SSO with signing and signature validation doesn't work

Anonymous (unverified), submitted on 2019-12-03 00:59:01

Question:

I have successfully configured SSO using WSO2IS 4.6.0 and the spring saml grails plugin, but when I enable signing and signature validation like this:

I see errors on WSO2 console

WARN {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Signature Validation Failed for the SAML Assertion : Signature is invalid.
DEBUG org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Signature validation for Authentication Request failed.

I exported default public key (wso2carbon) from WSO2 keystore (wso2carbon.jks), and inserted certificate into X509Certificate section in my SP and IdP metadata.
Here is my IdP metadata:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://localhost:9443/samlsso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>***</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://localhost:9443/samlsso"
                         ResponseLocation="https://localhost:9443/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://localhost:9443/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://localhost:9443/samlsso"/>
  </IDPSSODescriptor>
</EntityDescriptor>

And SP metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="local" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8080/spring-security-saml/login/auth/alias/localhost?disco=true"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>****</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/***/saml/SingleLogout/alias/local"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8080/***/saml/logout/SingleLogout/local"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/***/saml/SSO/alias/local" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8080/***/saml/SSO/alias/local" index="1" isDefault="false"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

My concern is that I use the wrong certificate in either the SP or the IdP metadata, or that it should be signed somehow.

What certificate should I use for the IdP and what for the SP metadata, and can I check whether they are valid?
How can I get it properly using the public key exported from the WSO2 keystore?
Thank you!

UPDATE: It works on 5.1.0 even with incorrect certificates in the metadata; looks like an issue. Here is the 5.1.0 configuration:
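An added check for the question above (example code, not the asker's configuration and not code from WSO2 or the Spring SAML plugin). In SAML metadata, the signing KeyDescriptor advertises the certificate of the entity that publishes the metadata: the IdP metadata handed to the SP carries the IdP's certificate (here the wso2carbon key), and the SP metadata registered at the IdP carries the SP's own signing certificate, the one whose private key signs the AuthnRequest. The script below parses both metadata documents with the standard library, fingerprints every signing certificate, tolerates PEM armour pasted into the X509Certificate element, compares the IdP entry against a certificate exported with keytool, and flags the case where the SP metadata simply repeats the IdP certificate. The metadata strings and certificate bytes are constructed placeholders with a valid outer DER header, not real certificates.

```python
"""Cross-check the signing certificates advertised in SAML SP and IdP metadata
against a certificate exported from a Java keystore (keytool -exportcert -rfc).
Added example, not code from the question, WSO2 or the Spring SAML plugin;
the metadata strings and certificate bytes below are constructed placeholders."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
PEM_ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def decode_cert_text(text):
    """Decode an X509Certificate element's text (or a whole PEM file) to DER.
    PEM armour and whitespace are tolerated; both get pasted into metadata."""
    return base64.b64decode(re.sub(r"\s+", "", PEM_ARMOR.sub("", text)), validate=True)


def looks_like_der_certificate(der):
    """Structural check: a DER Certificate is one outer SEQUENCE (tag 0x30) whose
    encoded length covers exactly the rest of the blob (short or long form)."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def signing_certs(metadata_xml):
    """Certificates from KeyDescriptor elements usable for signing (use="signing",
    or no use attribute, which means both signing and encryption)."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use", "signing") == "signing":
            for cert in kd.iter("{%s}X509Certificate" % DS_NS):
                certs.append(decode_cert_text(cert.text or ""))
    return certs


def check(sp_metadata, idp_metadata, idp_keystore_pem):
    """idp_matches_keystore: the IdP cert the SP trusts is the keystore's cert.
    sp_reuses_idp_cert: the SP metadata repeats the IdP cert instead of the SP's
    own signing cert, so the IdP can never verify AuthnRequests signed by the SP."""
    idp, sp = signing_certs(idp_metadata), signing_certs(sp_metadata)
    ks = decode_cert_text(idp_keystore_pem)
    for der in idp + sp + [ks]:
        if not looks_like_der_certificate(der):
            raise ValueError("certificate text does not decode to a DER Certificate")
    idp_fps = {fingerprint(d) for d in idp}
    sp_fps = {fingerprint(d) for d in sp}
    return {"idp_matches_keystore": fingerprint(ks) in idp_fps,
            "sp_reuses_idp_cert": bool(sp_fps & idp_fps)}


# Constructed sample data: placeholder bytes with a valid outer DER header.
def fake_der(label):
    return b"\x30\x82" + len(label).to_bytes(2, "big") + label


def b64(der):
    return base64.b64encode(der).decode()


IDP_DER = fake_der(b"constructed wso2carbon IdP signing cert placeholder")
SP_DER = fake_der(b"constructed Spring SAML SP signing cert placeholder")

IDP_METADATA = (
    '<EntityDescriptor entityID="https://localhost:9443/samlsso" xmlns="%s">'
    '<IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="%s">'
    "<ds:X509Data><ds:X509Certificate>\n%s\n</ds:X509Certificate></ds:X509Data>"
    "</ds:KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>"
) % (MD_NS, DS_NS, b64(IDP_DER))


def sp_metadata_with(der):
    """SP metadata whose signing KeyDescriptor carries the given certificate."""
    return (
        '<md:EntityDescriptor entityID="local" xmlns:md="%s"><md:SPSSODescriptor>'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="%s"><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>"
    ) % (MD_NS, DS_NS, b64(der))


# What keytool -exportcert -rfc writes for the IdP key (constructed content).
KEYSTORE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    "\n".join(re.findall(".{1,64}", b64(IDP_DER))))

if __name__ == "__main__":
    # The question's setup: the same wso2carbon cert pasted into both documents.
    print("misconfigured:", check(sp_metadata_with(IDP_DER), IDP_METADATA, KEYSTORE_PEM))
    # Corrected: the SP advertises its own signing certificate.
    print("corrected:", check(sp_metadata_with(SP_DER), IDP_METADATA, KEYSTORE_PEM))
```

The PEM input for the IdP side is produced from the keystore named in the question with keytool -exportcert -rfc -alias wso2carbon -keystore wso2carbon.jks -file wso2carbon.pem; the SP certificate is exported the same way from the keystore the Spring SAML plugin signs with, and that is the certificate that belongs in the SP metadata. The structural check only proves the text decodes to a DER SEQUENCE of the right length; it catches pasted headers and truncated base64 but does not validate the certificate itself.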

Answer 1:

You have to import your IDP (Server) certificate as a trust in your SP machine. Your IDP is hosted as https, so import the IDP trust in the SP box at your custom certificate location/JDK cacerts (Java\jdk1.8.0_45\jre\lib\security\cacerts), and then you can try the below command to check that your IDP descriptor URL is accessible from the SP box, like:

wget "YOUR_IDP_DESCRIPTOR_URL";

