1

SAMLException:当我尝试进行 saml 登录并从身份提供程序站点启动而未启动请求表单服务提供程序站点时,出现以下错误“断言因缺少受众限制而失效”。

我的 SP 元数据:

   <?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="urn_test_system_stag_sp_test" entityID="urn:test:system:stag:sp:test"
                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://mytestsite/samlSlo"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://mytestsite/samlSlo"/>

        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://mytestsite/samlAcs?sp=test" index="0"
                                     isDefault="true"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     Location="https://mytestsite/samlAcs?sp=test"
                                     index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

我有的例外:

       2018-02-15 15:30:24,356 org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
2018-02-15 15:30:24,356     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
2018-02-15 15:30:24,356     at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
2018-02-15 15:30:24,356     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
2018-02-15 15:30:24,356     at com.test.marlin.action.sso.saml2.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:61)
2018-02-15 15:30:24,356     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
2018-02-15 15:30:24,356     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
2018-02-15 15:30:24,356     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
2018-02-15 15:30:24,356     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
2018-02-15 15:30:24,356     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.marlin.action.TstsFilter.doFilter(TstsFilter.java:79)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.mycode.access.InitSessionFilter.doFilter3(InitSessionFilter.java:226)
2018-02-15 15:30:24,356     at com.test.mycode.access.InitSessionFilter.doFilter2(InitSessionFilter.java:160)
2018-02-15 15:30:24,356     at com.test.mycode.access.InitSessionFilter.doFilter(InitSessionFilter.java:95)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.modules.servlet.ForwardFilter.doFilter(ForwardFilter.java:230)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.modules.servlet.FakeIpFilter.doFilter(FakeIpFilter.java:43)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.modules.servlet.ClientIpFilter.doFilter(ClientIpFilter.java:114)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.mycode.frontend.filter.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:98)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
2018-02-15 15:30:24,356     at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:289)
2018-02-15 15:30:24,356     at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:838)
2018-02-15 15:30:24,356     at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1349)
2018-02-15 15:30:24,356     at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1305)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1289)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1197)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketLink.handleAcceptTaskImpl(TcpSocketLink.java:993)
2018-02-15 15:30:24,357     at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:117)
2018-02-15 15:30:24,357     at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:93)
2018-02-15 15:30:24,357     at com.caucho.network.listen.SocketLinkThreadLauncher.handleTasks(SocketLinkThreadLauncher.java:169)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketAcceptThread.run(TcpSocketAcceptThread.java:61)
2018-02-15 15:30:24,357     at com.caucho.env.thread2.ResinThread2.runTasks(ResinThread2.java:173)
2018-02-15 15:30:24,357     at com.caucho.env.thread2.ResinThread2.run(ResinThread2.java:118)
2018-02-15 15:30:24,357 Caused by: org.opensaml.common.SAMLException: Assertion invalidated by missing Audience Restriction
2018-02-15 15:30:24,357     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:431)
2018-02-15 15:30:24,357     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
2018-02-15 15:30:24,357     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
2018-02-15 15:30:24,357     ... 50 more
2018-02-15 15:30:25,939 org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
2018-02-15 15:30:25,939     at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
2018-02-15 15:30:25,939     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
2018-02-15 15:30:25,939     at com.test.marlin.action.sso.saml2.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:61)
2018-02-15 15:30:25,939     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
2018-02-15 15:30:25,939     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
2018-02-15 15:30:25,939     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
2018-02-15 15:30:25,939     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
2018-02-15 15:30:25,939     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.marlin.action.TstsFilter.doFilter(TstsFilter.java:79)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.mycode.access.InitSessionFilter.doFilter3(InitSessionFilter.java:226)
2018-02-15 15:30:25,939     at com.test.mycode.access.InitSessionFilter.doFilter2(InitSessionFilter.java:160)
2018-02-15 15:30:25,939     at com.test.mycode.access.InitSessionFilter.doFilter(InitSessionFilter.java:95)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.modules.servlet.ForwardFilter.doFilter(ForwardFilter.java:230)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.modules.servlet.FakeIpFilter.doFilter(FakeIpFilter.java:43)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.modules.servlet.ClientIpFilter.doFilter(ClientIpFilter.java:114)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.mycode.frontend.filter.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:98)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
2018-02-15 15:30:25,939     at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:289)
2018-02-15 15:30:25,939     at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:838)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1349)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1305)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1289)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1197)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleAcceptTaskImpl(TcpSocketLink.java:993)
2018-02-15 15:30:25,939     at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:117)
2018-02-15 15:30:25,939     at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:93)
2018-02-15 15:30:25,939     at com.caucho.network.listen.SocketLinkThreadLauncher.handleTasks(SocketLinkThreadLauncher.java:169)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketAcceptThread.run(TcpSocketAcceptThread.java:61)
2018-02-15 15:30:25,939     at com.caucho.env.thread2.ResinThread2.runTasks(ResinThread2.java:173)
2018-02-15 15:30:25,939     at com.caucho.env.thread2.ResinThread2.run(ResinThread2.java:118)
2018-02-15 15:30:25,939 Caused by: org.opensaml.common.SAMLException: Assertion invalidated by missing Audience Restriction
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:431)
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
    ... 50 more

任何人都可以帮助我吗?

4

1 回答 1

1

我遇到了这个问题,因为我没有启动我的请求表单服务提供者站点(我的站点)包含“saml2 颁发者”的 saml 请求,因此身份提供者站点将不知道请求发送者,并且在他们成功登录AudienceRestriction后将不包含在响应中并且SAMLException将被抛出

作为解决方案,我要求 Idinety 提供商永久添加以下内容AudienceRestriction

    <saml:Conditions NotBefore="2018-02-19T18:51:12.596Z" NotOnOrAfter="2018-02-19T19:51:12.596Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:test:system:stag:sp:test</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
于 2018-02-19T19:16:37.970 回答