saml - UntrustedCertificateException：对等 SSL/TLS 证书不受信任 SAML gluu 服务器

Question

我正在尝试配置我的应用程序 (SP) 以使用远程 IDP。IDP 为我提供了使用 SP 配置的证书。对于 SAML 请求。我得到这个例外：

org.springframework.security.saml.trust.UntrustedCertificateException：由 XXX 颁发的对等 SSL/TLS 证书 XXX 不受信任，将证书或其 CA 添加到您的信任库，并可选择使用证书的别名更新扩展元数据中的 tlsKey。

遵循对等方提供的证书（PEM 格式）。存在/结束证书（包括）之间的内容可以存储在文件中并使用keytool 导入，例如'keytool -importcert -file cert.cer -alias certAlias -keystore keystore.jks'）。在将提供的证书添加到密钥库之前，请确保提供的证书是由您信任的 CA 颁发的。

为什么我得到这个例外？

我正在使用 gluu 服务器，它是 shibboleth 组件。在 SP 中有一个 apollo.cert 和一个 samlkeystore.jks 。apollo.crt 在 samlkeystore.jks 中导入。我运行 SP 并获取 metadata.xml（它包含 ds:X509Certificate）并将此文件导入 gluu server 。我一头雾水，问题出在哪里？IDP 或 SP？我能做些什么来解决这个问题？我真的需要帮助。

编辑：

@Bernahrd，@Guillermo 非常感谢您的回复。我仍在工作，但不知道这里发生了什么。我在 idp 和 sp 添加元数据 xml 文件。

这是 gluu idp 元数据，要在 gluu 服务器上生成 idp 元数据，我使用https://hostname/idp/shibboleth

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://ubuntu.gluu.info/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <IDPSSODescriptor errorURL="https://ubuntu.gluu.info/identity/feedback.htm"
                      protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
                        UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
                        MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
                        dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
                        BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
                        DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
                        FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
                        AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
                        KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
                        8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
                        ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
                        +lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
                        1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
                        CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
                        Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
                        iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
                        EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
                        YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
                        PmIqbqM/Ii1e0kD7
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                                   Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/ArtifactResolution"
                                   index="1"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                   Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution"
                                   index="2"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                             Location="https://ubuntu.gluu.info/idp/profile/Shibboleth/SSO"/>
        <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/Unsolicited/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://ubuntu.gluu.info/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
                        UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
                        MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
                        dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
                        BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
                        DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
                        FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
                        AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
                        KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
                        8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
                        ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
                        +lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
                        1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
                        CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
                        Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
                        iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
                        EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
                        YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
                        PmIqbqM/Ii1e0kD7
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                          Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/AttributeQuery"/>
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                          Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/AttributeQuery"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    </AttributeAuthorityDescriptor>
</EntityDescriptor>

然后我将它添加到 shibboleth-idb.xml 中的 SP

这是我的 SP 元数据文件，应该添加到 gluu idp 中：

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
                     entityID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
                        CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
                        MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
                        ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
                        GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
                        ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
                        5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
                        F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
                        qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
                        UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
                        0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
                        82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
                        8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
                        RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
                        bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
                        CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
                        MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
                        ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
                        GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
                        ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
                        5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
                        F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
                        qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
                        UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
                        0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
                        82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
                        8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
                        RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
                        bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
                                     isDefault="true"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="1"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
                                     Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="2"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
                                     Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
                                     hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     index="3"
                                     xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
                                     Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
                                     hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="4"
                                     xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

在 gluu 服务器中，我添加了新的信任关系并向其中添加了 SP 元数据文件。

但是这里发生了一些奇怪的事情，在SP索引页面中我选择了shibolleth idp，然后出现了shibolleth idp的登录页面，输入用户名和密码后它重定向到我的SP然后发生异常，根据异常，idp发送给我这个证书和想让我把它添加到我的信任库中：

谢谢。

score 0 · Accepted Answer

你的 SP 元数据有

       <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                 Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
                                 isDefault="true"/>

因此将使用工件绑定。

--> SP 尝试连接到 IdP 的 Artifact Resolution 服务（Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution"）。

由于这具有方案“https”，因此必须执行安全的 SOAP 调用。

您可以为运行应用程序的部署容器配置 JSSE 信任库（JVM-option -Djavax.net.ssl.trustStore=PATH_TO_JKS_TRUSTORE）并将提供的证书添加到帽子信任库或从 SP 的元数据中删除工件绑定，并且只使用前端通道绑定（所有通信都通过用户代理）

saml - UntrustedCertificateException：对等 SSL/TLS 证书不受信任 SAML gluu 服务器

1 回答 1

Related

Reference