
We are trying to connect to a Microsoft ADFS server using Spring Security. We set up the Spring SAML sample application as described in the Spring Security documentation, but we get the following error on the ADFS server.

Exception details: 
    Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations.
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Followed by:

The verification of the SAML message signature failed. 
Message issuer: http://adfs.xxxx.yyyy.com/adfs/services/trust 
Exception details: 
MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations. 

This request failed. 

User Action 
Verify that the message issuer configuration in the AD FS configuration database is up to date. 
Configure the signing certificate for the specified issuer. 
Verify that the issuer's certificate is up to date. 
Verify the issuer and server message signing requirements.

We have already applied the suggestions above. There are no error messages in the Spring Security logs.


1 Answer


The SAML specification (4.1.4.1 Usage) says:

Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion. This element MUST NOT contain any <SubjectConfirmation> elements. If the identity provider does not recognize the principal as that identity, then it MUST respond with a <Response> message containing an error status and no assertions.

It looks like the module may be violating that specification. Check and see whether there is an option to avoid sending the SubjectConfirmation element to the IDP.

answered 2015-10-06T19:51:46.687
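As an added illustration of the rule the answer quotes (this is not code from the question, the answer, Spring SAML or ADFS), the following Python checks an outbound AuthnRequest for the condition that MSIS7075 rejects: a <saml:Subject> that carries <saml:SubjectConfirmation> children. The sample request is constructed for the example; the IDs, URLs and the email address in it are placeholders, not values from the original page. It uses only the standard library.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by AuthnRequest (samlp) and Subject (saml).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample AuthnRequest (hypothetical SP and IdP URLs), deliberately
# containing the SubjectConfirmation that the WebSSO profile forbids.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-1" Version="2.0" IssueInstant="2015-10-06T19:51:46Z"
    Destination="https://adfs.example.com/adfs/ls/"
    AssertionConsumerServiceURL="https://sp.example.com/saml/SSO">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>
"""


def subject_confirmations(authn_request_xml):
    """Return every <saml:SubjectConfirmation> found under <saml:Subject>."""
    root = ET.fromstring(authn_request_xml)
    return root.findall("saml:Subject/saml:SubjectConfirmation", NS)


def is_websso_compliant(authn_request_xml):
    """True when the request satisfies SAML Core 4.1.4.1: a Subject, if present,
    carries no SubjectConfirmation elements (the condition ADFS enforces as MSIS7075)."""
    return len(subject_confirmations(authn_request_xml)) == 0


def strip_subject_confirmations(authn_request_xml):
    """Return the request with SubjectConfirmation children removed from Subject.
    The NameID (the identity the SP is asking about) is kept, as the spec allows.
    Must run BEFORE the request is signed: editing a signed message breaks its signature."""
    root = ET.fromstring(authn_request_xml)
    for subject in root.findall("saml:Subject", NS):
        for confirmation in subject.findall("saml:SubjectConfirmation", NS):
            subject.remove(confirmation)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("compliant before:", is_websso_compliant(SAMPLE_AUTHN_REQUEST))
    cleaned = strip_subject_confirmations(SAMPLE_AUTHN_REQUEST)
    print("compliant after: ", is_websso_compliant(cleaned))
    print(cleaned)
```

Two practical notes. First, the ADFS event quoted in the question reports the problem under the heading "The verification of the SAML message signature failed", which is misleading: the stack trace shows the check happening inside ValidateSignatureRequirements, but the cause is the request content, not the certificate, so re-importing the signing certificate will not clear MSIS7075. Second, any fix that rewrites the AuthnRequest has to happen before the SP signs it; stripping elements from an already-signed message would produce a genuine signature failure on top of the profile violation.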