问题:
OpenAM ITfoxtec Saml2签名响应无效?
郑声
我正在尝试将OpenAM Saml SSO集成到我的。net 5应用程序。ITfoxtec。Saml2用于处理SP上的身份验证。尝试登录时,会发送有效的post samlResponse。但在验证响应时,我得到以下异常。
ERROR|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request. ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)
确认签名算法正确(http://www.w3.org/2000/09/xmldsig#rsa-sha1)
当手动验证saml响应时(通过浏览器插件saml Chrome面板),我注意到签名处存在一些编码问题
我有什么遗漏吗?
请求:
<saml2p:AuthnRequest
Destination="..."
ID="_b8fad14a-506b-4496-aa35-f09c4174e76f" IssueInstant="2021-10-25T12:59:21.212Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer>...</saml2:Issuer></saml2p:AuthnRequest>
回应:
<samlp:Response Destination="..."
ID="s2b5ecaf8f0265680dc4dcdd853678d3fb0fae7410" InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
IssueInstant="2021-10-25T12:59:21Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">...</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion ID="s21d821b22e63d329f2ae5284b1dcfab415b825ebf" IssueInstant="2021-10-25T12:59:21Z"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>...</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#s21d821b22e63d329f2ae5284b1dcfab415b825ebf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DUXzMtgGm0bCJD88pdxmElxNsxs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SGKlcZKLqzLL2MxNld4/4lGC8C/p2AULruK+HIha8sGvdEnU4zvdYhC701q6LpjHLwKLVcwgv+pG
ATzkzIZDmZ6SzXljQXtOwTwy4yT7gblbnL4W3gEqxceDtxs4MDjNQ+k/bJQlD32egA+ThteJyNby
Cztkf8LR2S5MLCyDjPX93DgQ97zo+tr4vUsIlExK2MiQQlTNBgvR0tZqvvTAOCva20dBacc5FaW+
qmUe7+lPeRzCnWp1Lag2KpSIJs7Uuc/Tp3uHw9Jys/g+ZYRQLESRpGEiPNLB602CMF4a8xOMUdlz
VUW5ECdywnnrZfVdJmKcPg725YJVmUGzS6K1QA==
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI
EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsT
Bk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQK
EwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFw
jwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wz
lE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/
ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eL
FootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8w
HQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2i
dv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukj
IzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119
IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlG
o99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV3
1sBREs8FaaCeksu7Y48BmkUqw6E9
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="...">zC7qyfpyMwFtp24en9Y97+hEEptH</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
NotOnOrAfter="2021-10-25T13:09:21Z" Recipient="..."/></saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-10-25T12:49:21Z" NotOnOrAfter="2021-10-25T13:09:21Z">
<saml:AudienceRestriction>
<saml:Audience>...</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-10-25T12:18:36Z"
SessionIndex="s27d56759d777a5ce71e5b97601c1563c4137ced01">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
...
</saml:AttributeStatement>
</saml:Assertion></samlp:Response>
元数据:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://devopenam02.dev.coteng.com:8080/OpenAM-14.6.2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCeksu7Y48BmkUqw6E9
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
</IDPSSODescriptor>
</EntityDescriptor>
共有1个答案
谷梁子昂
ITfoxtec Identity Saml2包不读取EntityDescriptor/KeyDescriptor元素中的IdP签名证书,不支持该元素。IdP证书在EntityDescriptor/IDPSSODescriptor/KeyDescriptor元素中读取。
TestedCore示例的有效IdP元数据示例:
类似资料:
-
我正在与DocuSign API进行集成,目前正在沙箱中进行测试。我希望添加对响应签名的支持,并决定在将对象添加到对象之前先在移动设备上测试这一点,以查看示例文档当前在移动设备上的显示方式。 当我在iPhone中查看文档时,它已经自动显示响应版本,而无需进行任何更改: 我现在想知道如果这是自动发生的,我是否需要进行任何更改,但我找不到任何文档表明这是一个自动设置。 在我的沙盒设置中,我确实有的移动
-
我试图遵循以下规范来验证SAML响应的签名:https://www.w3.org/tr/xmldsig-core/#sec-pkcs1 下面是我的工作流程:我得到SAML响应。我去掉签名信封,我把它规范化,我检查摘要,然后我检查签名。我能够成功地计算转换的SAML响应的SHA1摘要,并对其进行验证。然而,RSA-SHA1签名检查仍然无法实现。 SAML响应包含签名方法算法:http://www.w
-
2016年8月1日11:34:39 AM org.apache.catalina.core.standardWrapperValve在路径为[/travelocity.com]的上下文中为servlet[jsp]调用严重:servlet.service()引发了异常[SAML响应的签名验证失败],根本原因为org.wso2.carbon.identity.sso.agent.exception.s
-
我有一个Java web应用程序。我想为我的应用程序实现SAML单点登录登录。我有这个GitHub onelogin程序来发送请求并获得响应。但它没有正常工作。我在那里创建了一个帐户。但我没有企业账户。当我运行应用程序时,它将进入onelogin登录页面。我试图登录,但在响应中没有返回任何权限,表明我没有权限。如果我也提供了错误的凭据,那么它不会给出任何SAML响应。 所以我决定创建一个断言并签名
-
问题内容: 我通过按下按钮来调用此函数… Firebug显示我得到了这个JSON响应(我知道这是有效的)[为清楚起见,被截断了] Firebug显示错误“无效标签 https://test.com/incident.do?JSON&callback=jsonp1279049933243&sysparm_action=getRecords 第1行 我怎样才能解决这个问题?谢谢! 问题答案: 您的响应
-
PDF创建步骤: 通过添加空签名字段名称创建pdf:suhasb@gmail.com和nikhil.courser@gmail.com,使用原始的hello.pdf输出文件名hello_tag.pdf运行程序>tagpdfsignaturefields.java 从hello_tag.pdf文件中提取签名字段suhasb@gmail.com进行首次签名,输出文件名为hello_signd.pdf