【Posted at】:2021-03-04 01:58:51
【Problem description】:
I set up a Shibboleth IdP and I am testing it against samltest.id.
If I do not enable signature validation, everything works. If I uncomment the relevant lines in metadata-providers.xml, the IdP will not start. The message is:
ERROR [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:537] - Metadata Resolver FileBackedHTTPMetadataResolver SAMLtest: Error filtering metadata from https://samltest.id/saml/sp org.opensaml.saml.metadata.resolver.filter.FilterException: Metadata root element was not signed, signature required.
My metadata_provider.xml looks like this:
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:resource="urn:mace:shibboleth:2.0:resource"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">

    <MetadataProvider id="SAMLtest"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/SAMLtest.xml"
                      metadataURL="https://samltest.id/saml/sp">
        <!-- You should always check the signature and freshness of remote
             metadata. It's commented out until you get the basics working. -->
        <MetadataFilter xsi:type="SignatureValidation"
                        certificateFile="%{idp.home}/credentials/signet.crt" />
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
    </MetadataProvider>

</MetadataProvider>
I am using the latest version of Shibboleth 3.
I suspect it is something trivial, but I cannot figure it out. Is it that samltest.id does not sign their metadata, so SignatureValidation cannot be enabled? Then why would they write that it should be enabled?
【Question discussion】:
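The FilterException quoted above is raised when the SignatureValidation filter finds no ds:Signature element directly under the metadata root (EntityDescriptor or EntitiesDescriptor); a signature buried on a nested entity does not satisfy it, and the RequiredValidUntil filter separately demands a validUntil attribute on the root. The following script is an added example, not code from the question, from Shibboleth or from samltest.id: it reproduces those two structural checks on a local copy of the metadata (for instance the backingFile) so one can see which case a fetched file falls into before restarting the IdP. It checks only presence, not cryptographic validity; the sample documents, entity IDs and signature contents are constructed placeholders.

```python
# Added example: inspect SAML metadata for the two preconditions the IdP
# filters in the question enforce, namely an enveloped ds:Signature directly
# under the root element (SignatureValidation) and a validUntil attribute on
# the root (RequiredValidUntil). Sample metadata below is constructed.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ROOT_TAGS = {f"{{{MD_NS}}}EntityDescriptor", f"{{{MD_NS}}}EntitiesDescriptor"}


def inspect_metadata(xml_bytes: bytes) -> dict:
    """Report what the filters look at: root kind, root-level signature, validUntil.

    Only the *presence* of a root-level signature is reported; verifying it
    against the certificate named in certificateFile is the IdP's job.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag not in ROOT_TAGS:
        raise ValueError(f"not SAML metadata, root element is {root.tag}")
    # A Signature nested inside a child EntityDescriptor does not count: the
    # filter checks the root element, which is exactly what the log message says.
    root_signed = any(child.tag == f"{{{DS_NS}}}Signature" for child in root)
    return {
        "root": root.tag.split("}", 1)[1],
        "root_signed": root_signed,
        "valid_until": root.get("validUntil"),
    }


def filters_would_accept(xml_bytes: bytes) -> tuple:
    """Mirror the pass/fail outcome of the two filters (structure only)."""
    info = inspect_metadata(xml_bytes)
    if not info["root_signed"]:
        # Same condition that produces the FilterException quoted in the question.
        return False, "Metadata root element was not signed, signature required."
    if info["valid_until"] is None:
        return False, "root has no validUntil attribute; RequiredValidUntil would reject it"
    return True, "ok"


# Constructed samples (not samltest.id's real metadata).
UNSIGNED = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/shibboleth" validUntil="2021-04-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

SIGNED = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/shibboleth" validUntil="2021-04-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Aggregate whose inner entity is signed but whose root is not: still rejected.
NESTED_ONLY = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2021-04-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://sp.example.test/shibboleth">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("unsigned", UNSIGNED), ("signed", SIGNED), ("nested-only", NESTED_ONLY)):
        print(name, filters_would_accept(doc))
```

To run it against a real file, replace the constructed samples with `open("SAMLtest.xml", "rb").read()`; a `True` result only means the filters' structural preconditions are met, and the IdP still has to verify the signature against signet.crt.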