SSO with signing and signature validation doesn't work


Problem description

I have successfully configured SSO using WSO2IS 4.6.0 and the spring saml grails plugin, but when I enable signing and signature validation like this: I see errors on the WSO2 console

WARN {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Signature Validation Failed for the SAML Assertion : Signature is invalid.
DEBUG org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Signature validation for Authentication Request failed.


I exported the default public key (wso2carbon) from the WSO2 keystore (wso2carbon.jks), and inserted the certificate into the X509Certificate section in my SP and IdP metadata.
Here is my IdP metadata:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://localhost:9443/samlsso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>***
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://localhost:9443/samlsso"
                         ResponseLocation="https://localhost:9443/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://localhost:9443/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://localhost:9443/samlsso"/>
</IDPSSODescriptor>
</EntityDescriptor>

And the SP metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="local" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
        <idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8080/spring-security-saml/login/auth/alias/localhost?disco=true"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    ****
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8080/***/saml/logout/SingleLogout/local"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SSO/alias/local" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8080/***/saml/SSO/alias/local" index="1" isDefault="false"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>

My concern is that I use the wrong certificate in either the SP or the IdP metadata, or that it should be signed somehow.

What certificate should I use for the IdP and what for the SP metadata, and can I check if they are valid?
How can I get it properly using the public key exported from the WSO2 keystore?
Thank you!

UPDATE: It works on 5.1.0 even with incorrect certificates in metadata, looks like an issue. Here is 5.1.0 Configuration:
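One concrete way to answer "can I check if they are valid?" is to compare the certificate embedded in each metadata file against the one actually exported from the keystore. The following is an added example, not code from the question or from WSO2/Spring SAML; it assumes the keystore certificate was exported as PEM (for example with `keytool -exportcert -rfc -alias wso2carbon -keystore wso2carbon.jks`) and uses constructed placeholder bytes in place of a real DER certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def signing_cert_fingerprints(metadata_xml: str) -> list[str]:
    """SHA-256 fingerprints (hex) of every certificate under a KeyDescriptor usable
    for signing (use="signing" or no use attribute). Works for the default-namespace
    IdP style and the md:-prefixed SP style alike: ElementTree matches namespace URIs."""
    fps = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            # Metadata indents and line-wraps the base64, so drop all whitespace.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            fps.append(hashlib.sha256(der).hexdigest())
    return fps

def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, e.g. the output of
    keytool -exportcert -rfc -alias wso2carbon -keystore wso2carbon.jks"""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def metadata_matches_keystore(metadata_xml: str, pem: str) -> bool:
    """True if the exported certificate is one of the metadata's signing certs."""
    return pem_fingerprint(pem) in signing_cert_fingerprints(metadata_xml)

# Constructed sample bytes standing in for DER certificates (not real X.509);
# the fingerprint comparison does not depend on their internal structure.
GOOD_DER = b"constructed-sample-cert-bytes-matching-keystore"
OTHER_DER = b"constructed-sample-cert-bytes-from-a-different-key"
def pem_for(der: bytes) -> str:
    body = base64.encodebytes(der).decode()  # line-wrapped like keytool -rfc output
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed SP metadata in the page's md:-prefixed, indented style.
SP_METADATA = f"""<md:EntityDescriptor entityID="local" xmlns:md="{MD_NS}">
  <md:SPSSODescriptor AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
          {base64.b64encode(GOOD_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

A mismatch here means the IdP validates the AuthnRequest signature against a key the SP never signed with, which is exactly the "Unable to evaluate key against signature" failure in the log above.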

Recommended answer

You have to import your IDP (server) certificate as a trust in your SP machine. Your IDP is hosted as https, so import the IDP trust in the SP box at your custom certificate location / JDK cacerts (Java\jdk1.8.0_45\jre\lib\security\cacerts), and then you can try the command below to check that your IDP descriptor URL is accessible from the SP box, like...

wget "YOUR_IDP_DESCRIPTOR_URL";
