ADFS and PingFederate SSO : SAML Message has wrong signature

Problem description

I am trying to implement SSO for a service and using ADFS and PingFederate as IDP.

SSO works when I avoid signing the AuthnRequest (both with ADFS and PingFederate), but fails with the following error "SAML Message has wrong signature. Issuer: 'My SP entityID' " when the AuthnRequest is signed.

I had updated the corresponding Relying trust part with the certificate of my SP. I think I am doing something wrong in the IDP configuration. Any help is appreciated.

I had tried this answer without any luck: MSIS0038: SAML Message has wrong signature - ADFS error

Recommended answer

This error on ADFS is received when the AuthnRequest is signed but the SP's certificate configured is incorrect. Make sure that you have provided the correct certificate, go to Relying Party Properties > Signature tab. You should see the certificate provided by you. Verify the thumbprint to be sure.

Also, if you are sending the SAMLRequest as a query parameter (HTTP-Redirect binding), make sure you are using the SHA1 certificate for signing the AuthnRequest. Signing using the SHA256 certificate is not supported in HTTP-Redirect binding by ADFS.
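
To run the two checks from the answer on the SP side, the following added example (not part of the original question or answer) decodes an HTTP-Redirect binding URL to show the Issuer and SigAlg the SP actually sends, and computes the SHA-1 thumbprint of a PEM certificate for comparison with the one listed on the Signature tab. The host names, entity ID, signature value and certificate bytes are constructed placeholders.

```python
import base64, hashlib, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SIG_ALGS = {  # SigAlg URIs carried in the redirect-binding query string
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256",
}

def inspect_redirect(url):
    """Report issuer, signing state and SigAlg of an HTTP-Redirect AuthnRequest URL."""
    q = parse_qs(urlsplit(url).query)
    # Redirect binding encoding: raw DEFLATE, then base64, then URL-encoding.
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)  # only feed this requests produced by your own SP
    sig_alg = q.get("SigAlg", [None])[0]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "signed": "Signature" in q,
        "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
    }

def thumbprint(pem):
    """SHA-1 of the DER bytes as upper-case hex, the form PowerShell prints."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(b64)).hexdigest().upper()

# --- constructed sample input (placeholder hosts, entity ID and certificate bytes) ---
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def sample_url():
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" '
           'Version="2.0"><saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
           '</samlp:AuthnRequest>')
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = c.compress(xml.encode()) + c.flush()
    return "https://idp.example.test/adfs/ls/?" + urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "Signature": "Y29uc3RydWN0ZWQ=",  # constructed placeholder, not a real signature
    })

if __name__ == "__main__":
    print(inspect_redirect(sample_url()))
    print("thumbprint:", thumbprint(SAMPLE_PEM))
```

Run it against the redirect URL captured from your own SP and the certificate file you uploaded to the relying party trust; the script does not verify the signature itself.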