SAML SP complaining "Invalid digital signature"


Problem description

We are trying to set up a custom SAML integration with Cisco WebEx. However, the WebEx SP keeps complaining about the "Invalid digital signature" after the SAML Response is sent to WebEx.

We have already inspected the SAML Response, the signing cert, and the Fiddler trace of the SAML transaction. Nothing seems out of the ordinary. We have done this for several other services and have not run into any issues.

Is there a good tool that can help us debug why WebEx thinks the digital signature is invalid?

Recommended answer

There are a few reasons why a digital signature might be seen as invalid.

Altered Document: Ensure that the document you are signing is not in any way altered after it is signed. Even the addition of a whitespace character will invalidate the signature.

Character Encoding: If your document contains Unicode characters, ensure that you have the correct encoding specified. Most SAML documents are expected to be encoded in UTF-8, like so: <?xml version="1.0" encoding="utf-8"?>

Wrong Element Signed: A SAML document containing an Assertion is usually expected to have a signature on the Assertion itself, and not necessarily on the entire document.

Incorrect Certificate: Ensure that the certificate you've given the authority is a match with the key you are signing. Some implementations will have you include the certificate in the document, where others might require you to predefine the certificate. If the one in your document does not match the one they have on file, the signature will not be seen as valid. Are you signing with an SSL certificate? Did you recently update it?

Ultimately you should test the document yourself. Many SAML libraries will have a mechanism for validating a signature. Does yours appear valid to your library? Failing that, you can use something like xmlsec1 to manually validate your document with your certificate. This is likely what your library is using to encrypt, and likely what the authority is using to validate.

Using XMLSec: Given a certificate called cert.pem and a SAML Response XML document called doc.xml you would validate it like so:

$ xmlsec1 --verify --pubkey-cert-pem cert.pem --id-attr:ID Response doc.xml
OK
SignedInfo References (ok/all): 1/1

You may need to alter the --id-attr value to match the ID attribute of your document. You are looking for output similar to the above to inform you that your document's signature is valid with the provided certificate.
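As an added example (not part of the original answer), a stdlib-only Python pre-flight check for three of the points above: the declared encoding, which element each ds:Signature actually sits on and whether its Reference URI resolves to that element's ID attribute (the attribute that xmlsec1's --id-attr option must name), and whether the X509Certificate embedded in KeyInfo is the same certificate as your cert.pem. The SAML Response and the certificate bytes are constructed placeholders; the script does not verify the signature value itself, which is what xmlsec1 is for.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(b64: str) -> str:
    """SHA-256 of the DER bytes, so PEM armour and line wrapping do not matter."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", b64)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def inspect_response(xml_text: str, cert_pem: str) -> dict:
    root = ET.fromstring(xml_text.encode("utf-8"))
    parent = {child: p for p in root.iter() for child in p}   # ElementTree keeps no parent links
    decl = re.match(r'<\?xml[^>]*encoding="([^"]+)"', xml_text)
    report = {"encoding": decl.group(1) if decl else None, "signatures": []}
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        signed = parent[sig]                      # enveloped signature: the parent is the signed element
        ref = sig.find(".//ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        x509 = sig.find(".//ds:X509Certificate", NS)
        report["signatures"].append({
            "signed_element": signed.tag.split("}")[-1],
            "reference_uri": uri,
            "id_attr_matches": uri == "#" + signed.get("ID", ""),   # what --id-attr:ID must resolve
            "cert_matches_file": x509 is not None and cert_fingerprint(x509.text) == cert_fingerprint(cert_pem),
        })
    return report

# Constructed placeholders: not a real certificate, not a real signature value.
FAKE_B64 = base64.b64encode(b"constructed placeholder, not an X.509 certificate").decode()
FAKE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE = f"""<?xml version="1.0" encoding="utf-8"?>
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(inspect_response(SAMPLE, FAKE_PEM))
```

A report showing the signature on the Response rather than the Assertion, a Reference URI that does not match the parent's ID, or a certificate fingerprint mismatch points at one of the causes listed in the answer before you reach for xmlsec1.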
