java SAML Spring示例:签名未根据凭据的密钥进行验证
我将SAML Spring样本用于一家公司的ADFS idp。生成的元数据对SSOCIRCE有效,但对ADFS无效,我得到的错误消息如下:
Attempting to verify signature using trusted credentials
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
Signature verification failed.
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed
rg.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
我的安全元数据配置是:
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/whatever_sp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg ref="extendedMetadataSP" />
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/ADFSfederationMetadata.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg ref="extendedMetadataIDP" />
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/ssoCircleIdp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg ref="extendedMetadataIDP" />
<property name="metadataTrustCheck" value="false"/>
</bean>
</list>
</constructor-arg>
</bean>
</bean>
<!-- Extended metadata properties -->
<bean id="extendedMetadataSP" class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="pkix"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="signMetadata" value="false" />
<property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
</bean>
我从ADFS得到的SAML响应如下:
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://localhost:8443/s
pring-security-saml2-sample/saml/SSO" ID="_58365a14-2ed8-4d68-8e8e-fe72618c82d9" InResponseTo="afj64ji85gba3991249die24d5eiii" IssueInstant="2016-07-28T11:00:18.094Z" Version="2.0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[MYIDP]</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_58365a14-2ed8-4d68-8e8e-fe72618c82d9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>eUzL1nPviOFVEi6A/XcplZJR3gBpg/gXWdtK/37iNCk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>P+O4GMaYLrBnB/QkqTWI/b1ju3OShaJXPgMUWlTUdxGfcXLCBukmBO+pUH3V5F71f6G0qcYihGkXisVnk+kYrJ+ieGSAl4CgLok32OXVrafEAD9NVGCideabiJSr7MHBc1bWmlWBMJxPeYBDcH5e1+b/4uFwG3HBs6AHiDObVWZ97mQ
5ZnqwuS2m9zfunVKtAJOS1l3JkhXIBqU3OGD9fAriIMFxc+RygAZxbIq4pvXqSD4mP7aB6UlWE7jdcr5R+CmxmDWBEcQgjCSiAWUGQoEOC4EXkRXWc//3TEOjD19mMn4nepJA3Ko6jJfObS0peXfQKKhz3ink0lEbm1qCgA==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIF1DCCBLygAwIBAgIQbhhm1o92bv+YAd21fED0rDANBgkqhkiG9w0BAQsFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xITAfBgNVBAoTGE5ldHdvcmsgU29sdXRpb25zIEwuTC5D
LjEpMCcGA1UEAxMgTmV0d29yayBTb2x1dGlvbnMgT1YgU2VydmVyIENBIDIwHhcNMTQxMDI5MDAwMDAwWhcNMTgwMTAzMjM1OTU5WjCB8DELMAkGA1UEBhMCR0IxETAPBgNVBBETCEJTMzcgNUhaMQ0wCwYDVQQIEwRBdm9uMRAwDgYDVQQHEwdCcmlzdG9sMQ0wCwYD
VQQJEwRZYXRlMRUwEwYDVQQJEwxTdGF0aW9uIFJvYWQxHzAdBgNVBAkTFlVuaXQgMSBCYWRtaW50b24gQ291cnQxGzAZBgNVBAoTEkFQQUsgR3JvdXAgTGltaXRlZDELMAkGA1UECxMCSVQxITAfBgNVBAsTGFNlY3VyZSBMaW5rIFNTTCBXaWxkY2FyZDEZMBcGA1UE
AxQQKi5zd29yZC1hcGFrLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANlGeYyoUeZj2QwtmjfpZzZy0IRZLK4aBeaQw4uwevLyJMOBaPTFWXj6aEDmr9kEcKiSUhcbSFSltvS/e88Vh5ZxrL2X75g5kUzgCAw9lY6aTYEAEpFm7pix47YIgJsPf1VM
wtVbw4MBrDnVYoC/kuXZ7okeglYPnv4TtmSRSq5MF2+HRs/Fhv8JtDl0bt/Tz9//vyi48S7KAeaPSqvVxZ7qyHov7FLCRspjGY9JuuI/uEGv2+ohaDYmnhyLFeaSfHPotg0gWTAowblUSigtk/6CAH2lUfKopPGvAE/egR79vPofaNxHooaZuxnPQ6ylW3dwcDK67Ve1
BS1QvLO3nXkCAwEAAaOCAd0wggHZMB8GA1UdIwQYMBaAFCAzzbdh9qWGT9zJ13NqvApRZZjsMB0GA1UdDgQWBBTTLIw41beIX7xgjN5kHorN+6Ib2jAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYD
VR0gBG4wbDBgBgwrBgEEAYYOAQIBAwEwUDBOBggrBgEFBQcCARZCaHR0cDovL3d3dy5uZXR3b3Jrc29sdXRpb25zLmNvbS9sZWdhbC9TU0wtbGVnYWwtcmVwb3NpdG9yeS1jcHMuanNwMAgGBmeBDAECAjBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLm5ldHNv
bHNzbC5jb20vTmV0d29ya1NvbHV0aW9uc09WU2VydmVyQ0EyLmNybDB7BggrBgEFBQcBAQRvMG0wRAYIKwYBBQUHMAKGOGh0dHA6Ly9jcnQubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zT1ZTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2Nz
cC5uZXRzb2xzc2wuY29tMBsGA1UdEQQUMBKCECouc3dvcmQtYXBhay5jb20wDQYJKoZIhvcNAQELBQADggEBADXCuYBzSLijLp8gQjkHl2NGb7VahaJTV4jD/pM0CV+6ERk5o7W6ufFH+ok7vONlukdQxT67GzEFnl7S+WgTxOTbYBQs4xMRsnY7G44yBLEtTjlw5UlN
kKPJXNnfFhrAy260sV5cqtP+hclNZ3TLTadwYVqdvv9D53aWP2gjZVE4RpUhI1DM0z9zk7FP7PyYsuhkILSwMst/YoPBOgs6C7/3nuMTh4IqCcYowSgcNdBiY8Vm+M5X6v/PqkPBvVPvE8s8xxrIfFIyNT4VdvKz1UGuT+yeI+4N3oeou3mCD0ENstzjxkRgPGOQbm45
2rlKIhki4ep90winKO4EectPUCM=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
</samlp:Status>
</samlp:Response>
我的SP元数据是:
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="[blah]" entityID="[blah]"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIESm9pPTANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVSzEQMA4GA1UE
CBMHQnJpc3RvbDENMAsGA1UEBxMEWWF0ZTEOMAwGA1UEChMFU3dvcmQxDTALBgNVBAsTBEFwYWsx
EzARBgNVBAMTCkZpcnN0IExhc3QwIBcNMTYwMTE0MTUzMjE4WhgPMjI4OTEwMjgxNTMyMThaMGIx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMQ0wCwYDVQQHEwRZYXRlMQ4wDAYDVQQKEwVT
d29yZDENMAsGA1UECxMEQXBhazETMBEGA1UEAxMKRmlyc3QgTGFzdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKyy2k8uLwA2sLMDV7AbqNzq8vh3n+FwxQiBFnly8EY1TbBmFa6I2u0L
1scYeGh/DudAWhj4nqhY2r44Q4GdmKvxGGFMKlrxDbzL3sfWW+OepwU25vd+wUk1OKxoYuK0cNmK
u3HkMgbXjTf4zLTuHSVuGXBh2p1cONTJVQYXzo8JqNSWRe5cmbqeESmzxsfctvv1/nfo5CHOuI6A
ol5R818d86SSGD1VADDmsSLTnw1GxTlzsp2637/0AIp119qamdBlmV6rl4MLcornWGnMDtHeN0iK
Q1x5Y9z9wVxr2Mz+PWUQP7qzlpr3mFwIRiFjCKpkHjfVOEHu+lRncaaPqhsCAwEAAaMhMB8wHQYD
VR0OBBYEFPe7nLb+sAec0J4f9cFj1Z3Q+zqvMA0GCSqGSIb3DQEBCwUAA4IBAQB28cgzoItNYtNp
LxvcRi/Y6aSkY/U+3uxke5GiEqMdsA7k+tn1ut7AcmmJnWQee7UjJJECwSxLHm2NIi9oukYtJi5R
lLjMMxWapREVg65HFZtH3HobkppOInQPxPxxKX1f0IdbAXthO5e8pYdTNVCRtLAXU0djPJFIwmhS
YgD2iyfHOOCX6BxjXiE9aYsykUH+S8PyFoIic9bbPziufTNW+Sa01kPzN6RYe4SukOXfvVlmR0eU
vvlyq9mAnAYVqbWUmYQkn+gokAxE/Uj4sACx75uzPx29VyiehQfkw5GgCDQMV6iXzRgLZThFp9+w
mYOs8uZDgNIFC/gFI6JeVdvh</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDZTCCAk2gAwIBAgIESm9pPTANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVSzEQMA4GA1UE
CBMHQnJpc3RvbDENMAsGA1UEBxMEWWF0ZTEOMAwGA1UEChMFU3dvcmQxDTALBgNVBAsTBEFwYWsx
EzARBgNVBAMTCkZpcnN0IExhc3QwIBcNMTYwMTE0MTUzMjE4WhgPMjI4OTEwMjgxNTMyMThaMGIx
CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMQ0wCwYDVQQHEwRZYXRlMQ4wDAYDVQQKEwVT
d29yZDENMAsGA1UECxMEQXBhazETMBEGA1UEAxMKRmlyc3QgTGFzdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKyy2k8uLwA2sLMDV7AbqNzq8vh3n+FwxQiBFnly8EY1TbBmFa6I2u0L
1scYeGh/DudAWhj4nqhY2r44Q4GdmKvxGGFMKlrxDbzL3sfWW+OepwU25vd+wUk1OKxoYuK0cNmK
u3HkMgbXjTf4zLTuHSVuGXBh2p1cONTJVQYXzo8JqNSWRe5cmbqeESmzxsfctvv1/nfo5CHOuI6A
ol5R818d86SSGD1VADDmsSLTnw1GxTlzsp2637/0AIp119qamdBlmV6rl4MLcornWGnMDtHeN0iK
Q1x5Y9z9wVxr2Mz+PWUQP7qzlpr3mFwIRiFjCKpkHjfVOEHu+lRncaaPqhsCAwEAAaMhMB8wHQYD
VR0OBBYEFPe7nLb+sAec0J4f9cFj1Z3Q+zqvMA0GCSqGSIb3DQEBCwUAA4IBAQB28cgzoItNYtNp
LxvcRi/Y6aSkY/U+3uxke5GiEqMdsA7k+tn1ut7AcmmJnWQee7UjJJECwSxLHm2NIi9oukYtJi5R
lLjMMxWapREVg65HFZtH3HobkppOInQPxPxxKX1f0IdbAXthO5e8pYdTNVCRtLAXU0djPJFIwmhS
YgD2iyfHOOCX6BxjXiE9aYsykUH+S8PyFoIic9bbPziufTNW+Sa01kPzN6RYe4SukOXfvVlmR0eU
vvlyq9mAnAYVqbWUmYQkn+gokAxE/Uj4sACx75uzPx29VyiehQfkw5GgCDQMV6iXzRgLZThFp9+w
mYOs8uZDgNIFC/gFI6JeVdvh</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/spring-security-saml2-sample/saml/SingleLogout"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/spring-security-saml2-sample/saml/SingleLogout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/spring-security-saml2-sample/saml/SSO" index="0" isDefault="true"/><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/spring-security-saml2-sample/saml/SSO" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
请注意我没有修改samlKeystore。jks。我不确定我做错了什么,有人能解释一下吗
正如我之前提到的,同样的SP上传到SSOCIRCE工作正常。在ADFS中,我得到了签名问题
ADFS需要sha256,事实上我也尝试过用CustomSAMLBootstrap在那里设置算法来实现SAMLBootstrap,但仍然没有成功。我真的被困住了,不知所措,请帮帮我
# 1 楼答案
我有一个Spring SAML实现,目前与3个ADFS实例集成,每个依赖方信任都设置为使用SHA-1而不是SHA-256。您是否要求使用SHA-256
您的ADFS实例是否使用自签名证书?如果是这样,则需要导入公共文件。cer文件放入你的JKS,让SAML工作。我发现this视频对于学习如何导航Windows、获取和导入证书非常有用
此外,如果您使用的是项目附带的JKS,那么您在SAML实现中使用的是自签名证书。您需要像这样导出证书:
并将其导入ADF