spring-security-saml,IdP无法加密断言?

时间:2014-10-29 10:23:19

标签: shibboleth spring-saml

我尝试使用testshib.org测试Shibboleth的Spring-Security-SAML设置。

我们生成的元数据(在推送xmllint --format之后,为了便于阅读)包括在内:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https___sforge0.york.ac.uk_sf_saml_" entityID="https://sforge0.york.ac.uk/sf/saml/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDNjCCAvOgAwIBAgIEUESd6DALBgcqhkjOOAQDBQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4G
A1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UE
CxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjAeFw0xNDEwMjMxNTM2MTJaFw0xNTAxMjExNTM2
MTJaMGwxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25v
d24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24w
ggG4MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlF
XUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fG
qKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCXYFCPFSMLzLKSuYKi64QL
8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkW
cSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD
3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhQACgYEAlmBZaPGCOx/qBr/sGxjkb+FA1SPfMj2ys2OQ
joauGh53ORS8AolmE3Cwc3S2B0qA9ldhL4I2cv0ShOIz7x+JYTnrIqXtqS6essY6jG1Kpwhy4YCB
UJRwKfcyYfq1+meLbZ/vAqgvMA7/rJOQnRi/HnqzqW7wdH9BItPR6G451vmjITAfMB0GA1UdDgQW
BBQANR5pMdkq/O47PEgTBUuMQPFrtzALBgcqhkjOOAQDBQADMAAwLQIUYlj1QoLS6JGlnjsTYl/l
vFmVFL0CFQCQ/jwl1chFdPvHvzTeo+LvsOynrw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDNjCCAvOgAwIBAgIEUESd6DALBgcqhkjOOAQDBQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4G
A1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UE
CxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjAeFw0xNDEwMjMxNTM2MTJaFw0xNTAxMjExNTM2
MTJaMGwxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25v
d24xEDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24w
ggG4MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlF
XUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fG
qKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCXYFCPFSMLzLKSuYKi64QL
8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkW
cSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD
3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhQACgYEAlmBZaPGCOx/qBr/sGxjkb+FA1SPfMj2ys2OQ
joauGh53ORS8AolmE3Cwc3S2B0qA9ldhL4I2cv0ShOIz7x+JYTnrIqXtqS6essY6jG1Kpwhy4YCB
UJRwKfcyYfq1+meLbZ/vAqgvMA7/rJOQnRi/HnqzqW7wdH9BItPR6G451vmjITAfMB0GA1UdDgQW
BBQANR5pMdkq/O47PEgTBUuMQPFrtzALBgcqhkjOOAQDBQADMAAwLQIUYlj1QoLS6JGlnjsTYl/l
vFmVFL0CFQCQ/jwl1chFdPvHvzTeo+LvsOynrw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sforge0.york.ac.uk:443/sf/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sforge0.york.ac.uk:443/sf/saml/SingleLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sforge0.york.ac.uk:443/sf/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

我们通过&#34; Register&#34;将其上传到testshib.org。选项,然后在$ contextPath / saml / login上点击我们正在运行的服务,这正确地将我们重定向到testshib.org,它接受了自己:我自己&#34;凭据,并重定向回我们的网站。

最后,我们会看到(在我们的日志中):

2014-10-29 10:12:52,002 278662 [1817318774@qtp-1246086685-8] INFO  o.s.security.saml.log.SAMLDefaultLogger - AuthNResponse;FAILURE;144.32.136.27;https://sforge
0.york.ac.uk/sf/saml/;https://idp.testshib.org/idp/shibboleth;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0
:status:Responder, status message is Unable to encrypt assertion
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
        at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)

从testshib.org上删除日志显示:

06:12:51.694 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:927] - Could not resolve a key encryption credential for peer entity: https://sforge0.york.ac.uk/sf/saml/
06:12:51.695 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:289] - Unable to construct encrypter
org.opensaml.xml.security.SecurityException: Could not resolve key encryption credential
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.getEncrypter(AbstractSAML2ProfileHandler.java:928) ~[shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildResponse(AbstractSAML2ProfileHandler.java:286) ~[shibboleth-identityprovider-2.4.0.jar:na]

正如其他问题中所建议的那样,我确保元数据中有一个KeyDescriptor标记(事实上,两个,每个都有一个&#34; use&#34;属性)。我还尝试手动修改元数据以使用单个KeyDescriptor,使用和不使用&#34;使用&#34;属性,所有这些似乎都会产生类似的结果。

我可以根据要求提供更多详细信息,例如更多日志内容,spring xml配置等,但我不确定它有多相关,所以我暂时选择将它们排除在外

我不确定如何说服testshib.org使用元数据中提供的密钥,或者我们为testshib.org提供的元数据是否有问题?关于如何让我们的testshib登录工作的任何想法?

1 个答案:

答案 0 :(得分:3)

我发布在Shibboleth.net邮件列表中,Ian Young建议我的证书可能有问题。

最后,这是我对mailing list的完整回复,包括我采取了哪些措施来修复它:

  

重新创建密钥库似乎解决了这个问题。在这种情况下,Keytool表现得非常奇怪地试图从keytool获取信息(keytool -printcert -alias skillsforgetrustfabrickey -keystore sfTestKeyStore.jks)似乎挂起了keytool进程(!)。

     

我删除了旧的密钥库并重新创建了它:

     

keytool -genkeypair -keysize 2048 -keyalg rsa -validity 730 -keystore sfTestKeyStore.jks -alias skillsforgeTrustFabricKey

     

使用我配置中指定的相同密码等,重新启动Jetty&amp; amp;之后神秘地栩栩如生。重新请求/重新注册我的元数据。

     

虽然我之前没有确切记录我是如何生成密钥对的,但我相当肯定我之前使用过相同(或至少非常相似)的方法。很明显,我在过去设置密钥库时必须输入错误的内容。

相关问题
最新问题