SSL handshake fails when retrieving SAML metadata

Stack Overflow user
Asked on 2019-04-03 00:29:46
Answers 1 Views 1.1K Followers 0 Votes 0

So I am trying to add the spring-security-saml2 extension to an existing spring-boot project. As the identity provider I use ADFS; I have used spring-boot with other SAML frameworks before.

Now I get the error

...
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.6.jar:na]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:258) ~[opensaml-2.6.6.jar:na]
    ... 67 common frames omitted
Caused by: javax.net.ssl.SSLException: SSLSession was invalid: Likely implicit handshake failure: Set system property javax.net.debug=all for details
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:275) ~[openws-1.5.6.jar:na]
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.6.jar:na]
    at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.6.RELEASE.jar:1.0.6.RELEASE]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:na]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.6.jar:na]
    ... 68 common frames omitted

I have turned on javax.net.debug=all and checked that the correct certificate is loaded:

adding as trusted cert:
  Subject: CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
  Issuer:  CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
  Algorithm: RSA; Serial number: 0xdfec3e266fcad7e1
  Valid from Fri Mar 20 18:29:09 CET 2015 until Wed Apr 04 19:29:09 CEST 2025

But loading the metadata still fails, with the following error:

localhost-startStop-1, IOException in getSession():  javax.net.ssl.SSLHandshakeException: org.springframework.security.saml.trust.UntrustedCertificateException: Peer SSL/TLS certificate 'CN=fs.example.com, C=GB, ST=BS, L=City, O=Example, OU=Development' issued by 'CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB' is not trusted, add the certificate or it's CA to your trust store and optionally update tlsKey in extended metadata with the certificate's alias

Java prints the IdP's certificate as follows:

Version: V3
  Subject: CN=fs.example.com, C=GB, ST=BS, L=City, O=Example, OU=Development
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: ...
  public exponent: 65537
  Validity: [From: Thu Sep 01 10:51:48 CEST 2016,
               To: Tue Aug 31 10:51:48 CEST 2021]
  Issuer: CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
  SerialNumber: [    02dfec3e 266fcad8 46]

As you can see, the issuing certificate is loaded.

I also tried importing the IdP's own certificate. That did not help.

adding as trusted cert:
  Subject: CN=fs.example.com, C=GB, ST=BS, L=City, O=Example, OU=Development
  Issuer:  CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
  Algorithm: RSA; Serial number: 0x2dfec3e266fcad846
  Valid from Thu Sep 01 10:51:48 CEST 2016 until Tue Aug 31 10:51:48 CEST 2021

Does anyone know how to fix this?

If you need any of my code, feel free to ask.

Thanks.
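An added configuration example, not code from the question or the answer: the UntrustedCertificateException above is raised by Spring SAML's own TLS trust engine, which by default takes its trust anchors from the SAML keystore behind the keyManager bean rather than from the JVM cacerts entries that javax.net.debug lists as "adding as trusted cert". Assuming a keystore saml.jks with the SP key under alias sp-signing and the ADFS issuing CA imported under alias example-ca (aliases, file name and passwords are constructed placeholders), this registers the CA as the trust anchor for HTTPS metadata fetching while keeping hostname verification strict.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer;

@Configuration
public class SamlTlsTrustConfig {

    // Assumption: saml.jks holds the SP signing key under alias "sp-signing" and the
    // ADFS TLS issuing CA as a trusted certificate under alias "example-ca", imported with
    //   keytool -importcert -alias example-ca -file example-ca.pem -keystore saml.jks -storepass changeit
    // Aliases, file names and passwords here are constructed placeholders.
    @Bean
    public KeyManager keyManager() {
        Resource store = new DefaultResourceLoader().getResource("classpath:saml.jks");
        Map<String, String> keyPasswords = new HashMap<>();
        keyPasswords.put("sp-signing", "changeit");
        return new JKSKeyManager(store, "changeit", keyPasswords, "sp-signing");
    }

    // The HTTPS fetch of FederationMetadata.xml is verified by Spring SAML's trust engine,
    // fed from this keystore, not by the JVM cacerts entries printed by javax.net.debug.
    @Bean
    public TLSProtocolConfigurer tlsProtocolConfigurer(KeyManager keyManager) {
        TLSProtocolConfigurer tls = new TLSProtocolConfigurer();
        tls.setKeyManager(keyManager);
        // Restrict the trust anchors to the issuing CA instead of every entry in the store.
        tls.setTrustedKeys(Collections.singleton("example-ca"));
        // Keep strict hostname verification ("default"); "allowAll" would disable it.
        tls.setSslHostnameVerification("default");
        return tls;
    }
}
```

With this in place the peer certificate chains to example-ca; if the fetch still fails, the debug output will show which of chain building or hostname matching rejected it.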


1 Answer

Stack Overflow user

Posted on 2019-04-05 03:57:32

When I had this problem, the cause was the secure hash in ADFS. See topic 12.1.2 of the Spring Security SAML documentation:

https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html

Votes 0
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/55479558
