【问题标题】:Facing issue while importing SAML SSO IDP metadata in SP (service provider)在 SP(服务提供商)中导入 SAML SSO IDP 元数据时面临问题
【发布时间】:2017-03-25 10:58:57
【问题描述】:

我正在使用 Spring SAML 扩展来连接 ping 联合 IDP 服务器。我导出了 ping federate IDP 元数据 xml 并将其放入我们的应用程序(并在 securityContext.xml 文件中引用相同的文件)。现在,当我尝试启动我的应用程序时,spring saml 会抛出以下异常:

Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from C:\Drive E\workspace\enigma_master\etc\saml\idp.xml
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:399)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNewMetadata(AbstractReloadingMetadataProvider.java:355)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:261)
... 100 more
Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityDescriptor(SignatureValidationFilter.java:178)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:156)
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:493)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:395)
... 102 more

我在我的 samlkeystore 文件中导入了证书(标签 <ds:X509Certificate> 下的证书),但仍然是同样的问题。我用谷歌搜索了错误并按照建议:

  • 我试图从 idp xml 文件中删除 <ds:Signature> 标记。
  • 通过在 ExtendedMetadataDelegate bean 中将属性 metadataTrustCheck 设置为 false 来禁用签名验证

以上方法对我有用。但我不想从 IDP xml 文件中修改/删除标签,它应该按原样工作。请让我知道我做错了什么? 另外我想知道元数据xml中<ds:Signature>标签的用途以及为什么即使在samlKeystore文件中导入证书后它也不起作用。 <ds:SignedInfo>,<ds:CanonicalizationMethod>,<ds:SignatureMethod>,<ds:Reference>,<ds:Transform>,<ds:DigestMethod>,<ds:DigestValue>,<ds:SignatureValue>等每个子标签的含义是什么。

示例 IDP 元数据 xml 文件

<md:EntityDescriptor ID="jsR9U9qdN-Tjy-hyM5k.nrQmQxF" cacheDuration="PT1440M" entityID="adeptia" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#jsR9U9qdN-Tjy-hyM5k.nrQmQxF">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>slepuncWspzM7KpqKkvsk0SVL8k5yse7FmATDYZhgqE=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>oSkTcfU4DUYPXwtgnN8bjAOnkqgFCojef087d0F4ra1nsrWBOQVC1xesSambwAdOiCtnnhxQqp4b2LeUSazdb0bI5A0U65Wc2MeoyfC/5nAfiso3DCNBaz4vRrlkvzm7MlHyvDzTO0T/+lSVhfIVWbEZ58iXjUdyPgbCBSlY6+GLOW3UfdYV73ewNEyWuaAjJrC4qNgTrTZwBiVD2WNM4qWgRkBxzJz+cgZLbvu/5XRfnNgeYT6OEAR2322okH01GtuuPYB7jgwM2TXJhH6eVR6FapCtJ5aUwUywCdg3YyvzzEqHWW8fDnTLNEbZbokpqbtTwvncMaOb1hhVfZr1pQ==</ds:SignatureValue>
</ds:Signature><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDNDCCAhygAwIBAgIGAVgFivO1MA0GCSqGSIb3DQEBCwUAMFsxCzAJBgNVBAYTAklOMQswCQYDVQQIEwJVUDEOMAwGA1UEBxMFTm9pZGExDTALBgNVBAoTBFBpbmcxDTALBgNVBAsTBFBpbmcxETAPBgNVBAMTCFBpbmdDZXJ0MB4XDTE2MTAyNzA5NDkwMloXDTE3MTAyNzA5NDkwMlowWzELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAlVQMQ4wDAYDVQQHEwVOb2lkYTENMAsGA1UEChMEUGluZzENMAsGA1UECxMEUGluZzERMA8GA1UEAxMIUGluZ0NlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW1OC4pSwb11rUhA8JoZtkqXebWWaw9lZgXQmqFlIpMSbmeTNayQ+cAAtO+4QNLbtmZta1wEs+XJ4ho3Yy7EoaE+ebmiGnwBtqzq9ZHYqqT9RJ8kOaqZpYo/uXAtVPHE4/kH8xLY+lToF+EL4QG1gbi3CO/yTWMPnkGZOJDpcFvTRFWXCmLqgxvjrpt82bG58CUHiwx26vJO7q8OiMqiVIzzzrVqTR0XmyKtiV+5AfK5Qdl7Z9o8zMKl8O4+d/lWfhV21bcU/aj4Wcr3Os3SQm37OP9T4qhSFOWhGe+JOmW+dDUAFg/EeU0yOUF7/xaOk3D2No+SsrJiPogdVCGO2lAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAICZDjz9Hfccvqdo7LopyG+0bKor+Ybh60bzcTPblXSv5v7Zy4JRfQF/k0CbmV7bBTvZ+kgDWXZP4YakfIWivSEDnT+xnVkF+sRlOtLmwmJ3UDRVqRhR8V3aq7YkH4ltzG7B3oS05wpTrYHnb4xgOHx+isX4YzHVP+gHblU36Fo32vhLNoVi1G+7nlZY3iuug6Y9NU7HnppS8vMcRJn8dOvEykmPu/jiq72gcZIhnaszXIx7mJAy9qsg1iNuwSwjVhCRuP+o7xyUpaamlMxRRP2h3LpWGveXcidBe40uI6uFxE+ggE09F29GRCb7X9pPub+C+cnxg/rIKmrqxe/j1wU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService index="0" Location="https://localhost:9031/idp/ARS.ssaml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9031/idp/SSO.saml2"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9031/idp/SSO.saml2"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:9031/idp/SSO.saml2"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:9031/idp/SSO.saml2"/><saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></md:IDPSSODescriptor><md:ContactPerson contactType="administrative"/></md:EntityDescriptor>

【问题讨论】:

  • 我也面临这个问题..你解决了这个问题吗?

标签: java spring-saml


【解决方案1】:

这个问题通常是由于缺少安装Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8引起的

还要仔细检查证书是否确实正确导入到samlKeystore.jks

【讨论】:

    【解决方案2】:

    我发布此内容以防万一。

    我也遇到了这个问题,我已经添加了 IDP 的元数据文件并将他们的证书导入到我的应用程序密钥库中。但仍然存在签名信任验证问题。我确实在 Intellij 中格式化了 IDP 中的 metadata.xml,这确实搞砸了。一旦我将他们的元数据文件原封不动地导入后,一切正常。

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 2017-02-06
      • 2016-12-14
      • 1970-01-01
      • 1970-01-01
      • 2023-04-08
      • 2018-07-29
      • 1970-01-01
      相关资源
      最近更新 更多