ADFS 2 SAML Assertion Not Canonicalized?


Problem description


Hi, all

We are testing using ADFS as IDP and Java OpenSaml as SP.  However, the validation of the SAML assertion from ADFS keeps failing.  I have tracked it down to the canonicalization issue of the ADFS assertions:

Here is what’s from ADFS:

<saml:Assertion Version="2.0" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" IssueInstant="2014-09-17T14:58:33.642Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

Here is what’s Java canonicalized:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" IssueInstant="2014-09-17T14:58:33.642Z" Version="2.0">

Based on http://www.ibm.com/developerworks/library/x-c14n/, the Java one seems to be the correct one.

So, the question is: does anybody know why the ADFS server is not following the SAML standard? It already states it's using the Canonicalization Method like below:

     <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

Does anybody know if there is any configuration to fix the ADFS canonicalization?

Thanks a lot in advance.

- Hao

Solution

Is this the same question as: http://social.msdn.microsoft.com/Forums/vstudio/en-US/dd6a1016-8197-4bfb-9c30-a49d4422fff5/adfs3-shibboleth-msis0038-saml-message-has-wrong-signature?forum=Geneva

Then about canonicalization. The Java sample looks correct to me (ignoring possible effects from the surrounding request elements). The ADFS sample is just not a canonical message (it looks 100% reversed :-) ). You may however see it in transit that way.

Are you suggesting that <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> is not standard?
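
The point made in the answer above, that the form seen in transit need not be canonical because the verifier canonicalizes before hashing, as an added example that is not part of the original thread. Assumptions: the two opening tags from the question are closed so they parse, SHA-256 stands in for whatever DigestMethod the assertion declares, and Python's standard-library C14N 2.0 stands in for exclusive C14N (for this element both emit the namespace declaration first and then the attributes in sorted order).

```python
import base64
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed samples: the two opening tags quoted in the question,
# closed here so each one parses as a complete document.
AS_SENT_BY_ADFS = (
    '<saml:Assertion Version="2.0" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" '
    'IssueInstant="2014-09-17T14:58:33.642Z" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Assertion>'
)
AS_CANONICALIZED_BY_JAVA = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" '
    'IssueInstant="2014-09-17T14:58:33.642Z" Version="2.0"></saml:Assertion>'
)


def canonical_bytes(xml_text):
    """Canonical octets of the document (stdlib C14N 2.0, a stand-in for exc-c14n)."""
    return canonicalize(xml_text).encode("utf-8")


def digest_b64(octets):
    """Base64 SHA-256 of the octets (assumed digest algorithm)."""
    return base64.b64encode(hashlib.sha256(octets).digest()).decode("ascii")


def compare(sent, expected):
    """Contrast a raw byte comparison with a comparison of canonical forms."""
    return {
        # Hashing the wire bytes directly: attribute order changes the digest.
        "raw_digests_match": digest_b64(sent.encode("utf-8"))
        == digest_b64(expected.encode("utf-8")),
        # Hashing after canonicalization: the order on the wire is irrelevant.
        "canonical_digests_match": digest_b64(canonical_bytes(sent))
        == digest_b64(canonical_bytes(expected)),
    }


if __name__ == "__main__":
    print(canonicalize(AS_SENT_BY_ADFS))
    print(compare(AS_SENT_BY_ADFS, AS_CANONICALIZED_BY_JAVA))
```

If the canonical digests match, a validation failure on the SP side has another cause than attribute order on the wire.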

