【问题标题】:SAML Spring Sample: Signature did not validate against the credential's keySAML Spring 示例:签名未针对凭证的密钥进行验证
【发布时间】:2016-12-02 18:51:38
【问题描述】:

我正在使用带有公司 ADFS idp 的 SAML Spring 示例。生成的元数据适用于 SSOCircle,但不适用于 ADFS,我收到的错误消息如下:

 Attempting to verify signature using trusted credentials
 Attempting to validate signature using key from supplied credential
 Creating XMLSignature object
 Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
 Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
 Signature verification failed.
 Signature did not validate against the credential's key
 Signature validation using candidate validation credential failed
rg.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

我的安全元数据配置是:

<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>

                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                            <constructor-arg>
                                <bean class="java.util.Timer"/>
                            </constructor-arg>
                            <constructor-arg>
                                <bean class="org.opensaml.util.resource.ClasspathResource">
                                 <constructor-arg value="/metadata/whatever_sp.xml"/> 
                                </bean>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>                  
                    <constructor-arg ref="extendedMetadataSP" />
                    <property name="metadataTrustCheck" value="false"/>
                </bean>


                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer"/>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/ADFSfederationMetadata.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                    </constructor-arg>
                    <constructor-arg ref="extendedMetadataIDP" />
                    <property name="metadataTrustCheck" value="false"/>                 
                </bean>

                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer"/>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/ssoCircleIdp.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                    </constructor-arg>
                    <constructor-arg ref="extendedMetadataIDP" />
                    <property name="metadataTrustCheck" value="false"/>                 
                </bean>

            </list>
        </constructor-arg>      
        </bean>

</bean>



   <!-- Extended metadata properties -->
    <bean id="extendedMetadataSP" class="org.springframework.security.saml.metadata.ExtendedMetadata">
        <property name="local" value="true"/>
        <property name="securityProfile" value="metaiop"/>
        <property name="sslSecurityProfile" value="pkix"/>
        <property name="signingKey" value="apollo"/>
        <property name="encryptionKey" value="apollo"/>
        <property name="signMetadata" value="false" />
        <property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

    </bean>

我从 ADFS 得到的 SAML 响应如下:

<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://localhost:8443/s
pring-security-saml2-sample/saml/SSO" ID="_58365a14-2ed8-4d68-8e8e-fe72618c82d9" InResponseTo="afj64ji85gba3991249die24d5eiii" IssueInstant="2016-07-28T11:00:18.094Z" Version="2.0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[MYIDP]</Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
         <ds:Reference URI="#_58365a14-2ed8-4d68-8e8e-fe72618c82d9">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>eUzL1nPviOFVEi6A/XcplZJR3gBpg/gXWdtK/37iNCk=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>P+O4GMaYLrBnB/QkqTWI/b1ju3OShaJXPgMUWlTUdxGfcXLCBukmBO+pUH3V5F71f6G0qcYihGkXisVnk+kYrJ+ieGSAl4CgLok32OXVrafEAD9NVGCideabiJSr7MHBc1bWmlWBMJxPeYBDcH5e1+b/4uFwG3HBs6AHiDObVWZ97mQ
5ZnqwuS2m9zfunVKtAJOS1l3JkhXIBqU3OGD9fAriIMFxc+RygAZxbIq4pvXqSD4mP7aB6UlWE7jdcr5R+CmxmDWBEcQgjCSiAWUGQoEOC4EXkRXWc//3TEOjD19mMn4nepJA3Ko6jJfObS0peXfQKKhz3ink0lEbm1qCgA==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
            <ds:X509Certificate>MIIF1DCCBLygAwIBAgIQbhhm1o92bv+YAd21fED0rDANBgkqhkiG9w0BAQsFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xITAfBgNVBAoTGE5ldHdvcmsgU29sdXRpb25zIEwuTC5D
LjEpMCcGA1UEAxMgTmV0d29yayBTb2x1dGlvbnMgT1YgU2VydmVyIENBIDIwHhcNMTQxMDI5MDAwMDAwWhcNMTgwMTAzMjM1OTU5WjCB8DELMAkGA1UEBhMCR0IxETAPBgNVBBETCEJTMzcgNUhaMQ0wCwYDVQQIEwRBdm9uMRAwDgYDVQQHEwdCcmlzdG9sMQ0wCwYD
VQQJEwRZYXRlMRUwEwYDVQQJEwxTdGF0aW9uIFJvYWQxHzAdBgNVBAkTFlVuaXQgMSBCYWRtaW50b24gQ291cnQxGzAZBgNVBAoTEkFQQUsgR3JvdXAgTGltaXRlZDELMAkGA1UECxMCSVQxITAfBgNVBAsTGFNlY3VyZSBMaW5rIFNTTCBXaWxkY2FyZDEZMBcGA1UE
AxQQKi5zd29yZC1hcGFrLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANlGeYyoUeZj2QwtmjfpZzZy0IRZLK4aBeaQw4uwevLyJMOBaPTFWXj6aEDmr9kEcKiSUhcbSFSltvS/e88Vh5ZxrL2X75g5kUzgCAw9lY6aTYEAEpFm7pix47YIgJsPf1VM
wtVbw4MBrDnVYoC/kuXZ7okeglYPnv4TtmSRSq5MF2+HRs/Fhv8JtDl0bt/Tz9//vyi48S7KAeaPSqvVxZ7qyHov7FLCRspjGY9JuuI/uEGv2+ohaDYmnhyLFeaSfHPotg0gWTAowblUSigtk/6CAH2lUfKopPGvAE/egR79vPofaNxHooaZuxnPQ6ylW3dwcDK67Ve1
BS1QvLO3nXkCAwEAAaOCAd0wggHZMB8GA1UdIwQYMBaAFCAzzbdh9qWGT9zJ13NqvApRZZjsMB0GA1UdDgQWBBTTLIw41beIX7xgjN5kHorN+6Ib2jAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYD
VR0gBG4wbDBgBgwrBgEEAYYOAQIBAwEwUDBOBggrBgEFBQcCARZCaHR0cDovL3d3dy5uZXR3b3Jrc29sdXRpb25zLmNvbS9sZWdhbC9TU0wtbGVnYWwtcmVwb3NpdG9yeS1jcHMuanNwMAgGBmeBDAECAjBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLm5ldHNv
bHNzbC5jb20vTmV0d29ya1NvbHV0aW9uc09WU2VydmVyQ0EyLmNybDB7BggrBgEFBQcBAQRvMG0wRAYIKwYBBQUHMAKGOGh0dHA6Ly9jcnQubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zT1ZTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2Nz
cC5uZXRzb2xzc2wuY29tMBsGA1UdEQQUMBKCECouc3dvcmQtYXBhay5jb20wDQYJKoZIhvcNAQELBQADggEBADXCuYBzSLijLp8gQjkHl2NGb7VahaJTV4jD/pM0CV+6ERk5o7W6ufFH+ok7vONlukdQxT67GzEFnl7S+WgTxOTbYBQs4xMRsnY7G44yBLEtTjlw5UlN
kKPJXNnfFhrAy260sV5cqtP+hclNZ3TLTadwYVqdvv9D53aWP2gjZVE4RpUhI1DM0z9zk7FP7PyYsuhkILSwMst/YoPBOgs6C7/3nuMTh4IqCcYowSgcNdBiY8Vm+M5X6v/PqkPBvVPvE8s8xxrIfFIyNT4VdvKz1UGuT+yeI+4N3oeou3mCD0ENstzjxkRgPGOQbm45
2rlKIhki4ep90winKO4EectPUCM=</ds:X509Certificate>
         </ds:X509Data>
      </KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
   </samlp:Status>
</samlp:Response>

我的 SP 元数据是:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="[blah]" entityID="[blah]"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIESm9pPTANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVSzEQMA4GA1UE
CBMHQnJpc3RvbDENMAsGA1UEBxMEWWF0ZTEOMAwGA1UEChMFU3dvcmQxDTALBgNVBAsTBEFwYWsx
EzARBgNVBAMTCkZpcnN0IExhc3QwIBcNMTYwMTE0MTUzMjE4WhgPMjI4OTEwMjgxNTMyMThaMGIx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMQ0wCwYDVQQHEwRZYXRlMQ4wDAYDVQQKEwVT
d29yZDENMAsGA1UECxMEQXBhazETMBEGA1UEAxMKRmlyc3QgTGFzdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKyy2k8uLwA2sLMDV7AbqNzq8vh3n+FwxQiBFnly8EY1TbBmFa6I2u0L
1scYeGh/DudAWhj4nqhY2r44Q4GdmKvxGGFMKlrxDbzL3sfWW+OepwU25vd+wUk1OKxoYuK0cNmK
u3HkMgbXjTf4zLTuHSVuGXBh2p1cONTJVQYXzo8JqNSWRe5cmbqeESmzxsfctvv1/nfo5CHOuI6A
ol5R818d86SSGD1VADDmsSLTnw1GxTlzsp2637/0AIp119qamdBlmV6rl4MLcornWGnMDtHeN0iK
Q1x5Y9z9wVxr2Mz+PWUQP7qzlpr3mFwIRiFjCKpkHjfVOEHu+lRncaaPqhsCAwEAAaMhMB8wHQYD
VR0OBBYEFPe7nLb+sAec0J4f9cFj1Z3Q+zqvMA0GCSqGSIb3DQEBCwUAA4IBAQB28cgzoItNYtNp
LxvcRi/Y6aSkY/U+3uxke5GiEqMdsA7k+tn1ut7AcmmJnWQee7UjJJECwSxLHm2NIi9oukYtJi5R
lLjMMxWapREVg65HFZtH3HobkppOInQPxPxxKX1f0IdbAXthO5e8pYdTNVCRtLAXU0djPJFIwmhS
YgD2iyfHOOCX6BxjXiE9aYsykUH+S8PyFoIic9bbPziufTNW+Sa01kPzN6RYe4SukOXfvVlmR0eU
vvlyq9mAnAYVqbWUmYQkn+gokAxE/Uj4sACx75uzPx29VyiehQfkw5GgCDQMV6iXzRgLZThFp9+w
mYOs8uZDgNIFC/gFI6JeVdvh</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIESm9pPTANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVSzEQMA4GA1UE
CBMHQnJpc3RvbDENMAsGA1UEBxMEWWF0ZTEOMAwGA1UEChMFU3dvcmQxDTALBgNVBAsTBEFwYWsx
EzARBgNVBAMTCkZpcnN0IExhc3QwIBcNMTYwMTE0MTUzMjE4WhgPMjI4OTEwMjgxNTMyMThaMGIx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMQ0wCwYDVQQHEwRZYXRlMQ4wDAYDVQQKEwVT
d29yZDENMAsGA1UECxMEQXBhazETMBEGA1UEAxMKRmlyc3QgTGFzdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKyy2k8uLwA2sLMDV7AbqNzq8vh3n+FwxQiBFnly8EY1TbBmFa6I2u0L
1scYeGh/DudAWhj4nqhY2r44Q4GdmKvxGGFMKlrxDbzL3sfWW+OepwU25vd+wUk1OKxoYuK0cNmK
u3HkMgbXjTf4zLTuHSVuGXBh2p1cONTJVQYXzo8JqNSWRe5cmbqeESmzxsfctvv1/nfo5CHOuI6A
ol5R818d86SSGD1VADDmsSLTnw1GxTlzsp2637/0AIp119qamdBlmV6rl4MLcornWGnMDtHeN0iK
Q1x5Y9z9wVxr2Mz+PWUQP7qzlpr3mFwIRiFjCKpkHjfVOEHu+lRncaaPqhsCAwEAAaMhMB8wHQYD
VR0OBBYEFPe7nLb+sAec0J4f9cFj1Z3Q+zqvMA0GCSqGSIb3DQEBCwUAA4IBAQB28cgzoItNYtNp
LxvcRi/Y6aSkY/U+3uxke5GiEqMdsA7k+tn1ut7AcmmJnWQee7UjJJECwSxLHm2NIi9oukYtJi5R
lLjMMxWapREVg65HFZtH3HobkppOInQPxPxxKX1f0IdbAXthO5e8pYdTNVCRtLAXU0djPJFIwmhS
YgD2iyfHOOCX6BxjXiE9aYsykUH+S8PyFoIic9bbPziufTNW+Sa01kPzN6RYe4SukOXfvVlmR0eU
vvlyq9mAnAYVqbWUmYQkn+gokAxE/Uj4sACx75uzPx29VyiehQfkw5GgCDQMV6iXzRgLZThFp9+w
mYOs8uZDgNIFC/gFI6JeVdvh</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/spring-security-saml2-sample/saml/SingleLogout"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/spring-security-saml2-sample/saml/SingleLogout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/spring-security-saml2-sample/saml/SSO" index="0" isDefault="true"/><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/spring-security-saml2-sample/saml/SSO" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>

请注意我没有修改 samlKeystore.jks。我不确定我做错了什么,有人可以解释一下吗?

正如我之前提到的,上传到 SSOCircle 的同一个 SP 可以正常工作。相反,在 ADFS 中,我遇到了签名问题。

ADFS 需要 sha256,实际上我也尝试使用 CustomSAMLBootstrap 设置算法来实现 SAMLBootstrap,但仍然没有运气。我真的被卡住了,一无所知,请帮忙!

【问题讨论】:

    标签: java spring spring-security saml spring-saml


    【解决方案1】:

    ADFS 需要 sha256

    我有一个 Spring SAML 实现,该实现当前与 3 个 ADFS 实例集成,并且每个依赖方信任都设置为使用 SHA-1 而不是 SHA-256。使用 SHA-256 是您的要求吗?

    请注意我没有修改 samlKeystore.jks

    您的 ADFS 实例是否使用自签名证书?如果是这样,您需要将公共 .cer 文件导入您的 JKS 以使 SAML 工作。我发现this 视频对于学习如何在 Windows 中导航 go get 和导入证书非常有帮助。

    此外,如果您使用的是项目附带的 JKS,则您在 SAML 实施中使用的是自签名证书。您需要像这样导出证书:

    --export cert for import into adfs
    keytool -export -keystore samlKeystore.jks -alias youralias -file youralias.cer
    

    并将其导入 ADFS。

    【讨论】:

    • 你是对的,SHA-256 不是必需的,它是默认值。尽管我被要求留在 sha-256 上。另一个问题是最初不包含证书的 IPD xml。因此,当@blur0224 建议将证书导入我的密钥库时,这里的 OPS 团队为我提供了更好的包含证书的 xml,无需手动导入。所以现在凭证是有效的,但我对 sha-1 sha-256 有问题,但我猜这是另一个故事(“响应具有无效的状态代码”)
    猜你喜欢
    • 2018-09-09
    • 2014-09-07
    • 2014-12-28
    • 2021-12-18
    • 2014-12-20
    • 1970-01-01
    • 2019-05-20
    • 2012-08-17
    • 2020-02-14
    相关资源
    最近更新 更多