SAML响应签名为null :SAML2.0
SAML响应签名为null :SAML2.0
提问于 2020-01-27 10:24:57
我是SAML认证新手。
SAML Request -
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://host/project/jsp/index.jsp" Destination="https://host/unica/jsp/index.jsp" ForceAuthn="false" ID="_9d2a3a673a4eba881518c4b18f7dcfa0957264fd074f13e72e" IsPassive="false" IssueInstant="2020-01-24T17:12:55.758Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://host/unica
</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="https://host/project"/>
<saml2p:RequestedAuthnContext Comparison="exact">
<saml2:AuthnContextClassRef
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>根据上述要求,我收到的答复如下-
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s294e0dd953d11cd8d7b2f249bb05951070679e9c0" InResponseTo="_9d2a3a673a4eba881518c4b18f7dcfa0957264fd074f13e72e" Version="2.0" IssueInstant="2020-01-24T17:13:03Z" Destination="https://host/project/jsp/index.jsp">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sso-ppd.localhost.com/idp/openam
</saml:Issuer>
<samlp:Status
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Someid" IssueInstant="2020-01-24T17:13:03Z" Version="2.0">
<saml:Issuer>https://sso-ppd.localhost.com/idp/openam</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#s2bd9e70f040ca49643880ee440b0a84ae25f5e557">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>dd+x9TXVAgDghwv9ADkdTEkXBto=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
qJn0KfZVrg9uiHvFctdjU/8RzancM0Q==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDdTCCAl2gAwIBAgIEPA8XezANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJGUjEMMAoGA1UE
CBMDSURGMQ4wDAYDVQQHEwVNYXNzeTESMBAGA1UEChMJQ2FycmVmb3VyMQwwCgYDVQQLEwNHTlQx
OD2K1NbH7DLZa+zy/QmBvvIxraovhmpW3U2j/
XAFtVXOL5Pln23c1L9c9BzqGMMDHu3v98w65aoJI1FMkiQ==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://sso-ppd.localhost.com/idp/openam" SPNameQualifier="https://host/unica">gregory_picano</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_9d2a3a673a4eba881518c4b18f7dcfa0957264fd074f13e72e" NotOnOrAfter="2020-01-24T17:23:03Z" Recipient="https://host/project/jsp/index.jsp"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-01-24T17:03:03Z" NotOnOrAfter="2020-01-24T17:23:03Z">
<saml:AudienceRestriction>
<saml:Audience>https://host/project</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-01-24T17:13:02Z" SessionIndex="s2d78f7647bbdfe8b5d241ff924944d3afc7f34005">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="uid">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">gregory_picano
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="cn">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">pG
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sn">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">PG
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">pg.com
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="givenName">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Gregory
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>将XML对象转换为SAML响应对象以进行处理。
Response responseObject = (Response)responseXmlObject;当试图从响应中获得签名时,我得到的是null。
Signature signature = responseObject.getSignature();但是我可以看到xml :xml中的签名、ds:SignatureValue和标记。
签名无效的原因是什么?
编辑的
这就是我可以看到签名为空的地方,在解组签名为空之后。
回答 1
Stack Overflow用户
发布于 2020-01-27 15:23:52
请注意以下内容:
<samlp:Response ... ID="s294e0dd953d11cd8d7b2f249bb05951070679e9c0"
....
<ds:Reference URI="#s2bd9e70f040ca49643880ee440b0a84ae25f5e557">您已经在SAML响应中插入了一个签名元素,但是没有指定哪个元素被签名(可以是一个完整的响应,也可以是单个断言)。
我认为引用URI需要与saml:Response或saml:断言中的ID相对应(参见https://www.samltool.com/generic_sso_res.php)
注意:如果您正在构建一个客户端,我强烈建议使用一些成熟的开箱即用库(OpenSAML或security SAML 2)来正确生成或验证SAML消息(所有支持的转换算法,防止签名注入攻击,.)
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/59929206
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号