我与作为IDP我们产生了服务提供商元数据从我们appliaction和进口ADFS元客户的ADFS2.0我们的一个appliaction SSO内和集成Spring SAML推广工作数据到我们的appliaction.When我选择客户IDP并点击启动单点登录,并给予适当的客户证书,我们看到了SAML响应如下:问题而与春SAML扩展集成ADFS
SAML响应。
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://sso.spire2grow.com:8443/<our application>/saml/SSO" ID="_d7fa7cb7-a858-4d4e-aa4c-bf7a5d11e485"
InResponseTo="a2icei36d347di68gi33534cc13fd1" IssueInstant="2014-09-30T14:17:21.819Z" Version="2.0"><Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Clients ADFS trust services URL></Issuer><samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode></samlp:Status></samlp:Response>
但我也看到下面的异常被抛出,因为服务提供者无法验证消息。
异常消息:
[351545]2014-09-30 19:47:21,714 DEBUG - SAML message intended destination endpoint matched recipient endpoint
[351545]2014-09-30 19:47:21,714 DEBUG - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
[351545]2014-09-30 19:47:21,715 DEBUG - Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
可以在任何一个请指出,如果我在这里mising任何事情。
UPDATE:
看到提供了这个问题 答案后,我从ADFS看到下面的错误。
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
但看到这一点,我们做了依赖信任方的签名算法更改为RSA-SHA256,但仍然显示了同样的消息之后。
我们是否需要rsa-sha256的正版证书?自签名证书是否正常工作?
任何想法,为什么弹簧安全SAML不能处理ADFS SHA-256的签名? – samottenhoff 2015-08-24 17:35:59
默认情况下ADFS需要SHA-256,但默认情况下OpenSAML/Spring-Security-SAML使用SHA-1。你必须改变一个或另一个来使它们匹配。更好的选择是使用SHA-256,所以你必须像这样改变你的实现:http://stackoverflow.com/questions/25982093/setting-the-extendedmetadata-signingalgorithm-field/26004147#26004147 – 2015-12-23 12:29:13