SAML 响应 xml 无效
Posted
技术标签:
【中文标题】SAML 响应 xml 无效【英文标题】:SAML Response xml not valid 【发布时间】:2017-12-01 22:54:33 【问题描述】:我为我们的一位客户开发了一个自定义 SAML IdP。但是,当尝试将以下响应传递给 SP 时,它会失败。我尝试使用一些在线可用的 SAML 在线工具来验证响应,我看到了一些错误,但我不知道出了什么问题。有人可以帮忙吗?
<Response xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_8ad9eb0c-c65c-4327-ae76-ae238ca17e96"
Version="2.0"
IssueInstant="2017-06-28T13:53:06.9612024Z"
Destination="https://crnm.lessonly.com/auth/saml/callback"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml:Issuer>https://crnm.lessonly.com/auth/saml/metadata</saml:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</Status>
<saml:Assertion Version="2.0"
ID="_4761e320-64e8-4d8a-a443-2e4e2ccb3e98"
IssueInstant="2017-06-28T13:53:06.9612024Z"
>
<saml:Issuer>https://crnm.lessonly.com/auth/saml/metadata</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">amilev1@visualantidote.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://crnm.lessonly.com/auth/saml/callback"
NotOnOrAfter="2017-06-28T13:58:06.9768269Z"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2017-06-28T13:53:06.9768269Z"
NotOnOrAfter="2017-06-28T13:58:06.9768269Z"
>
<saml:AudienceRestriction>
<saml:Audience>https://crnm.lessonly.com/auth/saml/metadata</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2017-06-28T13:53:06.9768269Z"
SessionIndex="_4761e320-64e8-4d8a-a443-2e4e2ccb3e98"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="UserID"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xsd:string">125481</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xsd:string">amilev1@visualantidote.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="first_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xsd:string">Angel1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="last_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xsd:string">Milev1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xsd:string">Angel1 Milev1</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_4761e320-64e8-4d8a-a443-2e4e2ccb3e98">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>UB/5XN1dGa2/w0aKRmmq2oFvbOE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>JTkUhfmk2ngPQnFtSC41WQodJj0MyCHw8oCJbEQE32vgViV4ucVvaim4jKMMD6B7JIkvCtuyu8II5h6oJOSsXQK0x03hlQFqpdgj/1Be53v9H90PWTgJ1mr41jF2AQTgAcdJmuV05oI23KxI+5jNFifri+POHSEfRU+k0Phyh+UTA2DlhFnbn5DAjzhnIu4e+L35QJBCSwZy7zT+NDr7dzL/JLAQOC79PlaM4cbjn9ri2bUwS3T1QFMQqsxGOl+ggaAwGWWNQlCV2Se2tZ1rLVUpZ5lB611GIbysBmghy5gtDe3htDHsp8IkuJnRf4lndjral7FVmZ1pdPhdK7HTgTA=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDUTCCAjigAwIBAgIBADANBgkqhkiG9w0BAQ0FADBCMQswCQYDVQQGEwJjYTERMA8GA1UECAwITWFuaXRvYmExDTALBgNVBAoMBENSTk0xETAPBgNVBAMMCENSTk0uQ09NMB4XDTE3MDYyMTE5MzEzNloXDTI3MDYxOTE5MzEzNlowQjELMAkGA1UEBhMCY2ExETAPBgNVBAgMCE1hbml0b2JhMQ0wCwYDVQQKDARDUk5NMREwDwYDVQQDDAhDUk5NLkNPTTCCASMwDQYJKoZIhvcNAQEBBQADggEQADCCAQsCggECAPbVJtzJTRQvSkAOl8sGUymWy0K1yNKI11Vf8eDnHiH/awkgSu9JORwochJdHPnTA8qA1KaH7IxIIZX8wYkXsE9OxRkUAv+xWHemVBRrUc64wlotfghCCziaPuhinPKxQ63BlIkj0u/KOmdXcGvOfYasBK0Gr4IVpL7X4CdXTDKQPF5Y6zV7Ed5lgjDcO3wG1klHGVSStOwIFptWzyArDMNCrOWqSbojzczjxcrESy8agTR1Z/U+YVhcwHub2ch0w/RkxepvtLQMHiTK3YtFrp5of29pCGHLv0dWgCoR+S7+VcSbQrQdAv1kb13EC64F55GwvJnPEcQGTous2DZrbsOnAgMBAAGjUDBOMB0GA1UdDgQWBBToNe5/YV0PcEjQJlvv/yJ7FhfvQjAfBgNVHSMEGDAWgBToNe5/YV0PcEjQJlvv/yJ7FhfvQjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAgCPzeVaQNP3Bm796QT5R2r0Ur537xkN9f6W69paWfh2Ti7FzVyBCUMUMHL55dR24m45Xl7X2rurwZnr3oyibcCUENk2nYQ3uadoXTj3q5jfW2KxTx0DQH2F4D3TqxUpsTcJpt5eG+2mFheAyG6A+k719ShVgV6BtW1A1U9KJMD7UeWbejBGKrAC3AkCQyIaBjw+64sed8NN+jRPaEJxJ/APpHEBRiXQQOtnTKoRoz9ZvRvJTZ0N65/s+Cs7c2Y56PonWjlY2Kt4W5tp4VZTCmwnGmvMApyrWr/IZ9GgJsSz1EmbfVGKjKLHM29xXxnBLmkfGdc1yU4HXZYVFh00Ds6cgA==</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
</Response>
使用 samltool.com 上的验证器出现以下错误:
XML 无效。
行:69 |列:0 --> 元素“http://www.w3.org/2000/09/xmldsig#签名”:不需要此元素。
【问题讨论】:
您好,请为这个新问题创建一个新问题并将其标记为已解决。这将帮助其他人更轻松地找到答案 【参考方案1】:SAML XSD 要求 Signature 元素紧跟在 Issuer 元素之后
【讨论】:
成功了,非常感谢!现在我需要找出新的错误:)以上是关于SAML 响应 xml 无效的主要内容,如果未能解决你的问题,请参考以下文章
AuthenticationServiceException:验证 SAML 消息时出错 :: AuthNResponse;FAILURE;响应的状态码无效:状态消息为空
SAML 2 和 ADFS 3.0 IDP - SSO 无效状态代码首次登录 - 但之后每次都成功
SAMLException:响应具有无效的状态代码状态消息为空