TgSkWsVJUIH8i1iBjYIPnU6rXr0uEO1J
nft2T6uz8tUc01QCliscnNsOhU0ffYcjR
\ApI3tzZxgjR8A5vSDJHphbOScizR
IyXVD8sZfW1d0shtVkFjVYjl6ek4H
9Znlb7J0iHUqT3dqwaB+Y6IMFM8zA+aQGHVoT
36UVyTuifq7IDqGZzQVPYEmOl1jy/3dYeLIcPiGCW+rgmhZ1w==
</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDV
QTANBgkqhkiG9w0BAQUFADBrMQswCQYDV
QQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua
2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9s
bG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECB
MHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1
UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
QCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMe
QClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/
N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAY
Ujso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2ml
BztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/
2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/
i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW
/GuHE=
</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds=
"http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLI
QTANBgkqhkiG9w0BAQUFADBrMQswCQYDV
QQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua
2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9s
bG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECB
MHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1
UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
QCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMe
QClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/
N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAY
Ujso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2ml
BztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/
2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/
i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW
/GuHE=
</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleLogoutService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=
"http://localhost/saml/SingleLogout/alias/localhost"/>
<md:SingleLogoutService Binding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
Redirect" Location=
"http://localhost/saml/SingleLogout/alias/localhost"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-
format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-
format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-
format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost/saml/SSO/alias/localhost" index="0"
isDefault="true"/></md:SPSSODescriptor></md:EntityDescriptor>
请提出您的解决建议。
提前感谢
我知道这是一篇旧帖子,但我也遇到了这个问题,IDP使用了不同的证书用于SSL/TLS连接,用于刷新元数据和用于签署有效负载的证书。所以解决方法是导入两个证书。
我的java8和tomcat 8设置也面临这个问题。检查后,我发现tomcat libs文件夹“bcprov-jdk16-1.46.jar”中缺少一个jar。添加这个罐子后,我再也没有出现这个错误了
该错误意味着Spring SAML已收到IDP发出的具有实体ID的SAML消息”http://localhost:6060/AxisCustomer/“,但在可用的元数据中找不到任何这样的实体。请确保您的元数据bean包含具有此ID的实体。或者只需附加所有元数据文档,我就可以查看了。
我建议您使用以下元数据定义:
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class=
"org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<!-- IDP metadata -->
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/idp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
<!-- SP metadata -->
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/localhost_sp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="alias" value="localhost"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="metaiop"/>
<property name="sslHostnameVerification" value="allowAll"/>
<property name="signMetadata" value="true"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="requireArtifactResolveSigned" value="false"/>
<property name="requireLogoutRequestSigned" value="false"/>
<property name="requireLogoutResponseSigned" value="false"/>
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</constructor-arg>
</bean>
</list>
</constructor-arg>
<!-- OPTIONAL used when one of the metadata files contains
information about this service provider -->
<property name="hostedSPName" value="localhost"/>
<!-- OPTIONAL property: can tell the system which IDP should be used
for authenticating user by default. -->
<property name="defaultIDP" value="http://localhost:6060/AxisCustomer/"/>
</bean>
确保引用的idp.xml文件位于项目的/元数据/idp.xml中(您应该已经有一个名为localhost_sp.xml文件),并且idp.xml中的实体IDhttp://localhost:6060/AxisCustomer/
我正在尝试通过SAML请求将SSO集成到我们的ASP. NET应用程序中。我正在使用KentorAuthService库来实现这一点。使用kentor库是否是从其他身份提供者(例如(一次登录、快速身份等)进行身份验证的解决方案,或者我应该专门基于身份提供者实施。
关于SAML及其通过Shibboleth的实现,我有很多问题。我已经做了大量的研究,我想澄清一些事情。我有一个与服务器通信的移动应用程序。我们的一个企业客户,我们称之为StackOverflow大学,希望使用Shibboleth(或者我应该说SAML?)为我们的系统提供SSO。他们已经给我们发送了所有学生的电子邮件地址和基本资料。使用OAuth2,我们确切地知道如何提供SSO,但是,使用SAML,
我正在研究SSO的一些新用法。基本上,我正在尝试找到如何拦截SAML请求的方法,该请求通过某种IdP代理或第三方服务从服务提供商发送到身份提供商,该服务将保存SAML请求并为用户提供一些附加功能。所需的过程可能如下所示: 用户从SP调用SAML请求-例如单击登录按钮 用户被重定向到第3方服务,例如,小型调查(这是理论示例) 提交调查后,用户被重定向到IdP并应继续登录 我对SimpleSAMLph
新单点登录和SAML,所以我不确定我问这个问题是否正确假设作为身份提供者,用户来到我的网站并单击服务提供者链接。然后我会提示他输入用户ID和密码。假设他成功地被认证为user1@xyz.com。然后我将该用户发送到提供SAML令牌的服务提供商。假设服务提供商期望用户是user1而不是user1@xyz.com。我需要创建某种映射吗?我怎么知道服务提供商期望什么,在这种情况下是user1而不是use
我正在尝试使用OpenProject OmniAuth SAML单点登录插件设置SSO(单点登录)与OpenProject的集成。我已经配置了相关的详细信息。生成元数据并向Shibboleth支持的IDP注册。该插件在openproject登录表单上显示了一个额外的登录按钮。单击它将正确重定向到IDP的登录页面。在提供凭据之后,它正确地重定向到我提到的AssertionConsumerServic
对于Spring MVC应用程序,通常如何使用SAML 2.0实现SSO? 我的应用程序需要实现SSO,以便用户无需使用我的应用程序创建新帐户即可登录。 我的理解是,如果我错了,请纠正我,我需要一个服务提供商与第三方使用的身份提供商进行通信,以便交换元数据。但我该如何实现这一过程呢? 此外,Spring MVC应用程序端需要什么? 提前感谢:D