Response doesn't have any valid assertion which would pass subject validation

问题

I am completely new to SAML, and ADFS. I tried googling my error, but sadly did not get any hits. I have been trying to set up Spring SAML and ADFS so I can get single sign-on working, by following this guide It seems like I am close to the end but I am met by the following error: Response doesn't have any valid assertion which would pass subject validation

Strack trace:

[#|2015-10-29T08:03:43.334+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1689;_ThreadName=Thread-2;|- AuthNResponse;FAILURE;fe80:0:0:0:e1fd:739e:9d4e:8883%14;https://nkr-beh1:18181/saml/saml/metadata;http://NKR-AD.adm.kulturrad.no/adfs/services/trust;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:217)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:745)

I checked out the code, and it is supposed to get the assertion from the response (ADFS) and if this is null it throws out the errors. I guess that means my ADFS is missing something, or am I misunderstanding what Assertions are?

回答1:

First you should take a Fiddler trace and see if AD FS issued a token successfully. Alternatively you can enable auditing on AD FS side to see what tokens were issued if any.

See here for audit instructions https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(WS.10).aspx#bkmk_ConfigureAuditing

Then the security event log and AD FS event logs should confirm if there was an error issuing a token or whether it was successfully issued.

See here for some details for reviewing Fiddler. Its written for wsfed but will help for SAML too. http://social.technet.microsoft.com/wiki/contents/articles/3286.aspx

This plugin might also be of use to see tokens better. Likely easier than using textwizard to do base64/deflatedsaml decoding as applicable. http://social.technet.microsoft.com/wiki/contents/articles/3590.fiddler-inspector-for-federation-messages.aspx

Fiddler will interfere with Windows Integrated Auth unless you follow this link and disable extended protection on AD FS. http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx

If you have 2012R2 you should do

Set-ADFSProperties -ExtendedProtectionTokenCheck None 

Fiddler wont help if your app provided an encryption cert and AD FS is sending an encrypted assertion. In that case AD FS security log and debug logs are easier to use to see exactly what was sent.

The goal here is to see the assertion and the subject element. Then check why validation fails.

You can see a sample assertion here https://rnd.feide.no/samlexample/simplesamlphp_saml_2_0_authentication_response/. You need to see if AD FS issued a token successfully (check status is success and not responder) and with a subject that meets your app validation checks.

回答2:

I ran into same problem with Srping security SAML , the solution is when you create a MetadataGenerator Bean the Entity ID set should Match exactly with Audience Restriction(or similar field ) in Idp Provider , I have used Okta as Idp Provider hence Audience Restriction was field to be properly configured

来源：https://stackoverflow.com/questions/33408854/response-doesnt-have-any-valid-assertion-which-would-pass-subject-validation