【问题标题】:Spring Security SAML with PingIdentity/ PingFederation, InResponseToField of the Response doesn't correspond to sent message带有 PingIdentity/PingFederation 的 Spring Security SAML,响应的 InResponseToField 与发送的消息不对应
【发布时间】:2018-02-28 07:46:51
【问题描述】:

经过 1 周的 Spring Security SAML Sample App to Ping (PingIdentity) 集成工作,我几乎完成了......现在我有一个“响应的 InResponseToField 与发送的消息不对应”错误(如下)。这是请求和响应,您可以看到要匹配的 ID 和响应,不是吗?

Request *** 

2017-09-20 11:02:07 DEBUG PROTOCOL_MESSAGE:74 - 
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://hostwithapp:8443/app1/saml/SSO" Destination="https://hostwithping:9031/idp/SSO.saml2" ForceAuthn="false" ID="a1je2ba47j27cdid2h74507gii19bgj" IsPassive="false" IssueInstant="2017-09-20T09:02:07.956Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#a1je2ba47j27cdid2h74507gii19bgj">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>rnJ2+WxLofXdY71JMpCyzvxjeI8=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>EHlnvY+rGsrq/KjFo7nhAjkirmy+HXpfPLSBr+FuCCm85fr3Z+yJupvYJlMXtwl/PM6NN3kXEecGA1oanUjnshb5o85QNY1v/PucZccGUr+kxWRc2F3YnDOazAjt8WXV5R1QJIPlf8Hank/7nqgylt35cftWitmcFuth0SSaT9N/gWXj7FvhwvEyO38Hh5W9OEQrZlPBimI6g2LdhM8IjuzXQYdmP5rADu0WQbIx48oRnVMKpaiG/7D7GxVDtT+5F/0Jr/cDo/slhAv3LjhGbuqoX0tUIngdUM+egODW6KnHHj9GAYdTM7XGBlLuIgGPeOQUpbPrf0WtzswzHVqXpw==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIIDQDCCAiigAwIBAgIGAVzUOBXsMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNVBAYTAkFUMSgwJgYD
VQQKEx9ldzd1aXB3bTA3LmludGVncmF0aW9uLnVuaXFhLmF0MSgwJgYDVQQDEx9ldzd1aXB3bTA3
LmludGVncmF0aW9uLnVuaXFhLmF0MB4XDTE3MDYyMzA5MTEwNFoXDTE4MDYyMzA5MTEwNFowYTEL
MAkGA1UEBhMCQVQxKDAmBgNVBAoTH2V3N3VpcHdtMDcuaW50ZWdyYXRpb24udW5pcWEuYXQxKDAm
BgNVBAMTH2V3N3VpcHdtMDcuaW50ZWdyYXRpb24udW5pcWEuYXQwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCdJmnFfxRHfQvhT1nHRnR2E9k6BUOCChFh0LbtCqOW4DNgpCJMA61RhoAp
4Ao5uWBkOUkf15NCM2sYmrEZtV4AM5X4XBmwkvukwdoTDXPrL7HHpJi96L8+NUeKtw3Hq36x8mF/
jUvzuCzDOmwz0EhUgkSGy8GeKHY74NuhivXnPNo+EiD15oH+m/BotSQnTd6yUd++ZstNqjcyH0kV
VECm0HmxMDQ1P+lGJnGRmzgu0uvYPriv5weP2zF3QxFbR+vs/CtJQtPNbcvOxtFVR+x8qKR/Bc2L
KszFpGJM7rv6LeMusZAVk3m4W5ONrKeplCvPtuhp0iBd0snz6hVzH0/7AgMBAAEwDQYJKoZIhvcN
AQELBQADggEBAHOZdhv8DybvI14C0cwyxH2Eq9z+aeoa7LzZF/wclh5jgZUuWIcCMTEuEMzPc1rD
Ga10Ex3Z8t8qrhAcs7u8OytiLpvZi1+csQFb7O7fRP8xmrkGAytRNNppYtAzue9hnR1W8UkJLzFT
d+iYZ6rE6MwoF6ASR83T8Mk9/EeWh/llDZOJPIH8qR391PaEphDiLCMxPenMce8IKTkFx+ytSbx/
6T2Gjyx9NStV66dgs/h7v0qPr5EKdE+vBMrpnqdi1+4B5HYzk9eT5WI1aZZOd5BRi2clLi8l/d5z
S0elU8bWfMjpk01XbgAFYIizYRpjMZ01X40zGpBNW6rEwq9kMuY=</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
</saml2p:AuthnRequest>



Response ***
2017-09-20 11:02:09 DEBUG BaseSAML2MessageDecoder:115 - Extracting ID, issuer and issue instant from status response
2017-09-20 11:02:09 INFO  stdout:71 - 2017-09-20 11:02:09 DEBUG PROTOCOL_MESSAGE:113 - 
2017-09-20 11:02:09 INFO  stdout:71 - <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="vr.9BGHJqgMjrb_LZuq261qE9M8" InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" IssueInstant="2017-09-20T09:02:01.717Z" Version="2.0">
2017-09-20 11:02:09 INFO  stdout:71 -    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml:Issuer>
2017-09-20 11:02:09 INFO  stdout:71 -    <samlp:Status>
2017-09-20 11:02:09 INFO  stdout:71 -       <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
2017-09-20 11:02:09 INFO  stdout:71 -    </samlp:Status>
2017-09-20 11:02:09 INFO  stdout:71 -    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="mbPkcKjMO1j2AuxzPEbK-5DY73T" IssueInstant="2017-09-20T09:02:01.748Z" Version="2.0">
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:Issuer>app1</saml:Issuer>
2017-09-20 11:02:09 INFO  stdout:71 -       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
2017-09-20 11:02:09 INFO  stdout:71 - <ds:SignedInfo>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Reference URI="#mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Transforms>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:Transforms>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:DigestValue>EBqN6ZmIBFy69PsA3vxAMhvKPdSLiwUykRPlMnsxrnU=</ds:DigestValue>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:Reference>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:SignedInfo>
2017-09-20 11:02:09 INFO  stdout:71 - <ds:SignatureValue>
2017-09-20 11:02:09 INFO  stdout:71 - lEDbj7QYOpoAF6Zf6g7mD1J1i01iGHJZiSeZ5EmAvH+yyylrtZDzwvpikrXTiBrTjoJzYm0a6qSC
2017-09-20 11:02:09 INFO  stdout:71 - SupHKG5gviH3HA2Ghcmz/pneF6lqtcIW1WpznyBPYzNsRZreDT4ZCkJBNmh1vRS8VNkgPtXHYIp6
2017-09-20 11:02:09 INFO  stdout:71 - SaDvvUOnIjBRaDcbsaIzsCetek+0uDI456I3z+FfT9lIXMEqbfkeUxXSdwqK3BPA4a1GkUCYNG7K
2017-09-20 11:02:09 INFO  stdout:71 - ens068ul0GxbXNFYgdLN/NOG3m+rCIJaVzhgbBNGHtMxVTxnyPyvz6exAUYHJAGv5aYCDVYfFber
2017-09-20 11:02:09 INFO  stdout:71 - YXKG5dZldhUO2yoxOVCaPgCd7MZjAwA0uN3U3g==
2017-09-20 11:02:09 INFO  stdout:71 - </ds:SignatureValue>
2017-09-20 11:02:09 INFO  stdout:71 - </ds:Signature>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:Subject>
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">userid</saml:NameID>
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:SubjectConfirmationData InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" NotOnOrAfter="2017-09-20T09:52:01.748Z" Recipient="https://hostwithapp:8443/app1/saml/SSO"/>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:SubjectConfirmation>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:Subject>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:Conditions NotBefore="2017-09-20T08:12:01.748Z" NotOnOrAfter="2017-09-20T09:52:01.748Z">
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:AudienceRestriction>
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:Audience>app1</saml:Audience>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:AudienceRestriction>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:Conditions>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:AuthnStatement AuthnInstant="2017-09-20T09:02:01.748Z" SessionIndex="mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:AuthnContext>
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:AuthnContext>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:AuthnStatement>
2017-09-20 11:02:09 INFO  stdout:71 -       <saml:AttributeStatement>
2017-09-20 11:02:09 INFO  stdout:71 -          <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">APP-ESB-UIP-ADMIN</saml:AttributeValue>
..
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=APP-BM,C</saml:AttributeValue>
2017-09-20 11:02:09 INFO  stdout:71 -             <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">all-authenticated</saml:AttributeValue>
2017-09-20 11:02:09 INFO  stdout:71 -          </saml:Attribute>
2017-09-20 11:02:09 INFO  stdout:71 -       </saml:AttributeStatement>
2017-09-20 11:02:09 INFO  stdout:71 -    </saml:Assertion>
2017-09-20 11:02:09 INFO  stdout:71 - </samlp:Response>

根据 Vladimir 的建议,我尝试将 ping 和 app1 放在单独的主机上。我尝试了 Spring Cookie 重命名注入。但这似乎并没有改变我的 HAR 文件中的任何 cookie 名称。我是这样做的,对吗?不知道应该如何初始化 sessionRepository....

<bean id="sessionRepository"             
      class="org.springframework.session.MapSessionRepository">

</bean>


<!-- avoid spring ping cookie conflict to run poc spring app and ping on same host -->

<bean id="sessionRepositoryFilter"             
      class="org.springframework.session.web.http.SessionRepositoryFilter">
  <constructor-arg ref="sessionRepository"/>
  <property name="httpSessionStrategy">
    <bean class="org.springframework.session.web.http.CookieHttpSessionStrategy">
      <property name="cookieName" value="myCookieName" />
    </bean>
  </property>
</bean> 

HAR 文件在这里:http://jmp.sh/nmJhefs

Cookies I see are ping1
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34tHdGUwOS50Ncl4r74qH4QM"

ping2:
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34"

Wildfly Web Session
"name": "JSESSIONID",
"value": "Z9HSNymqBc6SXLnn68CZcdT2",

【问题讨论】:

    标签: spring spring-security saml-2.0


    【解决方案1】:

    这个问题通常是由于请求生成时存储的 JSESSIONID cookie 与接收响应时发现的 JSESSIONID 不同造成的。原因是使用不同的主机名来发送请求和接收响应。

    Ping Identity 和您的应用程序都有可能部署在 localhost 上吗?如果不是,请确保您为初始化请求而打开的主机名(例如 http://localhost:8080/saml/login)与 PingIdentity 发送响应的主机名相同。

    同样错误的过去问题:

    【讨论】:

    • 全部在本地主机上(ping 服务器和 wildfly/eclipse 上的示例应用程序,jdk7)。在 idp.xml 和 sp.xml 以及所有 ping 配置(idp sp 连接和 sp idp 连接)中搜索“localhost”,只找到完全限定的主机名。所以我相信我不会混用 127.0.0.1、localhost 和/或 fq 主机名。也删除了所有的cookies并再次尝试,同样的错误。
    • 听起来像stackoverflow.com/questions/27778889/… - 确保您的“本地主机”应用程序不会覆盖彼此的 cookie。
    • spring security saml 1.0.2,WebSSOProfileConsumerImpl.java 的第 96 行,如果我调用 ((org.springframework.security.saml.storage.HttpSessionStorage) context.getMessageStorage()).getAllMessages()。 size(),我得到 0。所以不知何故,我在 HttpSessionStorage 中的缓存被刷新了,对吧?
    • 另一方面,如果我转到加载消息缓存的位置,WebSSOProfileImpl.java 第 109 行,我看到 ((org.springframework.security.saml.storage.HttpSessionStorage) context.getMessageStorage( )).getAllMessages().iterator().next() > (java.lang.String) a549ghi0dggb530827ccjg3bi9igg46 (java.lang.String) a549ghi0dggb530827ccjg3bi9igg46 (java.lang.String) a549ghi0dggb530827ccjg3bi9igg46 和(java.lang.String) a549ghi0dggb530827ccjg3bi9igg46
    • 所以假设您和其他人是正确的,cookie 被覆盖或 URL 与 SAML 流错误关联,我在哪里可以在 spring security saml2 代码库中调试它? ...仅供参考,我在上面添加了一个链接到我的 HAR 文件(来自 chrome),并配置了 securityContext.xml Spring 会话拦截器...
    猜你喜欢
    • 2018-02-26
    • 2019-11-25
    • 2017-12-25
    • 2022-08-19
    • 2018-07-23
    • 2019-01-16
    • 2015-01-03
    • 2017-11-17
    • 2015-03-13
    相关资源
    最近更新 更多