Spring SAML handshake failure - Failed to validate untrusted credential against trusted key

Title: Spring SAML handshake failure - Failed to validate untrusted credential against trusted key | Posted: 2014-12-20 16:34:00 | Problem description:

I am using the Spring Security SAML extension to integrate with the ACA healthcare (aka Obamacare) site. It uses IDP-initiated SSO. The SAML handshake fails with the following output:

org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider] Single certificate was present, treating as end-entity certificate
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] Credentials successfully extracted from child http://www.w3.org/2000/09/xmldsig#X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] A total of 1 credentials were resolved
org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry] Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.opensaml.xml.signature.SignatureValidator] Signature validated with key from supplied credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate credential was successful
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Successfully verified signature using KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Attempting to establish trust of KeyInfo-derived credential
org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator] Failed to validate untrusted credential against trusted key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to establish trust of KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Attempting to verify signature using trusted credentials
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.apache.xml.security.signature.XMLSignature] Signature verification failed.
org.opensaml.xml.signature.SignatureValidator] Signature did not validate against the credential's key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)

My securityContext has the following:

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:$MC_METADATA</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <map>
                        <entry key="$MC_ALIAS_1">
                            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                                <property name="local" value="true" />
                                <property name="alias" value="$MC_ALIAS_1" />
                                <property name="securityProfile" value="metaiop" />
                                <property name="requireArtifactResolveSigned" value="false" />
                                <property name="requireLogoutRequestSigned" value="false" />
                                <property name="requireLogoutResponseSigned" value="false" />
                                <property name="idpDiscoveryEnabled" value="false" />
                            </bean>
                        </entry>

                    </map>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
    <property name="defaultExtendedMetadata">
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="local" value="true" />
            <property name="alias" value="$MC_ALIAS_1" />
            <property name="securityProfile" value="metaiop" />
            <property name="requireArtifactResolveSigned" value="false" />
            <property name="requireLogoutRequestSigned" value="false" />
            <property name="requireLogoutResponseSigned" value="false" />
            <property name="idpDiscoveryEnabled" value="false" />
        </bean>
    </property>
    <property name="hostedSPName" value="$MC_ALIAS_1" />
    </bean>

The incoming SAML contains an X509Certificate, which I have copied into the metadata file that is being signed. I also tried adding 'metadataTrustCheck' as false, but it is still the same error. Communication is over HTTPS, and my test server (which receives the SAML) uses a self-signed certificate.

Any ideas on what might be missing/wrong?

Comments:

Answer 1:

Normally, adding a certificate to the IDP's metadata makes it trusted by Spring SAML, so your approach is correct. One of the following may be causing the problem you are facing:

- The $MC_ALIAS_1 metadata may be your IDP metadata, but you are currently importing it as if it were SP metadata - are you using the metadata generator, or is this really your pre-configured SP metadata?
- You have imported the certificate found in the IDP's message into your SP metadata, but it needs to be imported into the IDP metadata in order to be trusted.

Posting the SAML message you received and the full configuration XML, not just a snippet, would make troubleshooting easier.

Discussion:

@avijendr and others visiting this question: the problem was a wrong certificate in the Spring IDP metadata file.

@avijendr were you able to resolve this? I have verified that the certificate in the metadata file is correct.
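The answer's point, and the comment that the fix was the certificate in the IDP metadata file, can be checked mechanically before touching the Spring configuration. The script below is an added example, not code from the original post or from Spring SAML: it pulls the X509Certificate out of the Response's ds:KeyInfo and the signing KeyDescriptor certificates out of the IDP and SP metadata, compares them by SHA-256 fingerprint after normalising the whitespace that exported metadata wraps around base64, and reports whether the message certificate is trusted, was put into the SP metadata by mistake, or is missing altogether. The XML documents, entity IDs and certificate bytes are constructed placeholders (the "certificates" are not real DER, only base64 stand-ins, which is enough for the comparison).

```python
"""Added diagnostic (not part of the original post or of Spring SAML): check
whether the X509Certificate carried in a SAML Response's ds:KeyInfo is listed
as a signing key in the IdP's metadata, which is what Spring SAML's
ExplicitKeySignatureTrustEngine needs before it trusts the signature, and
detect the mistake of adding that certificate to the SP metadata instead.
All XML, entity IDs and certificate values below are constructed placeholders."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed stand-ins for DER certificates (real ones would be X.509 DER).
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder: IdP signing certificate").decode()
SP_CERT_B64 = base64.b64encode(b"constructed placeholder: SP signing certificate").decode()


def cert_fingerprint(b64_text):
    """Strip the whitespace that metadata files add when wrapping base64 and
    return the SHA-256 fingerprint of the decoded bytes, so the same
    certificate compares equal however it was formatted."""
    der = base64.b64decode(re.sub(r"\s+", "", b64_text), validate=True)
    return hashlib.sha256(der).hexdigest()


def message_certs(saml_xml):
    """Fingerprints of every certificate inside the message's ds:Signature."""
    root = ET.fromstring(saml_xml)
    return {cert_fingerprint(c.text)
            for c in root.iterfind(".//ds:Signature//ds:X509Certificate", NS)}


def metadata_signing_certs(metadata_xml, role):
    """Fingerprints of certificates in KeyDescriptor elements of the given role
    (IDPSSODescriptor or SPSSODescriptor) that may be used for signing:
    use="signing" or no use attribute at all. use="encryption" is skipped."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(f".//md:{role}/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                found.add(cert_fingerprint(c.text))
    return found


def diagnose(saml_xml, idp_metadata_xml, sp_metadata_xml):
    """Say where the certificate that signed the message was (not) found."""
    in_msg = message_certs(saml_xml)
    if not in_msg:
        return "no certificate in KeyInfo"
    if in_msg & metadata_signing_certs(idp_metadata_xml, "IDPSSODescriptor"):
        return "trusted: certificate is a signing key in IdP metadata"
    if in_msg & metadata_signing_certs(sp_metadata_xml, "SPSSODescriptor"):
        return "untrusted: certificate is only in SP metadata, move it to the IdP metadata"
    return "untrusted: certificate is in neither metadata file"


# ---- constructed sample documents ----------------------------------------
RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


def make_metadata(role, cert_b64, use="signing"):
    """Constructed EntityDescriptor with one KeyDescriptor; the base64 is wrapped
    over two indented lines, as exported metadata commonly is."""
    wrapped = cert_b64[:24] + "\n        " + cert_b64[24:]
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://{role}.example.invalid">
  <md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {wrapped}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:{role}>
</md:EntityDescriptor>"""


IDP_METADATA_OK = make_metadata("IDPSSODescriptor", IDP_CERT_B64)
IDP_METADATA_WRONG = make_metadata("IDPSSODescriptor", SP_CERT_B64)   # wrong cert, as in the comment
SP_METADATA_OK = make_metadata("SPSSODescriptor", SP_CERT_B64)
SP_METADATA_WITH_IDP_CERT = make_metadata("SPSSODescriptor", IDP_CERT_B64)  # the asker's mistake

RESULT_OK = diagnose(RESPONSE, IDP_METADATA_OK, SP_METADATA_OK)
RESULT_WRONG_FILE = diagnose(RESPONSE, IDP_METADATA_WRONG, SP_METADATA_WITH_IDP_CERT)
RESULT_MISSING = diagnose(RESPONSE, IDP_METADATA_WRONG, SP_METADATA_OK)

if __name__ == "__main__":
    for name, result in (("ok", RESULT_OK), ("wrong file", RESULT_WRONG_FILE),
                         ("missing", RESULT_MISSING)):
        print(f"{name:10s} {result}")
```

Reading the log in the question with this in mind: "Signature validated with key from supplied credential" only proves the message is consistent with the certificate embedded in its own KeyInfo, which any sender can embed; the security decision is the next step, "Attempting to establish trust of KeyInfo-derived credential", and that is where the message certificate is compared against the IDP's metadata. Two caveats: OpenSAML's ExplicitKeyTrustEvaluator compares public keys rather than whole certificates, so a fingerprint match as above is sufficient but slightly stricter than what it requires; and `metadataTrustCheck=false` only disables verification of the metadata document's own signature, which is why it had no effect on this error.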
