没有签名的AuthnRequest在Gitlab上使用SAML

Posted 2021-04-07

我尝试使用SAML 2.0在Gitlab上实现SSO，我遇到了一些问题。

我公司的IdP经理给我发了他们的元数据，并按照关于SAML的Gitlab文档我配置了这样的Gitlab。

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false

gitlab_rails['omniauth_providers'] =
[
   {
name: "saml",
args:
{
assertion_consumer_service_url: "https://my.domain.com/gitlab/auth/saml/callback",
idp_cert: "
-----BEGIN CERTIFICATE-----
IDP_Certificate
-----END CERTIFICATE-----
",
idp_sso_target_url: "https://my_idp_target_URL",
issuer: "sp-gitlab",
name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",

},
label: "SSO"
}
 ]

我将我的元数据发送给了IdP，他们被接受了。

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2017-11-22T09:24:33Z" ID="_1910909d-5325-4cba-a56f-4f9082e05e24" entityID="sp-gitlab">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            My cert
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            Mycert
    </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.domain.com/gitlab/auth/saml/callback" index="0" isDefault="true"/>
        <md:AttributeConsumingService index="1" isDefault="true">
            <md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
            <md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
            <md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
            <md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
            <md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
        </md:AttributeConsumingService>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

当我尝试使用SSO连接到Gitlab时出现错误。我的AuthnRequest的签名不存在。 IdP的经理告诉我问题来自我的申请证书。所以这是关于Gitlab HTTPS的问题

nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 443
...
nginx['ssl_certificate'] = "/etc/gitlab/ssl/prod.cer"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/prod.key"

我的Gitlab实例运行在Apache Proxy之后，用于Gitlab的证书也用于这个Apache的网站。

那么为什么我的AuthnRequest中没有签名？我错在哪里或者我错过了什么？

附： ：我是SAML和Gitlab配置的新手，所以我可能错过了一些明显的东西

答案

您需要将证书和私钥添加到gitlab参数中。此外，您需要指定安全性参数以启用签名的生成。

这是一个示例：

gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
    {
        name: 'saml',
        args: {
            assertion_consumer_service_url: 'https://mywebsite/users/auth/saml/callback',
            assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            idp_cert_fingerprint: '77:EE:EE:AA:67:FA:78:4C:E2:ED:E8:57:AC:EE:AC:AB:AA:FF:FD:FD',
            idp_sso_target_url: 'https://idp.url/auth/SSOPOST/metaAlias/ent/providerIDP',
            idp_sso_target_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            idp_slo_target_url: 'https://idp.url/auth/IDPSloPOST/metaAlias/ent/providerIDP',
            idp_slo_target_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            sso_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            protocol_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            issuer: 'sp_gitlab',
            name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            certificate: "-----BEGIN CERTIFICATE-----
MIIDzjCCArYCCQCxUOzAVm5w3DANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMC
....
v84ULsyAgv8sVJ4XerZ9wr7B
-----END CERTIFICATE-----",
            private_key: "-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxcTsJ0sBMAH9NwEvDT5qcGBA6JiChtM90I9di7YC98lO5qFM
....
lfIj9QAaFdL9lPskg6zX6HEooOEoLib8fm9IZCIChjhsdjoj/6QXP6k=
-----END RSA PRIVATE KEY-----",
            security: {
                authn_requests_signed: true,
                embed_sign: true,
                digest_method: "XMLSecurity::Document::SHA1",
                signature_method: "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            }
        },
        label: 'SAML Auth'
    }
]

另一答案

根据我的知识和经验，AuthnRequest中没有签名。签名或加密在下一个HTTP请求中开始。

见：https://en.wikipedia.org/wiki/SAML_2.0#Authentication_Request_Protocol

你有什么地方和哪里有错误？

（示例）Authnrequest没有签名：

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_a976498d2ebe858cc56d486b5af2085ed957f45c5a"
                    Version="2.0"
                    IssueInstant="2017-08-10T13:29:09Z"
                    Destination="https://<idp_url>/idp/profile/SAML2/Redirect/SSO"
                    AssertionConsumerServiceURL="https://<mahara_adress>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://<mahara_adress>/mahara</saml:Issuer>
</samlp:AuthnRequest>