【Posted】: 2021-11-03 17:58:25
【Problem description】:
This is my service provider metadata:
<?xml version="1.0"?>
<md:EntityDescriptor entityID="https://localhost:5200" validUntil="2022-08-30T19:10:29Z"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- insert ds:Signature element (omitted) -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIID2TCCAsGgAwIBAgIUIAXntTTcs4IGVz8v8KpHAz46QfMwDQYJKoZIhvcNAQEL
BQAwfDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQHDAtZb3JiYSBM
aW5kYTEWMBQGA1UECgwNTWluZExvZ2ljIElOQzEYMBYGA1UECwwPKi5taW5kbG9n
aWMuYXBwMRgwFgYDVQQDDA8qLm1pbmRsb2dpYy5hcHAwHhcNMjEwODE3MTEyMDEw
bvDj7E3wzI80gp7uU3KqU3UNswzsgcwSkwRTGS9sKkNnS62efQXKHRtR7fBwbOqU
Y9bSXiTiSbd9zOvdVd+gGAqOqOB1o+jB55AvjtkzXhaoyBaQM1vStP7OCw0yFhNf
fOKTM7EdAzTXoV4hJtUo0CMcUTFMP8PBnMHWQ5A6jZ8iBCXStcQ5Y71YhPUxa6dh
I7rPk/j8+/qKbKyAhOSRvCiQY5xbAY12rW07WJ1JcWk7jvT7Kx4pll5Mh1G3lOcC
AwEAAaNTMFEwHQYDVR0OBBYEFN2ugfhPaQ2Gyj/5aedoNN1eriDDMB8GA1UdIwQY
MBaAFN2ugfhPaQ2Gyj/5aedoNN1eriDDMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAAqn3aU/U7PA59yjHLjFb8LzMMoAS+b9Fu0d9JNym9K1ugzf
dq/SgBS7MVrhz2bE/n3VQfnv+tjSLqQNwhyHmFy36Z43Q/BYrbofL6RSSrnozFz6
uUYkuFFeCd857OyKOxKv33wD6EE6rNZqI7wEmKov2U7RNToxHD5NmeH0lTBHmBTH
UWp/yLQkTlMZYUDfOCBxlF2+bGS1hzdXPOELN3RZNRk9M61NHyISfE7VpqIlI1Ro
x4DUK89TKDG/mLl985h+sTuPMmIMpl1ozXrJWhKucoqjSfMTh/MLQTQS1lHmeAFH
npro/M9yy1Uwrz4K93nju5kNLLZL7NRzddjHOYs=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:5200/map"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="en">Example.com Employee Portal</md:ServiceName>
<md:RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
<md:RequestedAttribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Localtest.com Inc.</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">Localtest.com</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">https://localhost:5200/</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
This is my SERVICE PROVIDER-initiated request:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="id-16f33a7e-4381-4d40-9fdd-1949dd679e86"
    Version="2.0"
    IssueInstant="2021-09-09T07:58:45Z"
    Destination="https://saml.mlads.mindlogic.app/adfs/ls/"
    Consent="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:5200</Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  <samlp:RequestedAuthnContext>
    <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</samlp:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
I deflate it and base64-encode it, but my ADFS server throws an error.
Compressed data:
nZJtS8MwEMe/Ssj7NunWPTR0g7EhDFTGFF/4LiSpC+Sh5lKc39600zGQDRECgf/l/ve7u9TArWnZqosHt1fvnYKIjtY4YENggbvgmOeggTluFbAo2NPq4Z6Ncsra4KMX3mC03SywllkxbcZjPlNZOZ4XWSlLmlWNTHpVVlJOZ5WaTzF6UQG0dwucPFIqQKe2DiJ3MUl0VGS0SueZzthkzsrJK8Jok7i043FIO8TYAiOkJ8yt4RJyq500/k2LnLct4bIBYoBgtPYOVO97rY0iLwYlwTc+WB6ZslyblZRBAeAlqge+cBrK7XFwABV6RLz8QTRecHPwENlkRGlNTmbJ9TT2x+Sx3ey80eIT3Q31/41Kzq7fe1Ry2GoaQVTHeI5eimuTmPeq+fvKL3q8+Uww0XsneZeuDx9kTa7XT3DkNjv5/U+XXW==
Error details: Found invalid data while decoding.
ADFS error log:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
System.IO.InvalidDataException: Found invalid data while decoding.
at System.IO.Compression.Inflater.DecodeDynamicBlockHeader()
at System.IO.Compression.Inflater.Decode()
at System.IO.Compression.Inflater.Inflate(Byte[] bytes, Int32 offset, Int32 length)
at System.IO.Compression.DeflateStream.Read(Byte[] array, Int32 offset, Int32 count)
at Microsoft.IdentityModel.Web.DeflateCookieTransform.Decode(Byte[] encoded)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.DecodeMessageInternal(String message)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
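The stack trace above fails inside DeflateStream.Read, i.e. after the query string has been parsed and the base64 text decoded, but before any XML is looked at. Schema validity of the metadata or the AuthnRequest therefore cannot be the cause; the bytes that reach the inflater are already wrong. The HTTP-Redirect binding has three encoding steps (raw DEFLATE, base64, percent-encoding of the query value) and the two usual ways to get "Found invalid data while decoding" are skipping the third step (a literal "+" in the base64 text becomes a space in the query string, and .NET's lenient base64 decoder silently drops it, shifting the whole bit stream) or using zlib framing instead of raw DEFLATE. The following Python is an added example, not code from the post or from ADFS; the AuthnRequest in it is a constructed, trimmed copy of the one in the question, the IdP URL mirrors the request's Destination, and the receiver is a model of what the stack trace shows rather than Microsoft's implementation:

```python
import base64
import binascii
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed sample request. Issuer and Destination mirror the values in the
# post; the rest is trimmed so the example stays short.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="id-16f33a7e-4381-4d40-9fdd-1949dd679e86" Version="2.0" '
    'IssueInstant="2021-09-09T07:58:45Z" '
    'Destination="https://saml.mlads.mindlogic.app/adfs/ls/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://localhost:5200</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>'
    '</samlp:AuthnRequest>'
)
IDP_SSO_URL = "https://saml.mlads.mindlogic.app/adfs/ls/"  # the post's Destination


def deflate_base64(xml: str) -> str:
    """Steps 1 and 2 of the HTTP-Redirect binding: raw DEFLATE (RFC 1951,
    no zlib header, no Adler-32 trailer), then standard base64."""
    comp = zlib.compressobj(level=9, wbits=-15)  # negative wbits => raw deflate
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def build_redirect_url(xml: str, relay_state: Optional[str] = None) -> str:
    """Step 3: percent-encode the value. The base64 alphabet contains '+',
    which a query-string parser turns into a space unless it is sent as %2B."""
    params = {"SAMLRequest": deflate_base64(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def decode_redirect_binding(query: str) -> str:
    """IdP side, following the order in the ADFS stack trace: parse the query
    string, base64-decode leniently (non-alphabet characters such as spaces
    are dropped, as Convert.FromBase64String does), then raw-inflate."""
    b64 = parse_qs(query, keep_blank_values=True)["SAMLRequest"][0]
    raw = base64.b64decode(b64)  # validate=False: lenient, like .NET
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def roundtrip_ok(url: str, expected_xml: str) -> bool:
    """True only if the IdP-side decode succeeds and yields the original XML."""
    query = url.split("?", 1)[1]
    try:
        return decode_redirect_binding(query) == expected_xml
    except (KeyError, binascii.Error, zlib.error, UnicodeDecodeError):
        return False


def url_without_urlencoding(xml: str) -> str:
    """Mistake 1: the base64 text is appended to the URL as-is."""
    return f"{IDP_SSO_URL}?SAMLRequest={deflate_base64(xml)}"


def url_with_zlib_header(xml: str) -> str:
    """Mistake 2: zlib.compress() (RFC 1950 framing) instead of raw DEFLATE.
    The inflater reads the 0x78 header byte as a block header and fails."""
    b64 = base64.b64encode(zlib.compress(xml.encode("utf-8"))).decode("ascii")
    return f"{IDP_SSO_URL}?{urlencode({'SAMLRequest': b64})}"


def request_whose_base64_contains_plus(xml: str) -> str:
    """Vary the request ID until the base64 output contains a '+'. Roughly one
    base64 character in 64 is a '+', so a request of this size almost always
    has one; the loop only makes the demonstration deterministic."""
    for i in range(10000):
        candidate = xml.replace('ID="id-', f'ID="id-{i:04d}-', 1)
        if "+" in deflate_base64(candidate):
            return candidate
    raise RuntimeError("no '+' produced")  # practically unreachable


if __name__ == "__main__":
    xml = request_whose_base64_contains_plus(AUTHN_REQUEST)
    print("correct binding      :", roundtrip_ok(build_redirect_url(xml), xml))
    print("missing URL-encoding :", roundtrip_ok(url_without_urlencoding(xml), xml))
    print("zlib-wrapped deflate :", roundtrip_ok(url_with_zlib_header(xml), xml))
```

A quick check against the data in the post: the compressed string shown there contains both "+" and "/" characters, so if it was placed in the query string without percent-encoding, every "+" arrived at ADFS as a space. The same rule applies to the Signature and SigAlg parameters when the request is signed: sign the percent-encoded query string exactly as it will be sent.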
【Discussion】:
- Is it right in the service provider metadata? @AkshayGaonkar
- Both the service provider metadata and the service provider-initiated request are invalid. Validate the metadata with Validate XML with the XSD schema. Validate the service provider-initiated request with Validate SAML AuthN Request.
- I have validated the metadata and the AuthnRequest, but I am still facing the same issue @AkshayGaonkar
- The XML as now edited in the post is valid. Can you provide more information about the error details?
- @AkshayGaonkar I added the additional logs from ADFS