Spring SAML handshake fails – failed to validate untrusted credential against trusted key

I am using the Spring Security SAML extension to integrate with the ACA healthcare (aka Obamacare) website. It uses IDP-initiated SSO. The SAML handshake fails with the following output

org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider] Single certificate was present, treating as end-entity certificate
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] A total of 1 credentials were resolved
org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry] Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.opensaml.xml.signature.SignatureValidator] Signature validated with key from supplied credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate credential was successful
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Successfully verified signature using KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Attempting to establish trust of KeyInfo-derived credential
org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator] Failed to validate untrusted credential against trusted key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to establish trust of KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Attempting to verify signature using trusted credentials
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.apache.xml.security.signature.XMLSignature] Signature verification failed.
org.opensaml.xml.signature.SignatureValidator] Signature did not validate against the credential's key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)

My securityContext contains the following:

         classpath:${MC_METADATA}                                    

The incoming SAML contains an X509Certificate, which I have copied into the metadata file under the signature. I also tried adding 'metadataTrustCheck' set to false, but I still get the same error. Communication is over HTTPS, and my test server (which receives the SAML) uses a self-signed certificate.

Any ideas on what might be missing/wrong?

Generally, adding the certificate to the IDP's metadata makes it trusted by Spring SAML, so your approach is correct. One of the following may be causing the problem you are seeing:

  • The ${MC_ALIAS_1} metadata may be your IDP metadata, but you are currently importing it as if it were SP metadata – are you using the metadata generator, or is this SP metadata you pre-configured?
  • You imported the certificate found in the IDP message into the SP metadata, whereas it needs to be imported into the IDP metadata in order to be trusted

Posting the SAML message you receive together with the full configuration XML, rather than just a snippet, would make troubleshooting easier.
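A small offline check for the two causes listed in the answer, written as an added example; it is not part of the question or the answer and is not Spring SAML's or OpenSAML's code. It pulls the X509Certificate out of the incoming message's ds:KeyInfo, looks for the same bytes in the metadata file, and reports whether that certificate sits under the IDPSSODescriptor (what the explicit-key trust engine needs), only under the SPSSODescriptor (the answer's second bullet), or nowhere. Everything below is constructed: the "certificates" are placeholder byte strings rather than real DER, the SAML Response and metadata documents are minimal stand-ins, and the entityID https://idp.example is invented. The comparison is byte-for-byte on the certificate, a simplification of the trust engine's comparison of the resolved public key against the keys in the IDP's metadata; if you re-export a certificate with different encoding the real check can still pass where this one reports a mismatch.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol/metadata and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def der_bytes(b64_text):
    """Decode a base64 <ds:X509Certificate> body (whitespace tolerated) to bytes."""
    return base64.b64decode("".join(b64_text.split()))


def fingerprint(der):
    """SHA-256 hex fingerprint of the certificate bytes, handy for comparing by eye."""
    return hashlib.sha256(der).hexdigest()


def message_signing_certs(saml_xml):
    """Certificates carried inline in ds:Signature/ds:KeyInfo of a SAML message."""
    root = ET.fromstring(saml_xml)
    certs = []
    for key_info in root.iterfind(".//ds:Signature/ds:KeyInfo", NS):
        for cert in key_info.iterfind(".//ds:X509Certificate", NS):
            certs.append(der_bytes(cert.text))
    return certs


def metadata_certs(metadata_xml):
    """Map (role, use) -> [cert bytes] for every KeyDescriptor; role is 'idp' or 'sp',
    use is the KeyDescriptor 'use' attribute or 'any' when absent (covers signing)."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for tag, role in (("md:IDPSSODescriptor", "idp"), ("md:SPSSODescriptor", "sp")):
        for descriptor in root.iterfind(".//" + tag, NS):
            for kd in descriptor.iterfind("md:KeyDescriptor", NS):
                use = kd.get("use", "any")
                for cert in kd.iterfind(".//ds:X509Certificate", NS):
                    found.setdefault((role, use), []).append(der_bytes(cert.text))
    return found


def diagnose(saml_xml, metadata_xml):
    """For each cert in the message's KeyInfo return (status, fingerprint, locations):
    'trusted'    listed under IDPSSODescriptor with use="signing" or no use attribute
    'wrong_role' present in the file, but only where it does not establish IDP trust
    'missing'    not in the metadata at all."""
    meta = metadata_certs(metadata_xml)
    report = []
    for der in message_signing_certs(saml_xml):
        locations = sorted(key for key, ders in meta.items() if der in ders)
        trusted = any(role == "idp" and use in ("signing", "any") for role, use in locations)
        status = "trusted" if trusted else ("wrong_role" if locations else "missing")
        report.append((status, fingerprint(der), locations))
    return report


# Constructed placeholders: NOT real certificates, just distinct byte strings.
CERT_IDP_B64 = base64.b64encode(b"constructed-idp-signing-cert").decode()
CERT_OTHER_B64 = base64.b64encode(b"constructed-unrelated-cert").decode()

# Constructed IDP-initiated Response carrying its signing cert inline, as in the log above.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_IDP_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def metadata_with_cert(role_tag, cert_b64):
    """Constructed metadata: cert_b64 under role_tag, an unrelated cert under the other role."""
    other = "md:SPSSODescriptor" if role_tag == "md:IDPSSODescriptor" else "md:IDPSSODescriptor"
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example">
  <{role_tag} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </{role_tag}>
  <{other} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_OTHER_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </{other}>
</md:EntityDescriptor>"""


# The asker's situation: the message cert pasted under the SP descriptor.
METADATA_CERT_UNDER_SP = metadata_with_cert("md:SPSSODescriptor", CERT_IDP_B64)
# The fix: the same cert under the IDPSSODescriptor.
METADATA_CERT_UNDER_IDP = metadata_with_cert("md:IDPSSODescriptor", CERT_IDP_B64)

if __name__ == "__main__":
    for label, md in (("cert under SP", METADATA_CERT_UNDER_SP), ("cert under IDP", METADATA_CERT_UNDER_IDP)):
        for status, fp, where in diagnose(SAMPLE_RESPONSE, md):
            print(f"{label}: {status} sha256={fp[:16]}... found at {where}")
```

Run it against your real files by replacing SAMPLE_RESPONSE with the decoded Response you receive and the metadata string with the file that ${MC_METADATA} points at; a "wrong_role" result with the location ('sp', 'signing') is exactly the second bullet in the answer, and "missing" means the certificate the IDP signs with never made it into the file at all.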