SignedXml.CheckSignature fails for SAML 1.1 Assertion
Problem description
There seem to be several posts on this topic, but none of them provides a descriptive solution. My code is very simple: I generate a SAML 1.1 assertion using this code:
X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(x509Certificate);

// Here we create the SAML assertion ID and the issuer name.
SamlAssertion assertion = new SamlAssertion();
assertion.AssertionId = "_" + Guid.NewGuid().ToString();
assertion.Issuer = "www.tokenissuer.net";

// Not-before and not-on-or-after conditions
assertion.Conditions = new SamlConditions(DateTime.Now, DateTime.Now.AddMinutes(60));

// Create the SAML subject.
SamlSubject samlSubject = new SamlSubject();
samlSubject.Name = "e_pref.csi.client";
samlSubject.ConfirmationMethods.Add("urn:oasis:names:tc:SAML:1.0:cm:sender-vouches");

SamlAuthenticationStatement samlAuthenticationStatement = new SamlAuthenticationStatement();
samlAuthenticationStatement.AuthenticationInstant = DateTime.Now;
samlAuthenticationStatement.AuthenticationMethod = "urn:oasis:names:tc:SAML:1.0:am:password";
samlAuthenticationStatement.SamlSubject = samlSubject;
assertion.Statements.Add(samlAuthenticationStatement);

assertion.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest);

// Create a SamlSecurityToken from the assertion built above
SamlSecurityToken samlToken = new SamlSecurityToken(assertion);

// System.ServiceModel.Security.WSSecurityTokenSerializer ser = new System.ServiceModel.Security.WSSecurityTokenSerializer();
SecurityTokenHandlerCollectionManager mgr = SecurityTokenHandlerCollectionManager.CreateDefaultSecurityTokenHandlerCollectionManager();
SecurityTokenHandlerCollection sthc = mgr.SecurityTokenHandlerCollections.First();
SecurityTokenSerializer ser = new SecurityTokenSerializerAdapter(sthc);

XmlWriterSettings settings = new XmlWriterSettings()
{
    Encoding = Encoding.UTF8,
    Indent = true,
    OmitXmlDeclaration = true,
    CloseOutput = true
};
StringBuilder sb = new StringBuilder();
XmlWriter innerWriter = XmlWriter.Create(sb, settings);
ser.WriteToken(innerWriter, samlToken);
innerWriter.Flush(); // the XmlWriter buffers its output; flush before reading the StringBuilder
return sb.ToString();
Then, when I try to verify this token using:

SignedXml signedXml = new SignedXml(Doc); // Doc.LoadXml(token) is used to load the token returned from the previous method

// Find the "Signature" node and create a new XmlNodeList object.
XmlNodeList nodeList = Doc.GetElementsByTagName("ds:Signature");

// Throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
    throw new CryptographicException("Verification failed: No Signature was found in the document.");
}

// This example only supports one signature for the entire XML document.
// Throw an exception if more than one signature was found.
if (nodeList.Count >= 2)
{
    throw new CryptographicException("Verification failed: More than one signature was found for the document.");
}

// Load the first <Signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);

// Check the signature and return the result.
return signedXml.CheckSignature(x509Certificate.PrivateKey);
I always get false. Can someone point out what I might be missing here? Just to give you a bit of history, I need to generate this SAML and send it to a Java service in a WS-Security header.
Regards,
Sandeep
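As an added example (not code from the original question or from the answer): a verification routine in which the SAML 1.1 AssertionID attribute can be resolved as the target of the signature's Reference, the Signature element is located by namespace instead of by a hard-coded "ds:" prefix, and the check runs against the public key of a certificate the verifier already trusts rather than whatever key the token carries. Saml11SignedXml, Saml11Verifier and issuerCert are assumed names; like the question's code, it assumes the assertion is the document root.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not from the original post. A SAML 1.1 assertion carries its
// identifier in an AssertionID attribute, while SignedXml's default reference
// resolver only recognises Id/id/ID. Override GetIdElement so "#_guid" resolves.
public sealed class Saml11SignedXml : SignedXml
{
    private const string Saml11Ns = "urn:oasis:names:tc:SAML:1.0:assertion";
    public Saml11SignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null || idValue.IndexOf('\'') >= 0) return found; // keep quotes out of the XPath literal

        var nsm = new XmlNamespaceManager(document.NameTable);
        nsm.AddNamespace("saml", Saml11Ns);
        // Match only a SAML 1.1 Assertion, so the reference cannot be redirected to another element.
        return document.SelectSingleNode("//saml:Assertion[@AssertionID='" + idValue + "']", nsm) as XmlElement;
    }
}

public static class Saml11Verifier
{
    // issuerCert (assumed parameter) is the certificate the verifier already trusts;
    // the key inside <KeyInfo> is deliberately not used for the check.
    public static bool Verify(string assertionXml, X509Certificate2 issuerCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // set before LoadXml, or the digests change
        doc.LoadXml(assertionXml);

        // Locate the Signature by namespace rather than by prefix.
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1)
            throw new CryptographicException("Expected exactly one Signature, found " + sigs.Count);

        var signedXml = new Saml11SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);

        // The single Reference must point at this assertion (assumed to be the root), not elsewhere.
        string expectedUri = "#" + doc.DocumentElement.GetAttribute("AssertionID");
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != expectedUri)
            return false;

        using (RSA rsa = issuerCert.GetRSAPublicKey())
            return signedXml.CheckSignature(rsa);
    }
}
```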
Answer
What is the error? If you cannot use WS Sec to check, try this SAML lib. More information is at this SAML blog.