问题:
WSO2 Identity Server OAuth2承载SAML断言
阙阳夏
我在使用WSO2身份服务器时遇到了一个问题。
我有一个使用SAML2的Web服务器在身份服务器中进行SSO。登录后,身份服务器返回saml响应消息:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:8080/travelocity.com/home.jsp" ID="lfkelagpefmnohdlcalkpoeobnahpjapkfljnoah" InResponseTo="mieoddeiiebbaphejlfdgaiojbnogmpnnhijaema" IssueInstant="2016-01-02T17:31:47.863Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#lfkelagpefmnohdlcalkpoeobnahpjapkfljnoah"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>HCnAalpftzdBW6dZbB+0nJf2A7c=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>QKXtIMRFkw/eqAX1b30PGbCHqPTYrlOEGl0UobvK/hqaYz+2wuoJfMz9t0BS5CFYUT/OqAsv9eR2IVTDUq+Wp17xOu48yAPI9gl9L1gH9YZ4+k12y19C3WbAgTwaZ+IOqa9a01N5nWAKa3G38rhX58KAX31FgILvFT6aegQYXMU=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="jajekgbkamaadloajjnhckhdofjdiicgkcfbjbmd" IssueInstant="2016-01-02T17:31:47.863Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#jajekgbkamaadloajjnhckhdofjdiicgkcfbjbmd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>pDzChf9Ote3Ljws9ErogUQxfN0I=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ZFw9zwyuB2xJuChBdkQArV+yb2NW0LcTkoZK+GuhTRqoD/Ndk880U18cRT4am/Ut1qxIR90ec9pqosCd9ax/UZzu/ZZ69mNfn0xB6Uni/1MQ9G+FijjmuTHPWK2jyO1PrkbK7OUNTD1UgQxQGaMufbuWR2BsNFWnRbLBB5PG8e0=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@carbon.super</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="mieoddeiiebbaphejlfdgaiojbnogmpnnhijaema" NotOnOrAfter="2016-01-02T17:36:47.863Z" Recipient="http://localhost:8080/travelocity.com/home.jsp"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="mieoddeiiebbaphejlfdgaiojbnogmpnnhijaema" NotOnOrAfter="2016-01-02T17:36:47.863Z" Recipient="https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-01-02T17:31:47.863Z" NotOnOrAfter="2016-01-02T17:36:47.863Z"><saml2:AudienceRestriction><saml2:Audience>travelocity.com</saml2:Audience><saml2:Audience>https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-01-02T17:31:47.864Z" SessionIndex="fed8981e-65b5-4a07-b7b0-b5b2dfcd1c35"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
我从SAML2响应中提取Assertion标签并使用base 64对其进行编码,并将请求发送到标识服务器,以使用OAuth2 SAML Aseertion请求OAuth2承载令牌。但是我在服务器中收到了以下异常消息:
[2016-01-02 12:33:34,938] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} - Error while validating the signature.
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:451)
at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:154)
at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:196)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:245)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:111)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
我只在Identity Server中设置SAML2服务提供程序,并使用默认的常驻身份提供程序作为Identity Server中的身份提供程序。
我是在OAuth2 SAML断言流中做错了什么,还是在服务器中缺少了一些配置<非常感谢你。
共有1个答案
翟淇
您需要从SAML2响应中提取断言标记,并将其转换为base64 URL编码。请按照以下步骤操作。
- 您需要删除换行符
- URL编码
- 将base 64编码为客户端ID和客户端机密
(注意:您可以直接将其转换为base 64 URL encode,无需使用两步执行此操作)
然后使用下面的curl命令
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>, Content-Type: application/x-www-form-urlencoded" https://<IP of the APIM server>:9443/oauth2/token
当断言签名私钥的公钥和验证公钥不匹配时,会发生此错误。因此,在这种情况下,API管理器端用于验证发送SAML断言的公钥与Identity Server用于签署SAML断言的私钥不匹配。
另一个选项是将他们提供给您的证书添加到wso2carbon。jks(记住别名)。
请参阅下面的参考资料以获取更多信息。
[1] https://docs.wso2.com/display/AM190/Exchanging具有OAuth2-SAML扩展授权类型的SAML2承载令牌
[2]https://docs.wso2.com/display/IS510/SAML2承载断言配置文件的OAuth 2.0与WSO2 TraSpeed
[3]http://xacmlinfo.org/2014/10/31/saml2-bearer-assertion-profile-for-oauth-2-0/
类似资料:
-
我有一个Java Web应用程序,我想将其作为服务提供商并实现SAML。我不确定如何做这件事的工作流程。 我已经阅读了这个SO问题,但仍然无法完全理解。在问题中,他们说他们需要向IDP发送请求,如果我是对的,称为断言。 如何创建断言?我在那里看到了样品。但是在哪里传递登录凭据呢? 另外,我如何在IDP注册我的应用程序,我是否需要安装IDP为此提供的一些证书?工作流程是什么? 谢谢
-
我正在使用多个SP实现单点登录。以下是我的基本理解: 1) 浏览器(用户)向服务提供商(SP)请求资源 2)SP重定向(使用SAML请求)到身份提供程序(IdP) 3)由于这是第一次登录,用户将向(IdP)提供其有效凭据 4)然后,IdP将浏览器(带有包含SAML令牌的SAML响应)重定向到SP页面。 现在,假设我有服务提供商A和服务提供商B。一个用户已经完成了关于服务提供商A的步骤。从服务提供商
-
我们有一个产品有一个客户,当我们作为服务提供商并且idp在客户端时,我们使用Spring Security SAML为该客户实现了SAML流。 现在,我们有另一个客户也希望身份验证与 SAML 一起使用,并且我们希望同一 SP 为此客户实现 SAML 流,第二个客户还将有 2 个用于 SAML 的流,一个用于移动设备,另一个用于使用相同 IDP 的其他设备。两个客户的 IDP 是不同的。 问题 两
-
我试图从开发人员的角度理解IdP发起的SSO的基本流程。我还试图从随。NET集成工具包。 基于此链接:http://documentation.pingidentity.com/display/PF610/OpenToken 适配器配置 问:PingFederate 服务器如何解析 SAML 断言?我是否必须从 SP 服务器对其进行编码?还是PingFederate服务器的设置会进行解析? 我现在
-
我有一个webservice操作,其中我将获得SAML断言作为请求体的一部分。我跟踪XSD: saml:断言是指:< br>
-
我的任务是通过Sustainsys(Kentor)库为我目前正在进行的项目设置SAML 2.0单点登录。这是我一直遵循的文档。该网站是一个webforms应用程序,因此我使用Sustainsys库的HTTPModule部分。我已将IDP(Okta)配置为将SAML2.0断言发送到文档中声明endpoint为/SAML或/SAML/Acs的网站。该网站是Kentico CMS网站,CMS提供了一个A