ADFS 2 SAML Assertion Not Canonicalized?
Hi, all
We are testing using ADFS as IDP and Java OpenSaml as SP. However, the validation of the SAML assertion from ADFS keeps failing. I have tracked it down to the canonicalization issue of the ADFS assertions:
Here is what’s from ADFS:
<saml:Assertion Version="2.0" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" IssueInstant="2014-09-17T14:58:33.642Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
Here is what’s Java canonicalized:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" IssueInstant="2014-09-17T14:58:33.642Z" Version="2.0">
Based on http://www.ibm.com/developerworks/library/x-c14n/, the Java one seems to be the correct one.
So, the question is: does anybody know why the ADFS server is not following the SAML standard? It already states it's using the Canonicalization Method like below:
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
Does anybody know if there is any configuration to fix the ADFS canonicalization?
Thanks a lot in advance.
- Hao
Is this the same question as: http://social.msdn.microsoft.com/Forums/vstudio/en-US/dd6a1016-8197-4bfb-9c30-a49d4422fff5/adfs3-shibboleth-msis0038-saml-message-has-wrong-signature?forum=Geneva
Then about canonicalization. The Java sample looks correct to me (ignoring possible effects from the surrounding request elements). The ADFS sample is just not a canonical message (it looks 100% reversed :-) ). You may however see it in transit that way.
Are you suggesting that <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> is not standard?
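The point of the answer above, as an added example that is not part of the thread: the verifier derives the canonical form itself before hashing, so the attribute order ADFS puts on the wire and the order Java produces canonicalize to the same bytes. The script uses Python's standard-library C14N 2.0 writer rather than the exclusive C14N 1.0 algorithm named in the SignedInfo; for a fragment like this one (a single namespace declaration plus unqualified attributes) both produce the same serialization. SHA-256 is an assumed digest method, since the thread does not quote the DigestMethod.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed from the two Assertion start tags quoted in the question;
# both are self-closed here so they parse as complete elements.
ADFS_WIRE_FORM = (
    '<saml:Assertion Version="2.0" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" '
    'IssueInstant="2014-09-17T14:58:33.642Z" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>'
)
JAVA_CANONICAL_FORM = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" '
    'IssueInstant="2014-09-17T14:58:33.642Z" Version="2.0"/>'
)


def canonicalize(xml_text: str) -> str:
    """Canonical serialization the signature verifier actually hashes.

    Stdlib C14N 2.0, not exc-c14n 1.0: the same rules apply to this fragment
    (namespace declarations first, attributes sorted by name, empty element
    written as a start/end pair), so the result matches the Java output.
    """
    return ET.canonicalize(xml_data=xml_text)


def reference_digest(xml_text: str) -> str:
    """Base64 SHA-256 (assumed DigestMethod) over the canonical form."""
    data = canonicalize(xml_text).encode("utf-8")
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes as received: what a naive verifier would compute."""
    data = xml_text.encode("utf-8")
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


if __name__ == "__main__":
    print(canonicalize(ADFS_WIRE_FORM))
    print("canonical digests equal:",
          reference_digest(ADFS_WIRE_FORM) == reference_digest(JAVA_CANONICAL_FORM))
    print("raw digests equal:",
          raw_digest(ADFS_WIRE_FORM) == raw_digest(JAVA_CANONICAL_FORM))
```

A verifier that compares or hashes the wire bytes directly will reject the ADFS message even though its signature is fine; only the canonical digests are comparable.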