Question
I have set up WSO2 Identity Server with the Office 365 (AAD) Identity Provider and the SSO sample app travelocity.com, and configured my Azure Active Directory application with the necessary permissions. I have disabled user consent on both sides, Azure AD and my Identity Server.
Using the sample app, the login is working fine, but I receive the following error from travelocity.com:
An error has occurred
SAML2 Response Issuer verification failed
I guess the authentication is working, judging from the debug logging I enabled (some strings truncated for readability):
[2018-05-28 14:24:36,070] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
[2018-05-28 14:24:36,071] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler for the given handler list.
[2018-05-28 14:24:36,072] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
[2018-05-28 14:24:36,078] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Authentication Context is null
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - In authentication flow
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler} - Authentication Graph not defined for the application. Performing Step based authentication. Service Provider :sso_test
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler} - Executing the Step Based Authentication...
[2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Executing the Step Based Authentication...
[2018-05-28 14:24:36,080] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Starting Step: 1
[2018-05-28 14:24:36,080] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - No current authenticated IDPs in the authentication context. Continuing with the previous authenticated IDPs
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - No previous authenticated IDPs found in the authentication context.
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Finding already authenticated IdPs of the step {order:1}
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - No authenticators found.
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Receive a response from the external party
[2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Office365Authenticator can handle the request.
[2018-05-28 14:24:36,514] DEBUG {org.wso2.carbon.identity.authenticator.office365.Office365Authenticator} - Claim URL: https://outlook.office365.com/api/v2.0/me
[2018-05-28 14:24:36,661] DEBUG {org.wso2.carbon.identity.authenticator.office365.Office365Authenticator} - Claim URL: https://outlook.office365.com/api/v2.0/me
[2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Office365Authenticator returned: SUCCESS_COMPLETED
[2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authenticated IDP data of the IDP 'Azure Active Directory' couldn't be found in current authenticate IDPs. Trying previous authenticated IDPs
[2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authenticated IDP data for the IDP 'Azure Active Directory' couldn't be found in previous authenticate IDPs as well. Using a fresh AuthenticatedIdPData object
[2018-05-28 14:24:36,708] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Step 1 is completed. Going to get the next one.
[2018-05-28 14:24:36,708] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - There are no more steps to execute.
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Request is successfully authenticated.
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Handling Post Authentication tasks
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil} - JWT Header :{"typ":"JWT", "alg":"none"}
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil} - JWT Body :{"iss":"wso2","exp":15275174767093000,"iat":1527517476709,"idps":[{"idp":"Azure Active Directory","authenticator":"Office365Authenticator"}]}
[2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} - Trying to find the IdP for name: Azure Active Directory
[2018-05-28 14:24:36,710] DEBUG {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} - A registered IdP was found
[2018-05-28 14:24:36,710] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - No role attribute value has received from the external IDP: Azure Active Directory, in Domain: null.
[2018-05-28 14:24:36,711] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultSequenceHandlerUtils} - Getting Service Provider mapped roles of application: sso_test of user: null
[2018-05-28 14:24:36,711] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultSequenceHandlerUtils} - Service Provider Mapped Roles: null
[2018-05-28 14:24:36,712] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Executing claim handler. isFederatedClaims = true and remote claims = [@odata.id:https://outlook.office365.com/api/v2.0/Users('a[TRUNCATED]980a-82ba0f179639@[TRUNCATED]1-88e0-6acf5e8c015e'),Alias:my.user,DisplayName:my USER,MailboxGuid:[TRUNCATED]4bb9-b0f1-89b84064ef1a,Id:[TRUNCATED]-980a-82ba0f179639@[TRUNCATED]-88e0-6[TRUNCATED],@odata.context:https://outlook.office365.com/api/v2.0/$metadata#Me,EmailAddress:my.user@mycompany.com,]
[2018-05-28 14:24:36,713] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedExternalClaimDAO} - Cache hit for external claim list for dialect: http://wso2.org/oidc/claim in tenant: -1234
[2018-05-28 14:24:36,713] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - UNFILTERED_IDP_CLAIM_VALUES map property set to [@odata.id:https://outlook.office365[TRUNCATED] acf5e8c015e'),Alias:my.user,DisplayName:my USER,MailboxGuid:dxxxxxxxxxxxef1a,Id:[TRUNCATED]79639@[TRUNCATED]8c015e,@odata.context:https://outlook.office365.com/api/v2.0/$metadata#Me,EmailAddress:my.user@mycompany.com,]
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - UNFILTERED_LOCAL_CLAIM_VALUES map property set to []
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - UNFILTERED_SP_CLAIM_VALUES map property set to []
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning claims from claim handler = []
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Step processing is completed.
[2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - Handling post authentication
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Executing Post Authentication Management Service for context 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - No stored pastr cookie found in authentication context for : 09808b90-af77-49ad-b63c-54c01ea2c3d6 . Hence returning without validating
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - PASTR cookie is not set to context : 09808b90-af77-49ad-b63c-54c01ea2c3d6. Hence setting the cookie
[2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Starting from current post handler index 0 for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,717] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - XACMLBasedAuthorizationHandler is enabled. Hence executing for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,717] DEBUG {org.wso2.carbon.identity.application.authz.xacml.handler.impl.XACMLBasedAuthorizationHandler} - In policy authorization flow...
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler XACMLBasedAuthorizationHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler XACMLBasedAuthorizationHandler completed execution for session context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - MissingClaimPostAuthnHandler is enabled. Hence executing for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.PostAuthnMissingClaimHandler} - Post authentication handling for missing claims started
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler MissingClaimPostAuthnHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler MissingClaimPostAuthnHandler completed execution for session context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - ConsentMgtPostAuthenticationHandler is enabled. Hence executing for context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler ConsentMgtPostAuthenticationHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]c-54c01ea2c3d6
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication handler ConsentMgtPostAuthenticationHandler completed execution for session context :[TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Post authentication evaluation has completed for the flow with session data key : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} - Removing post authentication sequnce tracker cookie for context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - Concluding the Authentication Flow
[2018-05-28 14:24:36,745] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Publishing session creation
[2018-05-28 14:24:36,748] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
[2018-05-28 14:24:36,749] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Returning roles, Azure Active Directory
[2018-05-28 14:24:36,749] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Retrieving current IDPw for user
[2018-05-28 14:24:36,751] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} - Publishing authentication success
[2018-05-28 14:24:36,807] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} - Sending response back to: /samlsso...
commonAuthAuthenticated: true
authenticatedUser: aff5b6e8-3ee4-470f-980a-82ba0f179639@7ab7bec6-e60d-43b1-88e0-6acf5e8c015e
authenticatedIdPs: eyJ0eXAiOiJKV1QiLCAiYWx[TRUNCATED]
sessionDataKey: 7d7081e3-b733-47e6-9d28-b9d169a4caf1
[2018-05-28 14:24:36,858] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
[2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler for the given handler list.
[2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
[2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query string : sessionDataKey=7d7081e3-b733-47e6-9d28-b9d169a4caf1
[2018-05-28 14:24:36,861] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - No SaaS SAML service providers found for the issuer : travelocity.com. Checking for SAML service providers registered in tenant domain : carbon.super
[2018-05-28 14:24:36,909] DEBUG {org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder} - Building SAML Response for the consumer 'http://testsso.myapp.com/travelocity.com/home.jsp'
[2018-05-28 14:24:36,911] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
[2018-05-28 14:24:36,945] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
[2018-05-28 14:24:36,970] DEBUG {org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder} - Initializing Key Data for super tenant using system key store
[2018-05-28 14:24:37,017] DEBUG {org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder} - Initializing Key Data for super tenant using system key store
[2018-05-28 14:24:37,027] DEBUG {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - <?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://testsso.myapp.com/travelocity.com/home.jsp" ID="_4ef05bebd4ab91eabd769cc4ee37d501" InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi" IssueInstant="2018-05-28T14:24:36.921Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_4ef05bebd4ab91eabd769cc4ee37d501">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>zo728mSqUt83wg9P5p0xQWMqna0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
uij0SKVN2wbNcBFhUva/zdYZdLJFncZjbx6bDrpKkL9cXKQdzcNnoPTo7NqO3ENqCxzynYV60eEa
D1I1TBLWDDa03X2Juouoijh3I9+SujuWp724eFbt7UmUFsi6Xw2yiMA6D+t7sCeWQD315ddyt/zL
V9MaQ4SUT+m2a17DjxTEQ0ErrQtqvnrv3+VtgT4/kV1HbkzF6UKyR7FLrV6y1SbMrwEXVrB8qfOg
CXaL/gdwMsqcCjwBsuxY0gprp1zSB6jaTPyhiso84uirKJ+VELaY32tYhuRB4GdAVBg+eB1pESNC
yzoB9khd18faM/pHPpy2XyU12G9XIf5Es9jAcQ==
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxDTALBgNVBAoTBFdTTzIxEjAQBgNVBAMTCWxv
[TRUNCATED]
CUXBkoV2V4tJg2GozJJQL+iiWen3HhRW1bc93msuJ+BJOQMIs4MOb4bYS4XWyrjMw4aWlAsCw91g
[TRUNCATED]
qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="_54459a8d0c72b06aaa9cbe446f9362f1" IssueInstant="2018-05-28T14:24:36.935Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_54459a8d0c72b06aaa9cbe446f9362f1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>f+rrjvtlOhgKz8tVnHE+3nEzoZM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
/mvTmWZLM7GM6sApmyLX6OXUp8z0pkY+vT/9+zRxxQs7GurC4/C1nK3rI/0ySUgGEafO1atNjYml
SOu0s4wPMg1mAnpz6suXzBXn3nq+u+zxszUBSmB6Ji3iw7vy2w/X8GJPb6YgCk0cW69mDMxr61zy
V8up9UQHeb58Eds6BJ5PJvMrCPTGy59Q03er7X1rzIMNVN0ijaFFQTOd2CCS21OHF+g5709TQun9
Pty9jqM1CgRPpqvZa2lPQBQqZrHkdDE06q4NG0DqMH8NT+tNkXBe9YTre3EJCSfsvswtLVDZ7GDv
rlsAPDJe8WsU8n2kRf4n43gj+UiHOrCL1EeqcQ==
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
[TRUNCATED]
C6xKegbRWxky+5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9+PmjdGt
[TRUNCATED]
au4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0+s6kMl2EhB+rk7gXluEep7lIOenzfl2f6IoTKa2
THKojJjQvdVCzRj6XH5Truwefb4BJz9APtnlyJIvjHk1hdozqyOniVZd0QOxLAbcdt946chNdQvC
[TRUNCATED]
qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[TRUNCATED]-82ba0f179639@[TRUNCATED]-88e0-6acf5e8c015e</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi" NotOnOrAfter="2018-05-28T14:29:36.921Z" Recipient="http://testsso.myapp.com/travelocity.com/home.jsp"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2018-05-28T14:24:36.935Z" NotOnOrAfter="2018-05-28T14:29:36.921Z"><saml2:AudienceRestriction><saml2:Audience>travelocity.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2018-05-28T14:24:36.952Z" SessionIndex="4cd87270-9341-4a54-8d14-1c0fefd4ede6"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="@odata.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://outlook.office365.com/api/v2.0/Users('[TRUNCATED]980a-82ba0f179639@[TRUNCATED]-88e0-6acf5e8c015e')</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Alias" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my.user</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="DisplayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my USER</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="MailboxGuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[TRUNCATED]-89b84064ef1a</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[TRUNCATED]-82ba0f179639@[TRUNCATED]-88e0-6acf5e8c015e</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="@odata.context" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://outlook.office365.com/api/v2.0/$metadata#Me</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my.user@mycompany.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
[2018-05-28 14:24:37,031] DEBUG {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - PD94bWwgdmVy[TRUNCATED]SZXNwb25zZT4=
[2018-05-28 14:24:37,032] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
[2018-05-28 14:24:37,057] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - samlsso_response.html <!--
Variables http://testsso.myapp.com/travelocity.com/home.jsp, $response, $relayState and $additionalParams will be replaced by the corrosponding values
-->
<html>
<body>
<p>You are now redirected back to http://testsso.myapp.com/travelocity.com/home.jsp
If the redirection fails, please click the post button.</p>
<form method='post' action='http://testsso.myapp.com/travelocity.com/home.jsp'>
<p>
<!--$params-->
<input type='hidden' name='SAMLResponse' value='PD94bWwgdmVyc2lvbj0iMS4wIjB[TRUNCATED]NhbWwycDpSZXNwb25zZT4='/>
<!--$additionalParams-->
<button type='submit'>POST</button>
</p>
</form>
<script type='text/javascript'>
document.forms[0].submit();
</script>
</body>
</html>
Can I consider my configuration working as is, or is there a real issue there?
Thank you.
Answer 1:
In your SAML response, the issuer is localhost. It does not match what you have used; that is, you have used travelocity.com as the issuer. If you want to change the issuer in Identity Server, you can do it by navigating to the following location on your Identity Server: Resident Identity Provider -> SAML2 Web SSO Configuration -> Identity Provider Entity Id.
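What the error actually means, as an added example that is not part of the question, the answer, WSO2 Identity Server or the travelocity sample: the SP compares the `<saml2:Issuer>` of the Response (and of the Assertion) with the IdP entity ID it is configured to trust; in the travelocity sample that value is the `SAML2.IdPEntityId` property of `travelocity.properties`, and the Audience in the log (`travelocity.com`) is the SP's own entity ID, which is a different check. In the log above both Issuer elements read `localhost`, so "SAML2 Response Issuer verification failed" means the SP side was configured with something other than `localhost`; either side can be changed, but the two must agree. The code below reproduces the identifier checks an SP performs on a constructed Response that mirrors the logged one (signatures are deliberately not verified here; the hypothetical IdP entity ID `https://idp.mycompany.example/saml` is used only to show the failing case).

```python
"""Identifier checks an SP performs on a SAML 2.0 Response before trusting it.

Added example; not code from the original question, answer, WSO2 IS or the
travelocity sample.  The embedded Response is constructed to mirror the one in
the log above (Issuer "localhost", Audience "travelocity.com", same ACS URL,
request ID and validity window).  Signature verification is out of scope; only
the identifiers the SP compares against its configuration are checked.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

ACS_URL = "http://testsso.myapp.com/travelocity.com/home.jsp"
REQUEST_ID = "niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi"

# Constructed sample: values taken from the logged Response, with the
# signature values and the attribute statement left out (the Issuer check
# never reads them).  The SignedInfo is kept so the algorithm check has input.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://testsso.myapp.com/travelocity.com/home.jsp"
    ID="_4ef05bebd4ab91eabd769cc4ee37d501"
    InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi"
    IssueInstant="2018-05-28T14:24:36.921Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_4ef05bebd4ab91eabd769cc4ee37d501">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_54459a8d0c72b06aaa9cbe446f9362f1" IssueInstant="2018-05-28T14:24:36.935Z" Version="2.0">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>my.user@mycompany.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi"
            NotOnOrAfter="2018-05-28T14:29:36.921Z"
            Recipient="http://testsso.myapp.com/travelocity.com/home.jsp"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-05-28T14:24:36.935Z" NotOnOrAfter="2018-05-28T14:29:36.921Z">
      <saml2:AudienceRestriction><saml2:Audience>travelocity.com</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2018-05-28T14:24:36.921Z into an aware UTC datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)


def check_response(xml_bytes, idp_entity_id, sp_entity_id, acs_url, request_id, now):
    """Return a list of (check, detail) failures; an empty list means every check passed.

    Checks, in order: Response Issuer, Destination and InResponseTo on the Response,
    then Assertion Issuer, SubjectConfirmationData Recipient/InResponseTo, Audience,
    and the NotBefore/NotOnOrAfter window.  The Issuer checks are the ones behind
    "SAML2 Response Issuer verification failed".
    """
    failures = []
    resp = ET.fromstring(xml_bytes)

    issuer = resp.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        failures.append(("response_issuer", f"{issuer!r} != expected {idp_entity_id!r}"))
    if resp.get("Destination") != acs_url:
        failures.append(("destination", resp.get("Destination")))
    if resp.get("InResponseTo") != request_id:
        failures.append(("response_in_response_to", resp.get("InResponseTo")))

    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        failures.append(("assertion", "no saml:Assertion in Response"))
        return failures
    a_issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if a_issuer != idp_entity_id:
        failures.append(("assertion_issuer", f"{a_issuer!r} != expected {idp_entity_id!r}"))

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        failures.append(("recipient", None if scd is None else scd.get("Recipient")))
    if scd is not None and scd.get("InResponseTo") != request_id:
        failures.append(("assertion_in_response_to", scd.get("InResponseTo")))

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        failures.append(("audience", audiences))

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            failures.append(("not_before", cond.get("NotBefore")))
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            failures.append(("not_on_or_after", cond.get("NotOnOrAfter")))
    return failures


def signature_algorithms(xml_bytes):
    """Return every ds:SignatureMethod and ds:DigestMethod Algorithm URI in document order."""
    root = ET.fromstring(xml_bytes)
    wanted = {f"{{{NS['ds']}}}SignatureMethod", f"{{{NS['ds']}}}DigestMethod"}
    return [e.get("Algorithm") for e in root.iter() if e.tag in wanted]


if __name__ == "__main__":
    now = _ts("2018-05-28T14:25:00.000Z")
    # SP configured with the IdP entity ID the Response carries: no failures.
    print(check_response(SAMPLE_RESPONSE, "localhost", "travelocity.com", ACS_URL, REQUEST_ID, now))
    # SP configured with a different (hypothetical) IdP entity ID: both Issuer checks fail.
    print(check_response(SAMPLE_RESPONSE, "https://idp.mycompany.example/saml",
                         "travelocity.com", ACS_URL, REQUEST_ID, now))
    print(signature_algorithms(SAMPLE_RESPONSE))
```

The `signature_algorithms` helper is there because the logged Response is signed with `rsa-sha1` and digested with `sha1`; an SP that has just fixed the Issuer mismatch should also know that its IdP is still issuing SHA-1 signatures, which is worth raising separately from the configuration question.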
Source: https://stackoverflow.com/questions/50569438/wso2-identity-server-saml2-response-issuer-verification-failed