I'm working on a project and have basically reached the point where I don't know what to do to get any further.
I'm trying to work with a vendor to set up an SSO flow using SAML. Currently we do this process manually, since we don't have a solution like SimpleSAMLphp implemented.
To test the process we set up SimpleSAMLphp as the service provider. This has helped a lot during our testing phase, but we are currently hitting this error:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /portal/server/htdocs/saml/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Neither the assertion nor the response was signed.
Backtrace:
3 /portal/server/htdocs/saml/modules/saml/lib/Message.php:554 (sspmod_saml_Message::processAssertion)
2 /portal/server/htdocs/saml/modules/saml/lib/Message.php:518 (sspmod_saml_Message::processResponse)
1 /portal/server/htdocs/saml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /portal/server/htdocs/saml/www/module.php:135 (N/A)
Here is the SAML request we are sending to our SP to see whether we can authenticate.
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="efmlkhlddlofoifkbikjkbemicpndhjingeioamb" Version="2.0" IssueInstant="2014-04-14T15:09:50Z" Destination="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm" Version="2.0" IssueInstant="2014-04-14T15:09:50Z">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>
<saml:Subject>
<saml:NameID SPNameQualifier="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">123456789</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-04-14T15:19:50Z" Recipient="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-04-14T15:04:50Z" NotOnOrAfter="2014-04-14T15:19:50Z">
<saml:AudienceRestriction>
<saml:Audience>https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-04-14T15:09:50Z" SessionNotOnOrAfter="2014-04-14T16:09:50Z" SessionIndex="hkckflaackcdmckckpipgjpdgdlhmiieclpigaij">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="eagleID" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<saml:AttributeValue xsi:type="xs:string">123456789</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<saml:AttributeValue xsi:type="xs:string">cwsterling@mediumuniversity.edu</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>p/aLBlix/UI0oNiHgg4t5fgkwJg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>AsVSwH8mVNHhOak3z2A9j8F/1Q67Yuw472K9BI649EUePdT8QOCW/+BTS+OG+CM++Yn1J7ceT+pwYvOLMr5HFcUcdr8VMZNfPuk2oefs4afK8BpP2ndskPlGhfFx7UlkdXdu41dzWMJeaULo1KfcHtKF0e1ZgObucN3GCNDs97s=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</samlp:Response>
Now, while formatting it for the code block, I accidentally added a few extra spaces in there.
I'm using this PHP library to sign the SAML file: https://code.google.com/p/xmlseclibs/ with the following code:
<?php
require_once 'xmlseclibs.php';   // https://code.google.com/p/xmlseclibs/

// $tempFileName: path of the unsigned samlp:Response XML
// $privKey: path to the signing private key (loaded as a file below)
// $encHash1: value passed as 'uri_context' to addReference()
$doc = new DOMDocument();
$doc->load($tempFileName);
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
/* reference built from the whole document, with the enveloped-signature transform */
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true, 'uri_context' => $encHash1));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
/* load private key */
$objKey->loadKey($privKey, TRUE);
$objDSig->sign($objKey);
/* Add associated public key */
$objDSig->add509Cert(file_get_contents('gsukeys/academicworks_pub.pem'));
/* appends ds:Signature as the last child of the document element (samlp:Response) */
$objDSig->appendSignature($doc->documentElement);
$doc->save($tempFileName . '.out');
I would say that if I don't have the last part of this line
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));
specifically array('force_uri' => true,'uri_context'=>$encHash1), the service provider sees the file and successfully validates my request.
Any suggestions on how to create this file to send? We don't want to implement SimpleSAMLphp as our login, because that would require changing the entire login process, which we already changed over the summer to integrate with CAS.
Edit to clarify how the change I made makes it work.
When I tell it to get rid of the reference URI part, it gets rid of this: URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm"
and it no longer points to a specific part of the signed document. So I think either the whole document is being signed, or the signature is just being added to the document and SimpleSAMLphp is simply ignoring it.
Edit 2: I forgot to update this. I eventually found this code: http://michaelseiler.net/2013/08/23/cas-and-google-sso-integration/ which really helped me, and after 2 tries I was able to do what I wanted.
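An added placement check, not from the question or from xmlseclibs/SimpleSAMLphp, for the structural rule behind "Neither the assertion nor the response was signed": an SP only credits a ds:Signature to the samlp:Response or saml:Assertion that directly contains it and whose ID its Reference URI names. The sample documents are constructed and trimmed; the IDs resp-1 and assert-1 are placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, trimmed copy of the layout in the question: ds:Signature is a child
# of samlp:Response, but its Reference names the Assertion's ID, so it binds to neither.
MISPLACED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="resp-1">
  <saml:Assertion ID="assert-1">
    <saml:Issuer>https://idp.example.edu/</saml:Issuer>
  </saml:Assertion>
  <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#assert-1"/></ds:SignedInfo></ds:Signature>
</samlp:Response>"""

# Constructed corrected layout: the same signature placed inside the Assertion it references.
ASSERTION_SIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="resp-1">
  <saml:Assertion ID="assert-1">
    <saml:Issuer>https://idp.example.edu/</saml:Issuer>
    <ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#assert-1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def signature_bindings(xml_text):
    """For each ds:Signature, report its containing element and whether the signature is
    bound to it (exactly one Reference whose URI is '#' + that element's ID). Digest and
    signature-value verification stay with the crypto library; this checks placement only."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        holder = parent.get(sig)
        holder_id = holder.get("ID") if holder is not None else None
        uris = [ref.get("URI") for ref in sig.iter(f"{{{DS}}}Reference")]
        findings.append({
            "holder": holder.tag.split("}")[-1] if holder is not None else None,
            "holder_id": holder_id,
            "reference_uris": uris,
            "bound": holder_id is not None and uris == ["#" + holder_id],
        })
    return findings


def signed_elements(xml_text):
    """Names ('Response', 'Assertion') of elements that carry a correctly bound signature."""
    return {f["holder"] for f in signature_bindings(xml_text) if f["bound"]}
```

Run against MISPLACED the result is an empty set, which is exactly what SimpleSAMLphp reports; against ASSERTION_SIGNED it is {"Assertion"}.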