WS-Trust沒有使用PHP進行身份驗證

Question

它正在我的腦海中...... 我在這裏錯過了什麼...必須是有時間戳的東西，因爲當我玩那些我得到不同的錯誤時...

我有以下信封（這是供應商如何把它給我用） 但keepis給我

<s:Body> <s:Fault> <s:Code> <s:Value> s:Sender</s:Value> <s:Subcode> <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> a:InvalidSecurity</s:Value> </s:Subcode> </s:Code> <s:Reason> <s:Text xml:lang="en-US"> An error occurred when verifying security for the message.</s:Text> </s:Reason> </s:Fault> </s:Body> 

這是我的代碼：

$c = $this->getTimestamp(); 
    $e = $this->getTimestamp(300); 


$envelope = ' 
     <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
     <s:Header> 
      <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action> 
      <a:MessageID>urn:uuid:4137dbed-db9f-40d9-ba9c-6fc82eb8aa46</a:MessageID> 
      <a:ReplyTo> 
       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> 
      </a:ReplyTo> 
      <a:To s:mustUnderstand="1">https://sts.service.net/adfs/services/trust/13/usernamemixed</a:To> 
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
       <u:Timestamp u:Id="_0"> 
        <u:Created>'.$c.'</u:Created> 
        <u:Expires>'.$e.'</u:Expires> 
       </u:Timestamp> 
       <o:UsernameToken u:Id="uuid-4137dbed-db9f-40d9-ba9c-6fc82eb8aa46"> 
        <o:Username>'.$username.'</o:Username> 
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'.$password.'</o:Password> 
       </o:UsernameToken> 
      </o:Security> 
     </s:Header> 
     <s:Body> 
      <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> 
       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> 
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"> 
         <wsa:Address>'.$appliesTo.'</wsa:Address> 
        </wsa:EndpointReference> 
       </wsp:AppliesTo> 
       <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType> 
       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType> 
      </trust:RequestSecurityToken> 
     </s:Body> 
     </s:Envelope> 
     '; 


     $soap_do = curl_init(); 
     curl_setopt($soap_do, CURLOPT_URL,"https://sts.service.net/adfs/services/trust/13/usernamemixed"); 
     curl_setopt($soap_do, CURLOPT_FOLLOWLOCATION, 1); 
     curl_setopt($soap_do, CURLOPT_HEADER, 0); 
     curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, 1); 
     curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 20); 
     curl_setopt($soap_do, CURLOPT_TIMEOUT,  20); 
     curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, 0); 
     curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 0); 
     curl_setopt($soap_do, CURLOPT_POST,   true);    
     curl_setopt($soap_do, CURLOPT_POSTFIELDS,  $envelope); 
     curl_setopt($soap_do, CURLOPT_HTTPHEADER,  array('Content-Type: application/soap+xml; charset=utf-8')); 

     $this->payload = curl_exec($soap_do); 

Answer 1

您正在將當前時間戳放入Created元素和Expires元素中。這意味着當接收器收到RST時，該消息已經過期，並且接收器將被迫拒絕它。使用例如：

gmdate("Y-m-d\TH:i:s\Z", time() + 300); 

爲Expires元件。

同時檢查時鐘漂移：客戶端和服務器上的時間應該同步。

最後但並非最不重要：默認情況下，ADFS 2.0將嘗試加密響應中的令牌，因此它需要爲依賴方配置加密證書。確保您已爲與appliesTo關聯的實體配置了一個。 ADFS錯誤日誌應該爲您提供有關該錯誤的提示。

Answer 2

我做了以下來解決這個問題。 我已經改變了CURRENT_TIME - 200秒， CURRENT_TIME +3600秒

它的工作原理