我與作爲IDP我們產生了服務提供商元數據從我們appliaction和進口ADFS元客戶的ADFS2.0我們的一個appliaction SSO內和集成Spring SAML推廣工作數據到我們的appliaction.When我選擇客戶IDP並點擊啓動單點登錄,並給予適當的客戶證書,我們看到了SAML響應如下:問題而與春SAML擴展集成ADFS
SAML響應。
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://sso.spire2grow.com:8443/<our application>/saml/SSO" ID="_d7fa7cb7-a858-4d4e-aa4c-bf7a5d11e485"
InResponseTo="a2icei36d347di68gi33534cc13fd1" IssueInstant="2014-09-30T14:17:21.819Z" Version="2.0"><Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Clients ADFS trust services URL></Issuer><samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode></samlp:Status></samlp:Response>
但我也看到下面的異常被拋出,因爲服務提供者無法驗證消息。
異常消息:
[351545]2014-09-30 19:47:21,714 DEBUG - SAML message intended destination endpoint matched recipient endpoint
[351545]2014-09-30 19:47:21,714 DEBUG - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
[351545]2014-09-30 19:47:21,715 DEBUG - Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
可以在任何一個請指出,如果我在這裏mising任何事情。
UPDATE:
看到提供了這個問題 答案後,我從ADFS看到下面的錯誤。
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
但看到這一點,我們做了依賴信任方的簽名算法更改爲RSA-SHA256,但仍然顯示了同樣的消息之後。
我們是否需要rsa-sha256的正版證書?自簽名證書是否正常工作?
任何想法,爲什麼彈簧安全SAML不能處理ADFS SHA-256的簽名? – samottenhoff 2015-08-24 17:35:59
默認情況下ADFS需要SHA-256,但默認情況下OpenSAML/Spring-Security-SAML使用SHA-1。你必須改變一個或另一個來使它們匹配。更好的選擇是使用SHA-256,所以你必須像這樣改變你的實現:http://stackoverflow.com/questions/25982093/setting-the-extendedmetadata-signingalgorithm-field/26004147#26004147 – 2015-12-23 12:29:13