Azure IDP metadata loading fails
【Posted】2018-07-02 14:19:34
【Question】I am working on a project that reuses https://github.com/vdenotaris/spring-boot-security-saml-sample to integrate with Azure AD as the IDP.
The integration went smoothly. The only thing I cannot solve is the metadata trust check.
According to https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html, it is recommended to set metadataTrustCheck to false to skip signature verification.
However, I would like to ask whether it is possible to use the metadata trust check with Azure.
To reproduce, set the IDP metadata URL to https://login.microsoftonline.com/sample.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml, set metadataTrustCheck in WebSecurityConfig#extendedMetadataProvider to true, and import the login.microsoftonline.com SSL certificate into samlKeystore.jks.
2018-01-23 09:58:05.450 DEBUG 9924 --- [localhost-startStop-1] o.o.xml.signature.SignatureValidator : Signature validated with key from supplied credential
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.x.s.x.BasicX509CredentialNameEvaluator : Supplied trusted names are null or empty, skipping name evaluation
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Attempting PKIX path validation on untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
2018-01-23 09:58:05.458 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Building certificate path using default security provider
2018-01-23 09:58:05.466 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.8.0_161]
at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator.validate(CertPathPKIXTrustEvaluator.java:85) ~[spring-security-saml2-core-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
This problem does not occur with the ssocircle metadata https://idp.ssocircle.com/idp-meta.xml.
【Answer 1】The certificate used to sign the metadata seems to be different from the one you imported from login.microsoftonline.com.
See: Signature trust establishment failed for SAML metadata entry
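An added illustration of the answer's point (not code from the question, the answer, or the sample project): the key that metadataTrustCheck has to trust is the one carried in the metadata document's own enveloped ds:Signature, which is unrelated to the TLS certificate of login.microsoftonline.com and also distinct from the KeyDescriptor certificates the IdP uses for assertions. The script below pulls that signing certificate out of a metadata document and reports the PEM and SHA-256 fingerprint; the function names, the SAMPLE_METADATA document and its base64 blobs are constructed here and are not real Azure AD metadata.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not real Azure AD metadata: the blobs are base64 of
# placeholder bytes rather than DER certificates, and the tenant id is a dummy.
SIGNING_BLOB = base64.b64encode(b"constructed-metadata-signing-cert").decode()
ASSERTION_BLOB = base64.b64encode(b"constructed-assertion-signing-cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/><SignatureValue>Y29uc3RydWN0ZWQ=</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{SIGNING_BLOB}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{ASSERTION_BLOB}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _fingerprint(b64_text: str) -> tuple:
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    return der, hashlib.sha256(der).hexdigest()

def extract_metadata_signing_cert(metadata_xml: str) -> dict:
    """Certificate from the enveloped <ds:Signature> directly under the root: this is
    the key metadataTrustCheck must trust. KeyDescriptor certs are assertion keys."""
    root = ET.fromstring(metadata_xml)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("metadata is unsigned; metadataTrustCheck cannot pass")
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("signature KeyInfo carries no X509Certificate")
    der, fp = _fingerprint(cert.text)
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        textwrap.wrap(base64.b64encode(der).decode(), 64)) + "\n-----END CERTIFICATE-----\n"
    return {"der": der, "sha256": fp, "pem": pem}

def keydescriptor_fingerprints(metadata_xml: str) -> list:
    """SHA-256 fingerprints of the IdP's KeyDescriptor certs, for comparison only."""
    path = "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return [_fingerprint(el.text)[1] for el in ET.fromstring(metadata_xml).findall(path, NS)]
```

Run extract_metadata_signing_cert on the downloaded FederationMetadata.xml, save the PEM and import it with keytool -importcert -alias <alias> -file <pem> -keystore samlKeystore.jks, then reference that alias from the ExtendedMetadataDelegate's metadataTrustedKeys; the fingerprint lets you confirm against keytool -list -v that the keystore holds the metadata signing certificate and not the TLS one. Azure AD rolls its signing keys over periodically, so a pinned keystore entry has to be refreshed when the published metadata changes.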