响应没有任何可以通过主题验证的有效断言 [英] Response doesn't have any valid assertion which would pass subject validation
问题描述
我对 SAML 和 ADFS 完全陌生.我试着用谷歌搜索我的错误,但遗憾的是没有得到任何点击.我一直在尝试设置 Spring SAML 和 ADFS,以便我可以按照 本指南 看起来我已经接近尾声了,但我遇到了以下错误:响应没有'没有任何可以通过主题验证的有效断言
I am completely new to SAML, and ADFS. I tried googling my error, but sadly did not get any hits. I have been trying to set up Spring SAML and ADFS so I can get single sign-on working, by following this guide It seems like I am close to the end but I am met by the following error: Response doesn't have any valid assertion which would pass subject validation
跟踪跟踪:
[#|2015-10-29T08:03:43.334+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1689;_ThreadName=Thread-2;|- AuthNResponse;FAILURE;fe80:0:0:0:e1fd:739e:9d4e:8883%14;https://nkr-beh1:18181/saml/saml/metadata;http://NKR-AD.adm.kulturrad.no/adfs/services/trust;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:217)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:745)
我检查了代码,它应该从响应 (ADFS) 中获取断言,如果它为空,则会抛出错误.我想这意味着我的 ADFS 缺少某些东西,还是我误解了断言是什么?
I checked out the code, and it is supposed to get the assertion from the response (ADFS) and if this is null it throws out the errors. I guess that means my ADFS is missing something, or am I misunderstanding what Assertions are?
推荐答案
首先,您应该进行 Fiddler 跟踪并查看 AD FS 是否成功发布了令牌.或者,您可以在 AD FS 端启用审核,以查看颁发了哪些令牌(如果有).
First you should take a Fiddler trace and see if AD FS issued a token successfully. Alternatively you can enable auditing on AD FS side to see what tokens were issued if any.
然后安全事件日志和 AD FS 事件日志应确认是否在发出令牌时出错或是否已成功发出令牌.
Then the security event log and AD FS event logs should confirm if there was an error issuing a token or whether it was successfully issued.
有关审查 Fiddler 的一些详细信息,请参见此处.它是为 wsfed 编写的,但对 SAML 也有帮助.http://social.technet.microsoft.com/wiki/contents/articles/3286.aspx
See here for some details for reviewing Fiddler. Its written for wsfed but will help for SAML too. http://social.technet.microsoft.com/wiki/contents/articles/3286.aspx
这个插件也可能有助于更好地查看令牌.如果适用,可能比使用 textwizard 进行 base64/deflatedsaml 解码更容易.http://social.technet.microsoft.com/wiki/contents/articles/3590.fiddler-inspector-for-federation-messages.aspx
This plugin might also be of use to see tokens better. Likely easier than using textwizard to do base64/deflatedsaml decoding as applicable. http://social.technet.microsoft.com/wiki/contents/articles/3590.fiddler-inspector-for-federation-messages.aspx
Fiddler 会干扰 Windows 集成身份验证,除非您点击此链接并禁用 AD FS 上的扩展保护.http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx
Fiddler will interfere with Windows Integrated Auth unless you follow this link and disable extended protection on AD FS. http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx
如果你有 2012R2 你应该这样做
If you have 2012R2 you should do
Set-ADFSProperties -ExtendedProtectionTokenCheck None
如果您的应用提供了加密证书并且 AD FS 正在发送加密断言,Fiddler 将无济于事.在这种情况下,可以更轻松地使用 AD FS 安全日志和调试日志来准确查看发送的内容.
Fiddler wont help if your app provided an encryption cert and AD FS is sending an encrypted assertion. In that case AD FS security log and debug logs are easier to use to see exactly what was sent.
这里的目标是查看断言和主题元素.然后检查验证失败的原因.
The goal here is to see the assertion and the subject element. Then check why validation fails.
您可以在此处查看示例断言 https://rnd.feide.no/samlexample/simplesamlphp_saml_2_0_authentication_response/.您需要查看 AD FS 是否成功发出令牌(检查状态为成功而不是响应者)以及是否具有符合您的应用验证检查的主题.
You can see a sample assertion here https://rnd.feide.no/samlexample/simplesamlphp_saml_2_0_authentication_response/. You need to see if AD FS issued a token successfully (check status is success and not responder) and with a subject that meets your app validation checks.
这篇关于响应没有任何可以通过主题验证的有效断言的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
