SAML消息有錯誤的簽名

Question

我有一個運行在Windows Server 2012 r2上的流星應用程序，iis 8.5作爲我的應用程序的反向代理（也嘗試在ubuntu上使用nginx），我嘗試使用saml與ADFS 2.0進行身份驗證。

我不斷收到以下錯誤：

Event 303, AD FS 2.0 
The Federation Service encountered an error while processing the SAML authentication request. 

Additional Data 
Exception details: 
MicrosoftidentityModel.Protocols.XmISignature.SignatureVerificationFailedException: M5I50038: SAML Message has wrong signature. Issuer: 
at MicrosoftldentityServer.Protocols.Saml.Contract.SamIContractUtility,CreateSamIMessage(MSISSamlBindingMessage message) 
at Microsoft.IdentityServer.Service.Sam1Protocol.Sam1ProtocolService.CreateErrorMessage(CreateErrorMe.ssageRequest 
createErrorMessageRequest)r 
at Microsoft.IdentityServer.Service.Sam1Protocol.SarnIProtocolService.ProcessRequest(Message requestMessage) 
Log Name: 
AD FS 2.0/Admin 
Source: 
AD FS 2.0 
Logged: 
10/04/2016 09:0S:1 
Event ID: 
303 
Task Category: 
None 
Level: 
Error 
Keywords: 
AD F 
User: 
NETWORK SERVICE 
Computer: 

我試過到目前爲止根據https://social.technet.microsoft.com/Forums/en-US/4acc04b7-aac7-43e9-ba50-9570503045f9/msis0038-saml-message-has-wrong-signature?forum=windowsazureaditpro

不幸的是安裝kb2896713，沒有運氣。

有人有什麼想法嗎？問題的根源是什麼？

編輯

，這是開源的使用：Rocket.Chat https://github.com/RocketChat/Rocket.Chat/tree/develop/packages/meteor-accounts-saml

Answer 1

1. 我會建議使用此工具https://www.samltool.com/self_signed_certs.php
2. 您可以驗證您的請求生成證書，密鑰在這裏簽名https://www.samltool.com/validate_logout_req.php
3. 編碼/解碼url的工具http://meyerweb.com/eric/tools/dencoder/
4. 安裝SAML示蹤劑看到火狐SAML請求/響應https://addons.mozilla.org/ru/firefox/addon/saml-tracer/
5. 工具來解碼/編碼SAML消息https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php

SAML.prototype.requestToUrl =函數（請求，操作，回調）{

console.log("requestToUrl:"); 
request = request.replace(/(\r\n|\n|\r)/gm,""); 
console.log("Logout request:" + request); 

var self = this; 
var result; 
zlib.deflateRaw(request, function (err, buffer) { 
if (err) { 
    return callback(err); 
} 

var base64 = buffer.toString('base64'); 
var target = self.options.entryPoint; 

if (operation === 'logout') { 
    if (self.options.idpSLORedirectURL) { 
    target = self.options.idpSLORedirectURL; 
    } 
} 

if (target.indexOf('?') > 0) 
    target += '&'; 
else 
    target += '?'; 

var samlRequest = { 
    SAMLRequest: base64 
}; 

var relayState; 

// TBD. We should really include a proper RelayState here 
if (operation === 'logout') { 
    relayState = self.options.issuer; 
} else { 
    relayState = self.options.provider; 
} 

// URL Encode the bytes 
var encodedRequest = encodeURIComponent(base64); 
console.log("encodedRequest:"+encodedRequest); 
var encodedRelayState = encodeURIComponent(relayState); 
var finalSignatureValue = ""; 

var encodedSigAlg = encodeURIComponent("http://www.w3.org/2000/09/xmldsig#rsa-sha1"); 
var strSignature = "SAMLRequest=" + encodedRequest.replace(/(\r\n|\n|\r)/gm,""); 
strSignature += "&RelayState=" + encodedRelayState; 
strSignature += "&SigAlg=" + encodedSigAlg; 

var signer = crypto.createSign('RSA-SHA1'); 
signer.update(strSignature); 
var signature = signer.sign(self.options.privateKey, 'base64'); 
console.log("signature:" + signature); 

var b = new Buffer(signature); 
var s = b.toString('base64'); 
var encodedSignature = encodeURIComponent(signature); 
console.log("encodedSignature:" + encodedSignature); 

var finalSignatureValue = "&SigAlg=" + encodedSigAlg + "&Signature=" + encodedSignature; 

target += "SAMLRequest=" + encodedRequest.replace(/(\r\n|\n|\r)/gm,""); 
target +="&RelayState=" + encodedRelayState; 
target += finalSignatureValue; 


if (Meteor.settings.debug) { 
    console.log("requestToUrl: " + target); 
} 
if (operation === 'logout') { 
    // in case of logout we want to be redirected back to the Meteor app. 
    result = target; 
    return callback(null, target); 

} else { 
    callback(null, target); 
} 
}); 

}