
I am testing an application that uses spring-security-saml, with KeyCloak as the identity provider for testing. KeyCloak by default runs on http, and on https with a self-signed certificate.

When retrieving the metadata over https in the browser at https://localhost:8543/auth/realms/master/protocol/saml/descriptor, it correctly returns the following:

<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost:8543/auth/realms/master">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>phlmLKZ2YqrT_0hsZQYSpBPrZxPmgNdI3I2AmPQFjg8</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>MIICmzCCAYMCBgF05GlTszANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAxMDAxMTM0NDAyWhcNMzAxMDAxMTM0NTQyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYxMG75gqear+r+4fyvmyNSMcHzB46HRk7sNd0Y9LDbuUT24KoyBz5A0ln1WyvCszoxpKcuKMcwGUP+kszbo8D3FjH+2zET+KoilEzDBn3g0JP6K8BUPyOoBftmRCujaI/kEjya1AQzM44xvFPp6hFlsGICqk6NJe8eWlRyv6/VE2MB+WSKq0OOtZz+PrMHvJC6R50xm4DLXLRCPXJ3HA9J78ghQTziPs69kCi90xsuYubX+qs8KfDPy1i8geZZM+PXQrPfM1BcAnwe7hUayqMLk5OeVrixm1KEZhqHMKaCXhDJE3uH4c++/TR++zIbdz2x15k24D569gxPSKlcYpjAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAB5SYnR0JFWMRE1qutLArc4NeD3DjbyBwvOZaCsLRz3T7paZe3O0SmKQGPkUyARrERvV01R8Q04OVuf+/UJ2fgYqRTthh5G0Y2qak9UL7oefrsuB15C4ZEjBJnoBZNzDXhmDYoOguxrxXMN9XPgJSO08+7l8nJE6V1cu4811+ksV67JaNkk6oU1V3/HU5+tRc2GpjiwO0qr4dKOGrrfRuRZ7BqzgLh/KcZOxvc5hbmxvtJrGh/xuuspAG/3akeEXTD754YLoZVFJTJOdXlbaBrfSvvIndV/gVfJyAavTGQBCcz+bucJ2ijNa394S36t5KrU9Hu4hXC0TgPbFPq7IrIk=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
</md:EntitiesDescriptor>

When I give the same metadata location to my application, it ends up trying to send me to a URL without port 8543, even though that port is present in every location above:

https://localhost/auth/realms/master/protocol/saml

Debugging the OpenSAML code, it looks like the port is lost after returning from line 460 of AbstractMetadataProvider, which parses the raw IDP metadata:

protected XMLObject unmarshallMetadata(InputStream metadataInput) throws UnmarshallingException {
        try {
            log.trace("Parsing retrieved metadata into a DOM object");
            Document mdDocument = parser.parse(metadataInput);

Is there any way to control this and have it respect the port in the metadata xml?


1 Answer


After further debugging, the port was also missing from the raw response that HTTPMetadataProvider received.

It turned out the problem was caused by a misconfiguration of HttpClient: it was not sending the port in the Host header, so Keycloak did not include the port in its response.

answered 2020-10-26T13:05:23.573
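Two checks that would have exposed the cause described in the answer, as an added example that is not part of the original question or answer and is written in Python rather than the Java stack the question uses. The first function computes the Host header a client must send for a URL (RFC 7230 section 5.4: the host, plus ":port" unless the port is the scheme's default), which is what Keycloak reads when it builds the URLs in its metadata. The second parses SAML 2.0 IdP metadata and lists every entityID and endpoint Location whose scheme, host or port differ from the origin the metadata was fetched from, which is the mismatch the question's application ran into. The metadata is constructed here to mirror the shape shown in the question, with the certificate replaced by a placeholder; the function and constant names are this example's own.

```python
"""Added example: Host-header construction and SAML metadata origin check."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header_for(url: str) -> str:
    """Host header value for `url`: host, plus ':port' only when the port is
    not the scheme default. A client that always omits the port would make
    an IdP behind https://localhost:8543 believe it is reached on 443."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port is None or DEFAULT_PORTS.get(parts.scheme) == parts.port:
        return host
    return f"{host}:{parts.port}"


def origin_of(url: str) -> tuple:
    """(scheme, host, effective port) of a URL, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def find_mismatched_endpoints(metadata_xml: str, fetched_from: str) -> list:
    """Return (element, url) pairs in IdP metadata whose origin differs from
    the origin the metadata was fetched from. An empty list means every
    endpoint the SP would redirect to lives on the expected host and port."""
    expected = origin_of(fetched_from)
    root = ET.fromstring(metadata_xml)
    mismatches = []
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID", "")
        if origin_of(entity_id) != expected:
            mismatches.append(("entityID", entity_id))
    for el in root.iter():
        loc = el.get("Location")
        if loc and origin_of(loc) != expected:
            mismatches.append((el.tag.split("}")[-1], loc))
    return mismatches


def sample_metadata(base: str) -> str:
    """Constructed IdP metadata in the shape Keycloak returns for the master
    realm; `base` is the origin Keycloak derived from the Host header."""
    return f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <md:EntityDescriptor entityID="{base}/auth/realms/master">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{base}/auth/realms/master/protocol/saml"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{base}/auth/realms/master/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{base}/auth/realms/master/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{base}/auth/realms/master/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="{base}/auth/realms/master/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


if __name__ == "__main__":
    descriptor_url = "https://localhost:8543/auth/realms/master/protocol/saml/descriptor"
    print("Host header to send:", host_header_for(descriptor_url))
    # Metadata as Keycloak would build it when the Host header carried the port.
    print("with port:", find_mismatched_endpoints(sample_metadata("https://localhost:8543"), descriptor_url))
    # Metadata as Keycloak would build it when the client dropped the port.
    print("port dropped:", find_mismatched_endpoints(sample_metadata("https://localhost"), descriptor_url))
```

Running the origin check against freshly fetched metadata, before handing it to the SP, turns the silent redirect to the wrong port into a visible configuration error; the same check also flags metadata whose endpoints point at a host other than the one you fetched it from.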