
We have an enterprise application acting as the SP (service provider) and an OpenAm instance acting as the IDP (identity provider).

The metadata was generated from the SP and imported into OpenAm.

Metadata file

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_602b5e40-99ef-0134-def1-4d6af9854785" entityID="https://<site>/sso_auth/metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        cert
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        cert
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService ResponseLocation="https://<site>/sso_auth/logout" Location="https://<site>/sso_auth/logout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
        <md:NameIDFormat>
            urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        </md:NameIDFormat>
        <md:AssertionConsumerService isDefault="true" index="0" Location="https://<site>/sso_auth/consume_saml" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

The SP digitally signs the request and sends it to OpenAm, and I then get an "Invalid SAML request" error.

The SP's signed request

<samlp:AuthnRequest AssertionConsumerServiceURL='https://<site>/sso_auth/consume_saml'
    Destination='http://<openam>/openam_12.0.0/SSOPOST/metaAlias/idp'
    ID='_2eeaae10-99f0-0134-def1-4d6af9854785' IssueInstant='2016-12-01T12:32:44Z' Version='2.0'
    xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'
    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
    <saml:Issuer>https://<site>/sso_auth/metadata</saml:Issuer>
    <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
            <ds:SignatureMethod Algorithm='XMLSecurity::Document::RSA_SHA1'/>
            <ds:Reference URI='#_2eeaae10-99f0-0134-def1-4d6af9854785'>
                <ds:Transforms>
                    <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
                    <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
                        <ec:InclusiveNamespaces PrefixList='#default samlp saml ds xs xsi md'
                            xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
                <ds:DigestValue>n4a4wAkD84V7Qm+8MTeYcJzsAxI=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            signature
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    cert
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:NameIDPolicy AllowCreate='true'
        Format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'/>
</samlp:AuthnRequest>

I get the following error

[screenshot of the error]

Please help me solve this problem.


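A pre-flight check an SP operator can run on an AuthnRequest before sending it to the IdP, added here as an example (not code from the question or from OpenAm). It flags the kind of defect visible in the request above: XML Signature requires `SignatureMethod Algorithm` to be an algorithm URI, but the posted request carries the literal ruby-saml constant name `XMLSecurity::Document::RSA_SHA1` instead of the URI that constant resolves to, `http://www.w3.org/2000/09/xmldsig#rsa-sha1`, which an IdP cannot map to a verification algorithm. The allow-lists, the hostnames and the trimmed sample request are assumptions constructed for the check.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm URIs an xmldsig verifier recognises; assumed allow-list for this check
SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
DIGEST_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1",
               "http://www.w3.org/2001/04/xmlenc#sha256"}

def check_authn_request(xml_text, sp_entity_id, idp_sso_url):
    """Lint a signed AuthnRequest against the SP metadata; returns a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    if root.findtext("saml:Issuer", namespaces=NS) != sp_entity_id:
        findings.append("Issuer does not match the SP entityID in metadata")
    if root.get("Destination") != idp_sso_url:
        findings.append("Destination is not the IdP SSO endpoint")
    sig = root.find("ds:Signature", NS)
    if sig is None:  # metadata declares AuthnRequestsSigned="true"
        return findings + ["AuthnRequestsSigned is set but no ds:Signature present"]
    sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    if sig_alg not in SIG_ALGS:
        findings.append("SignatureMethod %r is not an xmldsig algorithm URI" % sig_alg)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref.find("ds:DigestMethod", NS).get("Algorithm") not in DIGEST_ALGS:
        findings.append("DigestMethod is not a recognised digest URI")
    if ref.get("URI") != "#" + root.get("ID", ""):  # enveloped signature must cover the request itself
        findings.append("Reference URI does not point at the request's own ID")
    return findings

# Constructed sample, trimmed from the request in the question: the SignatureMethod
# carries the ruby-saml constant name instead of the URI it stands for.
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  Destination="http://idp.example/openam/SSOPOST/metaAlias/idp">
  <saml:Issuer>https://sp.example/sso_auth/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="XMLSecurity::Document::RSA_SHA1"/>
    <ds:Reference URI="#_req1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference></ds:SignedInfo></ds:Signature></samlp:AuthnRequest>"""

if __name__ == "__main__":
    for f in check_authn_request(SAMPLE, "https://sp.example/sso_auth/metadata",
                                 "http://idp.example/openam/SSOPOST/metaAlias/idp"):
        print("FINDING:", f)
```

Replacing the constant name with the rsa-sha1 URI makes the sample pass; the check does not verify the signature value itself, which the IdP does after the algorithm identifiers are accepted.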