SAML response Signed Assertion missing KeyInfo element


Problem description


We are acting as a Service provider in IDP initiated SSO using SAML 2.0. We are using Saml2SecurityTokenHandler to retrieve the token from the SAML response Signed assertion. But following exception occurs when the <ds:KeyInfo> element is absent in the <ds:Signature> element. SecurityTokenHandler expects the KeyInfo to be present in the Signed assertion. But as per SAML 2.0 Specification, KeyInfo is not a mandatory element and can be absent.

Exception Received: 
System.IdentityModel.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier ( IsReadOnly = False,  Count = 1,  Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause )'. Ensure that the SecurityTokenResolver is populated with the required key.

Code Snippet : 

foreach (XmlElement assertionNode in _assertionElements)
{
    using (var reader = new XmlNodeReader(assertionNode))
    {
        // Saml2SecurityTokenHandler is the handler type; Saml2SecurityToken (as originally
        // written) is the token type and has no ReadToken method.
        Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();

        // ReadToken parses the assertion and verifies its enveloped signature. ID4037 is thrown
        // here when <ds:KeyInfo> is absent and Configuration.IssuerTokenResolver has no key to offer.
        var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(reader); // Exception triggered.

        // DetectReplayedToken, ValidateConditions and CreateClaims are protected members of
        // Saml2SecurityTokenHandler; this loop presupposes a derived handler that exposes them
        // (ValidateToken runs the same three steps from the public surface).
        tokenHandler.DetectReplayedToken(securityToken);

        tokenHandler.ValidateConditions(securityToken.Assertion.Conditions, false);

        claimList.Add(tokenHandler.CreateClaims(securityToken));
    }
}

1. A few responses (SAML response Signed Assertion) from the same third-party IDP are missing the KeyInfo value, while other responses have it. The IDP is inconsistent in its response behavior. What could be the reason?
2. Is the KeyInfo element mandatory for a SAML response signed assertion?
3. What is the way to avoid this exception even when the IDP omits the element in its response?

Recommended answer


Hi Prasanna B R,

The following thread provides two solutions; please check whether one of them works for you.

#Solution1 (issuer side: give the SigningCredentials a key identifier so the emitted <ds:Signature> carries a <ds:KeyInfo> with the raw RSA public key)

// Assumed so that the snippet compiles: signingCert is an X509Certificate2 with a private key,
// descriptor is a SecurityTokenDescriptor, and the algorithm URIs come from SecurityAlgorithms.
string signatureAlgorithm = SecurityAlgorithms.RsaSha256Signature;
string digestAlgorithm = SecurityAlgorithms.Sha256Digest;

RSACryptoServiceProvider rsa = signingCert.PrivateKey as RSACryptoServiceProvider;
RsaSecurityKey rsaKey = new RsaSecurityKey(rsa);
RsaKeyIdentifierClause rsaClause = new RsaKeyIdentifierClause(rsa);   // KeyInfo will hold <ds:KeyValue>, not the certificate
SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { rsaClause });
SigningCredentials signingCredentials = new SigningCredentials(rsaKey, signatureAlgorithm, digestAlgorithm, signingSki);
descriptor.SigningCredentials = signingCredentials;

#Solution2 (same idea, but KeyInfo carries the X.509 certificate, which a relying party can match against its trusted issuer certificates)

X509RawDataKeyIdentifierClause x509clause = new X509RawDataKeyIdentifierClause(signingCert);
SecurityKeyIdentifier signingSki2 = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { x509clause });
SigningCredentials signingCredentials2 = new SigningCredentials(rsaKey, signatureAlgorithm, digestAlgorithm, signingSki2);
descriptor.SigningCredentials = signingCredentials2; // the original assigned signingCredentials here, which would silently keep Solution1's KeyInfo

https://social.msdn.microsoft.com/Forums/vstudio/en-US/0a288c39-44d8-4e3c-b7b5-47a15be1bfee/the-key-needed-to-verify-the-signature-could-not-be-resolved?forum=Geneva


Best regards,

张龙
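The two solutions above act on the issuer's SigningCredentials: they make the party that signs the assertion emit a <ds:KeyInfo>. A service provider cannot change that for a third-party IdP, and it should not need to. XML-DSig makes ds:KeyInfo optional, and the SP must in any case verify the signature against a key it already trusts (the IdP certificate from its metadata), never against whatever key the response happens to carry; otherwise an attacker could sign a forged assertion with a key of their own and embed that key. ID4037 says precisely that the handler's IssuerTokenResolver had no key to offer for the keyless case. The following is an added example, not code from the question, the answer or the linked thread: a resolver that returns the pinned IdP certificate for the Saml2SecurityKeyIdentifierClause named in the error and only for KeyInfo clauses that match that certificate otherwise, wired into a Saml2SecurityTokenHandler from .NET 4.5 System.IdentityModel. The class names PinnedIdpKeyResolver and SpAssertionValidator, the issuer name, the audience URI and the way the certificate is loaded are assumptions made for illustration.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Hypothetical resolver (not part of the original page). The SP's trust anchor is the IdP
// signing certificate obtained out of band (metadata pinned at deployment). The resolver
// offers that key to signature verification whether or not <ds:Signature> carried a
// <ds:KeyInfo>; it never derives a key from the message itself.
public sealed class PinnedIdpKeyResolver : SecurityTokenResolver
{
    private readonly X509SecurityToken _idpToken;

    public PinnedIdpKeyResolver(X509Certificate2 idpSigningCert)
    {
        if (idpSigningCert == null) throw new ArgumentNullException("idpSigningCert");
        _idpToken = new X509SecurityToken(idpSigningCert);
    }

    private bool Matches(SecurityKeyIdentifierClause clause)
    {
        // No KeyInfo: the handler asks with a Saml2SecurityKeyIdentifierClause (the clause
        // named in ID4037); answer with the pinned key.
        if (clause is Saml2SecurityKeyIdentifierClause) return true;

        // KeyInfo with <ds:KeyValue> (Solution1 style): accept only the pinned public key.
        var rsaClause = clause as RsaKeyIdentifierClause;
        if (rsaClause != null)
        {
            var pinnedRsa = _idpToken.Certificate.PublicKey.Key as RSA;
            return pinnedRsa != null && rsaClause.Matches(pinnedRsa);
        }

        // KeyInfo with X509Data (Solution2 style, thumbprint, SKI, issuer/serial): accept only
        // references to the pinned certificate, so an attacker-embedded key is rejected.
        return _idpToken.MatchesKeyIdentifierClause(clause);
    }

    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause clause, out SecurityKey key)
    {
        key = Matches(clause) ? _idpToken.SecurityKeys[0] : null;
        return key != null;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause clause, out SecurityToken token)
    {
        token = Matches(clause) ? _idpToken : null;
        return token != null;
    }

    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        token = null;
        foreach (SecurityKeyIdentifierClause clause in keyIdentifier)
        {
            if (TryResolveTokenCore(clause, out token)) return true;
        }
        return false;
    }
}

public static class SpAssertionValidator
{
    // expectedIssuer is the IdP's entityID and audience the SP's own entityID (assumed values).
    public static Saml2SecurityTokenHandler CreateHandler(X509Certificate2 idpSigningCert, string expectedIssuer, Uri audience)
    {
        var config = new SecurityTokenHandlerConfiguration();
        config.IssuerTokenResolver = new PinnedIdpKeyResolver(idpSigningCert);

        // Bind the <saml:Issuer> value to the pinned certificate's thumbprint, so an assertion
        // signed with the right key but claiming another issuer name is still rejected.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(idpSigningCert.Thumbprint, expectedIssuer);
        config.IssuerNameRegistry = issuers;

        config.AudienceRestriction.AllowedAudienceUris.Add(audience);

        // The exact certificate is pinned, so chain building adds nothing; the default
        // PeerOrChainTrust would reject a self-signed IdP certificate that is not in the
        // TrustedPeople store (assumption about the deployment).
        config.CertificateValidator = X509CertificateValidator.None;

        return new Saml2SecurityTokenHandler { Configuration = config };
    }

    // Returns the identity for a signed <saml:Assertion> element; throws
    // SignatureVerificationFailedException or SecurityTokenValidationException otherwise.
    public static ClaimsIdentity Validate(Saml2SecurityTokenHandler handler, XmlElement assertionElement)
    {
        using (var reader = new XmlNodeReader(assertionElement))
        {
            if (!handler.CanReadToken(reader))
                throw new SecurityTokenException("Element is not a SAML 2.0 assertion.");

            // Signature is verified inside ReadToken using the key the resolver above returns.
            SecurityToken token = handler.ReadToken(reader);

            // Conditions (NotBefore/NotOnOrAfter), audience, issuer name, and replay cache if enabled.
            ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(token);
            return identities[0];
        }
    }
}
```

Call CreateHandler once at startup with the certificate taken from the IdP metadata, then Validate for each assertion element in the response. Because the resolver answers the keyless clause only with the pinned key, an assertion signed with any other key still fails signature verification instead of being "resolved", and the IssuerNameRegistry check additionally ties the assertion's Issuer to that certificate. When the IdP rotates its signing certificate, the pinned certificate is what has to change; a KeyInfo in the response must never be allowed to drive that.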

