I am using my SP to authenticate against the TestShib IdP. After logging in at the IdP, I get this error on the SP side:
Unable to establish security of incoming assertion. From what I can see in shibd.log:
2016-11-03 11:30:34 ERROR XMLTooling.TrustEngine.PKIX [4]: certificate name was not acceptable
2016-11-03 11:30:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [4]: unable to verify message signature with supplied trust engine
2016-11-03 11:30:34 WARN Shibboleth.SSO.SAML2 [4]: detected a problem with assertion: Unable to establish security of incoming assertion.
Please advise.
Update -
More information from shibd.log:
2016-11-03 11:10:55 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.3
2016-11-03 11:10:55 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.4
2016-11-03 11:10:55 INFO Shibboleth.Application : building AttributeFilter of type XML...
2016-11-03 11:10:55 INFO Shibboleth.AttributeFilter : reload thread started...running when signaled
2016-11-03 11:10:55 INFO Shibboleth.AttributeFilter : loaded XML resource (/opt/shibboleth-sp/etc/shibboleth/attribute-policy.xml)
2016-11-03 11:10:55 INFO Shibboleth.Application : building AttributeResolver of type Query...
2016-11-03 11:10:55 INFO Shibboleth.Application : building CredentialResolver of type File...
2016-11-03 11:10:55 INFO XMLTooling.SecurityHelper : loading private key from file (/opt/shibboleth-sp/etc/shibboleth/sp-key.pem)
2016-11-03 11:10:55 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/opt/shibboleth-sp/etc/shibboleth/sp-cert.pem)
2016-11-03 11:10:55 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2016-11-03 11:10:55 INFO Shibboleth.Listener : listener service starting
2016-11-03 11:11:34 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2016-11-03 11:11:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
2016-11-03 11:11:34 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Unable to establish security of incoming assertion.
2016-11-03 11:25:55 INFO XMLTooling.StorageService : purged 3 expired record(s) from storage
2016-11-03 11:30:34 ERROR XMLTooling.TrustEngine.PKIX [4]: certificate name was not acceptable
2016-11-03 11:30:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [4]: unable to verify message signature with supplied trust engine
2016-11-03 11:30:34 WARN Shibboleth.SSO.SAML2 [4]: detected a problem with assertion: Unable to establish security of incoming assertion.
2016-11-03 11:40:55 INFO XMLTooling.StorageService : purged 3 expired record(s) from storage
From shibd_warn.log:
2016-11-03 10:50:10 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Message was signed, but signature could not be verified.
2016-11-03 11:11:34 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2016-11-03 11:11:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
2016-11-03 11:11:34 WARN Shibboleth.SSO.SAML2 [2]: detected a problem with assertion: Unable to establish security of incoming assertion.
2016-11-03 11:30:34 ERROR XMLTooling.TrustEngine.PKIX [4]: certificate name was not acceptable
2016-11-03 11:30:34 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [4]: unable to verify message signature with supplied trust engine
2016-11-03 11:30:34 WARN Shibboleth.SSO.SAML2 [4]: detected a problem with assertion: Unable to establish security of incoming assertion.
Posted on 2016-11-04 10:40:52
You should not use PKIX; use explicit trust instead.
The error occurs when your SP tries to verify the signature (and therefore the authenticity) of the SAML assertion coming from the testshib IdP. You have configured the SP to verify signatures with the PKIX TrustEngine, and it does not match any of your certificates.
Using the ExplicitKey TrustEngine is much simpler and is the recommended approach. It means the SP learns the TestShib IdP's signing certificate directly from the metadata.
https://stackoverflow.com/questions/40405712
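To make the answer concrete, the following is an added configuration example showing the relevant part of shibboleth2.xml on the SP; it is not from the original post, the Shibboleth project or TestShib. The entityID, metadata URL, backing file name and reload interval are assumed values. It puts the PKIX-only setting that produces "certificate name was not acceptable" (the PKIX engine requires the IdP certificate to chain to a trusted CA and to carry a name matching the peer's entityID or a KeyName in metadata) beside the ExplicitKey setting, which accepts a signature only when the signing key is exactly one of the keys published in the IdP's metadata KeyDescriptor.

```xml
<!-- Added example, not from the original post. The TrustEngine section of
     shibboleth2.xml on the SP (Shibboleth SP 2.x element names and ordering).
     entityID, metadata URL, file names and intervals are assumed values. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <!-- ... Sessions, Errors, RelyingParty elements unchanged ... -->

    <!-- The IdP signing certificate is learned from this metadata. With ExplicitKey
         trust the metadata document IS the trust anchor, so fetch it from a source
         you trust and keep it fresh. Assumed URL and backing file name. -->
    <MetadataProvider type="XML"
                      uri="https://idp.example.org/metadata/idp-metadata.xml"
                      backingFilePath="idp-metadata.xml"
                      reloadInterval="7200">
        <!-- Reject metadata that has no validUntil or that is valid for more than 4 weeks. -->
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <!-- For production metadata, add a Signature filter with the publisher's
             certificate so a tampered metadata file cannot introduce a rogue IdP key:
             <MetadataFilter type="Signature" certificate="federation-signer.pem"/> -->
    </MetadataProvider>

    <!-- BEFORE (what the answer says the asker had): PKIX-only trust.
         The IdP certificate must chain to a CA published in metadata and carry an
         acceptable name; when it does not, shibd logs
         "XMLTooling.TrustEngine.PKIX: certificate name was not acceptable". -->
    <!--
    <TrustEngine type="PKIX"/>
    -->

    <!-- AFTER: explicit key trust. No chain building and no name checking: the
         signing key must match a key in the IdP's <KeyDescriptor> byte for byte. -->
    <TrustEngine type="ExplicitKey"/>

    <!-- ... AttributeExtractor, AttributeResolver, AttributeFilter,
         CredentialResolver unchanged ... -->
</ApplicationDefaults>
```

After changing the file, check it with `shibd -t` and restart shibd. Two caveats a practitioner should keep in mind: ExplicitKey moves all of the trust into the metadata, so the channel that delivers the metadata (TLS to a trusted host, or a Signature MetadataFilter) now matters as much as the TrustEngine choice; and if the IdP rotates its signing certificate while the SP is still serving a stale cached copy of the metadata, signature verification fails again until the metadata is refreshed.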