1

我在签署以下 saml 消息时遇到了一些麻烦:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp/sso/assert" ID="id-qOKj7lEjHF9LLlTjt" InResponseTo="_cd59dfa2245177f214bfc5252c873e702ad29640c3" IssueInstant="2018-07-06T07:34:48Z" Version="2.0">
    <saml2:Issuer>http://myidp/sso</saml2:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_50247aab9621ee91aaca836e20de20dc">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA.....</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-RytehFWT2t5Bem6UH" IssueInstant="2018-07-06T07:34:48Z" Version="2.0">
        <saml2:Issuer>http://myidp/sso</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test@test.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_cd59dfa2245177f214bfc5252c873e702ad29640c3" NotOnOrAfter="2018-07-06T07:34:48Z" Recipient="https://sp/assert"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2018-07-06T07:34:48Z" NotOnOrAfter="2018-07-08T08:52:24.242Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>test_audience</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2018-07-06T07:34:48Z" SessionIndex="_72c6639cdbf65c0b2eed63847990b13a">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

每当我启动使用 xmlsec1 进行签名的命令时,都会收到以下消息:

Error: failed to find default node with name="Signature"
Error: failed to load template "/tmp/test.xml"
Error: failed to sign file "/tmp/test.xml"

正如您在我的 SAML 消息中看到的那样,我已经有一个 Signature 标签,并且我检查了我的 XML 是否有效,所以我现在有点卡住了。谁能找到我的问题?

4

1 回答 1

0

事实证明,我在消息的断言部分缺少签名节点,如果你想对消息和断言进行签名,你需要同时拥有这两个节点。

于 2018-08-13T08:55:56.543 回答