OpenAM ITfoxtec Saml2 无效签名响应?

Posted

技术标签:

【中文标题】OpenAM ITfoxtec Saml2 无效签名响应?【英文标题】:OpenAM ITfoxtec Saml2 invalid signature response? 【发布时间】:2021-12-11 00:03:16 【问题描述】:

我正在尝试将 OpenAM Saml SSO 集成到我的 .net 5 应用程序中。 ITfoxtec.Saml2 用于处理 SP 上的身份验证。 尝试登录时,会发送有效的帖子 samlResponse。但是在验证响应时,我得到了以下异常。

ERROR|Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware|An unhandled exception has occurred while executing the request. ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature)
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName)
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response)

确认签名算法正确(http://www.w3.org/2000/09/xmldsig#rsa-sha1)

在手动验证 saml 响应时(通过浏览器插件 SAML Chrome 面板),我注意到签名和证书存在一些编码问题。我们的管理员还确认 openAM 编码配置设置为 utf-8。

我有什么遗漏的吗?

请求:

<saml2p:AuthnRequest
Destination="..."
ID="_b8fad14a-506b-4496-aa35-f09c4174e76f" IssueInstant="2021-10-25T12:59:21.212Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer>...</saml2:Issuer></saml2p:AuthnRequest>

回复:

<samlp:Response Destination="..."
ID="s2b5ecaf8f0265680dc4dcdd853678d3fb0fae7410" InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
IssueInstant="2021-10-25T12:59:21Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">...</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion ID="s21d821b22e63d329f2ae5284b1dcfab415b825ebf" IssueInstant="2021-10-25T12:59:21Z"
    Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>...</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#s21d821b22e63d329f2ae5284b1dcfab415b825ebf">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>DUXzMtgGm0bCJD88pdxmElxNsxs=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            SGKlcZKLqzLL2MxNld4/4lGC8C/p2AULruK+HIha8sGvdEnU4zvdYhC701q6LpjHLwKLVcwgv+pG&#13;
            ATzkzIZDmZ6SzXljQXtOwTwy4yT7gblbnL4W3gEqxceDtxs4MDjNQ+k/bJQlD32egA+ThteJyNby&#13;
            Cztkf8LR2S5MLCyDjPX93DgQ97zo+tr4vUsIlExK2MiQQlTNBgvR0tZqvvTAOCva20dBacc5FaW+&#13;
            qmUe7+lPeRzCnWp1Lag2KpSIJs7Uuc/Tp3uHw9Jys/g+ZYRQLESRpGEiPNLB602CMF4a8xOMUdlz&#13;
            VUW5ECdywnnrZfVdJmKcPg725YJVmUGzS6K1QA==
        </ds:SignatureValue>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQI&#13;
                    EwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsT&#13;
                    Bk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUx&#13;
                    CzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQK&#13;
                    EwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcN&#13;
                    AQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFw&#13;
                    jwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wz&#13;
                    lE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/&#13;
                    ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eL&#13;
                    FootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8w&#13;
                    HQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2i&#13;
                    dv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukj&#13;
                    IzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119&#13;
                    IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlG&#13;
                    o99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV3&#13;
                    1sBREs8FaaCeksu7Y48BmkUqw6E9
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="...">zC7qyfpyMwFtp24en9Y97+hEEptH</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="_b8fad14a-506b-4496-aa35-f09c4174e76f"
                NotOnOrAfter="2021-10-25T13:09:21Z" Recipient="..."/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-10-25T12:49:21Z" NotOnOrAfter="2021-10-25T13:09:21Z">
        <saml:AudienceRestriction>
            <saml:Audience>...</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2021-10-25T12:18:36Z"
        SessionIndex="s27d56759d777a5ce71e5b97601c1563c4137ced01">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        ...
    </saml:AttributeStatement>
</saml:Assertion></samlp:Response>

元数据:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://devopenam02.dev.coteng.com:8080/OpenAM-14.6.2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                  MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCeksu7Y48BmkUqw6E9
              </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   ...
  </IDPSSODescriptor>
</EntityDescriptor>

【问题讨论】:

基于 ItFoxtec.Saml2 的 SAML SP 可能不使用来自 IdP 的正确证书来验证 SAML 响应中的数字签名。 我已经添加了 idp 元数据并确认两个证书都匹配(unicode 字符除外) 【参考方案1】:

ITfoxtec Identity Saml2 包不读取 EntityDescriptor/KeyDescriptor 元素中的 IdP 签名证书,该元素不受支持。 IdP 证书在 EntityDescriptor/IDPSSODescriptor/KeyDescriptor 元素中读取。

TestIdPCore sample 的有效 IdP 元数据示例:

【讨论】:

以上是关于OpenAM ITfoxtec Saml2 无效签名响应?的主要内容,如果未能解决你的问题,请参考以下文章

ITfoxtec - ADFS SAML2 根据验证程序,远程证书无效

调用 Saml2PostBinding.Unbind() 时签名无效

ITfoxtec.Identity.Saml2.Saml2RequestException:“不完全是一个断言元素。”

使用 ITfoxtec.Identity.Saml2 登录用户

InvalidSignatureException:签名无效

ITfoxtec SAML2 能否支持多个 IdP?