AuthenticationServiceException：验证 SAML 消息时出错 :: AuthNResponse;FAILURE;响应的状态码无效：状态消息为空

Posted 2023-02-27

【中文标题】AuthenticationServiceException：验证 SAML 消息时出错 :: AuthNResponse;FAILURE;响应的状态码无效：状态消息为空

【英文标题】：AuthenticationServiceException: Error validating SAML message :: AuthNResponse;FAILURE; Response has invalid status code : status message is null

【发布时间】：2017-10-01 05:24:06

【问题描述】：

我正在尝试使用 ADFS 配置 Spring SAML 扩展。

我收到消息 - 状态消息为空。最后提供了详细的日志。

我在 *** 上浏览过类似的帖子。他们建议在 ADFS 服务器上启用 RSA1。

org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null

Issues while integrating ADFS with Spring SAML Extension

我的日志似乎 RSA1 正常，并且服务器上的设置相同。

注意

服务器证书是自签名的。 服务器上存在发夹，并设置主机文件条目来解决该问题。

编辑 1：

IdP 发起的单点登录正在运行。但是，该错误仅在 SP 启动登录时发生。此外，在 ADFS 服务器端没有观察到日志

日志

DEBUG DigesterOutputStream:55 - Pre-digested input:
DEBUG DigesterOutputStream:60 - <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://mysite-dev:443/empdServer/saml/SSO" ID="_4fba4628-a5d1-4fb6-85d4-f9366db2385a" InResponseTo="a4g74i6f5sdi3ebg778g3f4jab0j9c" IssueInstant="2017-05-02T14:28:51.502Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.myserver/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode></samlp:Status></samlp:Response>
DEBUG Reference:784 - Verification successful for URI "#_4fba4628-a5d1-4fb6-85d4-f9366db2385a"
DEBUG Manifest:344 - The Reference has Type 
DEBUG SignatureValidator:70 - Signature validated with key from supplied credential
DEBUG BaseSignatureTrustEngine:148 - Signature validation using candidate credential was successful
DEBUG BaseSignatureTrustEngine:101 - Successfully verified signature using KeyInfo-derived credential
DEBUG BaseSignatureTrustEngine:102 - Attempting to establish trust of KeyInfo-derived credential
DEBUG ExplicitKeyTrustEvaluator:91 - Successfully validated untrusted credential against trusted key
DEBUG BaseSignatureTrustEngine:104 - Successfully established trust of KeyInfo-derived credential
INFO  SAMLProtocolMessageXMLSignatureSecurityPolicyRule:129 - Validation of protocol message signature succeeded, message type: urn:oasis:names:tc:SAML:2.0:protocolResponse
DEBUG SAMLProtocolMessageXMLSignatureSecurityPolicyRule:131 - Authentication via protocol message signature succeeded for context issuer entity ID http://adfs.myserver.com/adfs/services/trust
DEBUG BaseMessageDecoder:85 - Successfully decoded message.
DEBUG BaseSAMLMessageDecoder:191 - Checking SAML message intended destination endpoint against receiver endpoint
DEBUG BaseSAMLMessageDecoder:210 - Intended message destination endpoint: https://mysite-dev:443/myapp/saml/SSO
DEBUG BaseSAMLMessageDecoder:211 - Actual message receiver endpoint: https://mysite-dev/myapp/saml/SSO
DEBUG BaseSAMLMessageDecoder:219 - SAML message intended destination endpoint matched recipient endpoint
DEBUG SAMLUtil:349 - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@4189c9e9 for request URL https://mysite-dev/myapp/saml/SSO based on location attribute in metadata
DEBUG ProviderManager:162 - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
DEBUG SAMLAuthenticationProvider:98 - Error validating SAML message
  org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1519)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1475)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
2017-05-02 07:28:51 INFO  SAMLDefaultLogger:127 - AuthNResponse;FAILURE;1x.1x.1x.1x;urn:myapp.mysite;http://adfs.myserver.com/adfs/services/trust;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1519)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1475)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)

DEBUG SAMLProcessingFilter:350 - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
DEBUG SAMLProcessingFilter:351 - Updated SecurityContextHolder to contain null Authentication
DEBUG SAMLProcessingFilter:352 - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@20088b6d

【参考方案1】：

错误出现在 AD FS 端。您的日志只是报告 AD FS 报告了错误。

您应该查看 AD FS 事件日志以了解应用程序和服务\ad fs\admin 事件日志中的内容。

如果 IDP 发起的登录有效，则意味着 SP 端具有对应于 AD FS 的正确详细信息。您只需要确保 AD FS 正在接收基于您在 AD FS 端配置的请求。

https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(v=ws.10).aspx 应该会有所帮助。

【讨论】：

谢谢。这已经配置好了。出错时在 ADFS 服务器端没有生成日志。

这不太可能。你应该有东西。否则根据该链接检查 ad fs 调试日志。