SAMLException:响应具有无效的状态代码状态消息为空

Posted

技术标签:

【中文标题】SAMLException:响应具有无效的状态代码状态消息为空【英文标题】:SAMLException: Response has invalid status code status message is null 【发布时间】:2018-03-14 09:25:50 【问题描述】:

我正在尝试将 spring-securtiy-saml 集成实现为带有 adfs 系统的 SP,并且我现在已经有几天头疼了,当 SAMLResponnse 在成功身份验证后从 ADFS 发回时发生此异常,并且以下异常是抛出。这是调试日志:

2017-10-02 18:05:09,246 - DEBUG [http-apr-443-exec-9] BaseMessageEncoder - Successfully encoded message.
2017-10-02 18:05:09,246 - INFO  [http-apr-443-exec-9] SAMLDefaultLogger - AuthNRequest;SUCCESS;208.95.100.30;saml2.glassboxdigital.com;http://this/is/a/valid/url;;;
2017-10-02 18:05:09,859 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Request is to process authentication
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain a descriptor for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain any role descriptors of type urn:oasis:names:tc:SAML:2.0:metadataSPSSODescriptor for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document does not contain a role of type urn:oasis:names:tc:SAML:2.0:metadataSPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
2017-10-02 18:05:09,862 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
2017-10-02 18:05:09,863 - DEBUG [http-apr-443-exec-3] SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-10-02 18:05:09,864 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML relay state of: https://console-ex-saml.glassboxcloud.com/webinterface/webui/
2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Getting Base64 encoded message from request
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Parsing message stream into DOM document
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Unmarshalling message DOM
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Constructing Apache XMLSignature object
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding KeyInfo to Signature
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Message succesfully unmarshalled
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML message
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
2017-10-02 18:05:09,872 - DEBUG [http-apr-443-exec-3] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO" ID="_f33a822d-ca9c-4f55-92fd-325454f92f66" InResponseTo="a2g8hci4d0e1aa891bcj1d03ci51c29" IssueInstant="2017-10-02T18:05:12.972Z" Version="2.0">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">valid.issuer</Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
         <ds:Reference URI="#_f33a822d-ca9c-4f55-92fd-325454f92f66">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>XC9VCfj8MgDg/c5PaT/KPIWoAHn67SI2gHU937SILbc=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>wfvDzv0cONrCjWi7k02oyISk16ABYY8UdG2CuP8Dg4jHcWL64Lp5lO3wvmNkcNX87tXN41ndqIIHupuKkqcLvqQs07fprxrIhkmDrScEkJObWD1pkNahUp24ERlOGt+fDWMcfWNpERpgHGU2O/FlH7kRUsj+LCxD3o1FQAHhXJeBVA1lbI6B+dOfyT2zLgpmS1jkaKLX/AKsc/56dvzDIUP5ElF5eMQdwuNmapmvCynSDSalP/v1KVn9pf12ShjiQh/oku4CtAXSgnjFbrg752EtGoaT80foIkooMjJQMSjC/CjHIGAMVEuTJraXUVdvgKPao5rC85OkFdOOoDYtOg==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
            <ds:X509Certificate>MIIFFzCCA/+gAwIBAgIETCPgRjANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xNDA4MTIxODE5MTJaFw0xODEwMTMwMjI0MTlaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMREwDwYDVQQHEwhCZWxsZXZ1ZTEWMBQGA1UEChMNRXhwZWRpYSwgSW5jLjEYMBYGA1UEAxMPc3NvLmV4cGVkaWEuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2nGjBS3eZkuPHyjIFsMT8Ex19ywmOUXxDI051/ZVFcCmbNFlKJrfbhxO0PpX1mOv3REC0SC22bwdQGDH35JVSmPq7NR52S0Q/RwVDUb9mXs86d6q/BACm5KfHavsXXbMKrCQSQzHBeMoMS6cQIvUgtmvfjnpJ6tYp+OF2MK6sa568cy34C3m63O66Kt/tFOZwGg8qmJCXdEpCtHR3TEiqmtoHc/A4XbhSg9BR/6+Z8kZb8T7AeKh69BPy5U7SuaW0ifOpS4TigONkqn3vPQkxjtosYL3X0/+WBaHDbA642H4wMBa9cWrMBp6u9u2NBulK82HVrdJB6iC8rZLsD7twIDAQABo4IBfjCCAXowCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L2xldmVsMWMuY3JsMGQGCCsGAQUFBwEBBFgwVjAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwLwYIKwYBBQUHMAKGI2h0dHA6Ly9haWEuZW50cnVzdC5uZXQvMjA0OC1sMWMuY2VyMEoGA1UdIARDMEEwNQYJKoZIhvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjAaBgNVHREEEzARgg9zc28uZXhwZWRpYS5iaXowHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFDsc7/1fpNaaFgJ1jKZfWmBD9WJ4MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAH97BdZzQIHGzyONbs1uLw71HJhWp3PtubbJ4aBRtmfopgJV/X/u4MfkKO8MokDY/oqN+PQLc0NwT6hfSWiclpOjWSW3u35IFQZTU+stT41/T41gvRHmnfCL3QuB+qNeQdWiDtWKAsJUUlx1Qn90BC23fbyiJptbppP3MDLbbf09grfifW0tJ4ThYOv4JkC/W3rtCiu6XryUWtFtz+RtwWtlSL5dxJnEE7VDvUcOSC+6dywb4dO/bSfYA1/gdbWXImsU+4124eC4DztWChDIMqCVqQObkNYdb9MsRr7itC+ezXVorKXzWhwG2FlNV8TjcCRgTKgdVFyw9+KMPXzFX+Q=</ds:X509Certificate>
         </ds:X509Data>
      </KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
   </samlp:Status>
</samlp:Response>

2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Enveloped signature transform
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Exclusive C14N signature transform
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Attempting to verify signature on signed SAML protocol message using context issuer message type: urn:oasis:names:tc:SAML:2.0:protocolResponse
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Forcing on-demand metadata provider refresh if necessary
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Attempting to retrieve credentials from cache using index: [blabla,urn:oasis:names:tc:SAML:2.0:metadataIDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Retrieved credentials from cache using index: [blabla,urn:oasis:names:tc:SAML:2.0:metadataIDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to verify signature and establish trust using KeyInfo-derived credentials
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Found 0 key names: []
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: http://www.w3.org/2000/09/xmldsig#X509Data
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type http://www.w3.org/2000/09/xmldsig#X509Data, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type http://www.w3.org/2000/09/xmldsig#X509Data, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child http://www.w3.org/2000/09/xmldsig#X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Attempting to extract credential from an X509Data
2017-10-02 18:05:09,874 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 1 X509Certificates
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 0 X509CRLs
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Single certificate was present, treating as end-entity certificate
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child http://www.w3.org/2000/09/xmldsig#X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Attempting to validate signature using key from supplied credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Creating XMLSignature object
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Signature validated with key from supplied credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Signature validation using candidate credential was successful
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential
2017-10-02 18:05:09,875 - INFO  [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Validation of protocol message signature succeeded, message type: urn:oasis:names:tc:SAML:2.0:protocolResponse
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Authentication via protocol message signature succeeded for context issuer entity ID blabla
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Successfully decoded message.
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Intended message destination endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Actual message receiver endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@41fbfcbf for request URL https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO based on location attribute in metadata
2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
2017-10-02 18:05:09,876 - INFO  [http-apr-443-exec-3] SAMLDefaultLogger - AuthNResponse;FAILURE;208.95.100.30;saml2.glassboxdigital.com;blabla;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

我已经在 SO 中讨论了一些问题:

    org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null Issues while integrating ADFS with Spring SAML Extension Setting the ExtendedMetadata 'signingAlgorithm' field

还有更多,几乎所有人似乎都认为这个问题是密钥库中过期密钥的问题或消息签名的问题。最初我认为问题出在消息的签名上(adfs 需要 RSA-SHA256,而 open saml 的默认值是 RSA-SHA1)。但我已经修复了它,如下所示:

SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

keystore 似乎也是一个问题,因为 idp 证书是硬编码在从 idp 导入的元数据中的。 问题似乎源于 WebSSOProfileConsumerImpl.java 的第 113 行,如果 statusCode 值等于 urn:oasis:names:tc:SAML:2.0:status:Success,则方法 processAuthenticationResponse 正在第 107 行检查,但是在我们从 idp 收到的响应中,状态代码等于 urn:oasis:names:tc:SAML:2.0:status:Responder 我想知道这是否是我们在 SAMLRequest 或其他方面的问题, 或者如果这是 adfs 方面的问题。 任何想法为什么会这样?

【问题讨论】:

看起来这是 IDP 端的错误或错误配置。看看这个 - ***.com/questions/46476260/… 【参考方案1】:

我猜这个问题是关于签名算法的。 Spring SAML 默认使用 SHA-1,ADFS 需要 SHA-256。两者之间的不匹配会以您的体验方式表现出来。

您可以通过查看 ADFS 的事件日志来验证此假设,或找到此行为的其他原因。

【讨论】:

【参考方案2】:

我们遇到了同样的问题,问题是 Spring 需要 SHA-1 和 ADFS 需要 SHA-256 之间不匹配。但是,我们的客户希望我们将 Spring Security SAML 升级为使用 SHA-256,而不是将 ADFS 降级为使用 SHA-1。

下面将向您展示如何将 Spring Security 升级到 SHA-256。

spring-security-adfs-saml2 example project on GitHub Configure Spring Security SAML to use SHA-256 as secure hash algorithm Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms

【讨论】:

以上是关于SAMLException:响应具有无效的状态代码状态消息为空的主要内容,如果未能解决你的问题,请参考以下文章

预检响应在角度 4 中具有无效的 HTTP 状态代码 500

预检响应具有无效的 HTTP 状态代码:401 角度

Angular 5:预检响应具有无效的 HTTP 状态代码 403

预检响应具有无效的 HTTP 状态代码 400 - aspx

预检响应具有无效的 HTTP 状态代码 401 - Spring

CORS 问题:预检响应具有无效的 HTTP 状态代码 403