I am implementing the SAML2 Single Logout protocol.
My identity provider sends me a logout request using the HTTP-Redirect binding. The content of that request looks like this:
?SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9el5dVOv2Vf6L1nnTpmdPP%2fvo99%2bd3t%2b5f3BwsJ3t759v7x8c7G5nn%2b5Mth%2fe26f%2f7WXnDyaffpT%2bZF43RbX87KO98c5H6VnTrPOzZdNmy5Y%2b2tnd3cb%2f7r%2fZffBoZ%2ffR3sH44acHP%2fVR%2bpR6KZZZy2%2fO23bVPLp7dzUt2lne7O6Np3m9HE%2fnd4Hb3t3XL1%2bX1at8VtT5tL27yNvsuCyy5m6z%2big9qZZNjr7W9fJRlTVF82iZLfLmUTt99Pr4i%2bePCK1HU2n0aL1sVvm0OC%2fy2Ufpi6r9cvllfXze5nUP1U8F1V1C9d2iXDaPmEqbe1nVVVtNq%2fKjo8dMhlpe3fxS1jR5DTJ8dGTIYAZfVhfF8vFdgXX0%2bAW9e%2fY0fVbVi2zDeHfHu%2fxJMds%2b56aP8kVWlMezWZ03jQ7n1jiV66IZ19WsLi7W%2bQ%2fG54RatpzlP%2fg9FcnHdwWtI2Wj19QHvXhGbd4d%2ff47n%2b4d7O7dP99%2bcP7w%2fvb%2b3nS6nc0O8u3zWX7waZY%2f3JlM8sd3I2%2baDwOuPPp%2fAA%3d%3d&Signature=i1JxpKbaInBXsqTzPwG3E3NIPqCmK4mgLaYgUy%2fraNgscBBLLrQGObKm%2bLIu6Skh7iOb4r39HX6tCsq6p5CO97U7WfCwOnkJpgzAFjA0T9ByAzomh6LIC%2bpXGaINzhw2DPcv4cZYrUoSuEQl0OCaAAtYaarm%2f53qR0DMF5OhZkU%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
Following the OASIS Security Assertion Markup Language (SAML) V2.0 Bindings, I take the ?SAMLRequest=value&SigAlg=value string and try to verify it against the Signature=value string. The code I am using (Java) is this:
import java.io.FileInputStream;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import sun.misc.BASE64Decoder; // JDK-internal class (removed in Java 9)

public class VerifyLogoutRequest {
    public static void main(String[] args) throws Exception {
        // Retrieve the public key sent by the IdP (X.509 certificate file)
        FileInputStream inputStream = new FileInputStream("/path/to/the/idp/sent/public/key");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate certificate = cf.generateCertificate(inputStream);
        PublicKey publicKey = certificate.getPublicKey();
        // Create the signature object and feed it the SAMLRequest=...&SigAlg=... query substring
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initVerify(publicKey);
        signature.update("SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9el5dVOv2Vf6L1nnTpmdPP%2fvo99%2bd3t%2b5f3BwsJ3t759v7x8c7G5nn%2b5Mth%2fe26f%2f7WXnDyaffpT%2bZF43RbX87KO98c5H6VnTrPOzZdNmy5Y%2b2tnd3cb%2f7r%2fZffBoZ%2ffR3sH44acHP%2fVR%2bpR6KZZZy2%2fO23bVPLp7dzUt2lne7O6Np3m9HE%2fnd4Hb3t3XL1%2bX1at8VtT5tL27yNvsuCyy5m6z%2big9qZZNjr7W9fJRlTVF82iZLfLmUTt99Pr4i%2bePCK1HU2n0aL1sVvm0OC%2fy2Ufpi6r9cvllfXze5nUP1U8F1V1C9d2iXDaPmEqbe1nVVVtNq%2fKjo8dMhlpe3fxS1jR5DTJ8dGTIYAZfVhfF8vFdgXX0%2bAW9e%2fY0fVbVi2zDeHfHu%2fxJMds%2b56aP8kVWlMezWZ03jQ7n1jiV66IZ19WsLi7W%2bQ%2fG54RatpzlP%2fg9FcnHdwWtI2Wj19QHvXhGbd4d%2ff47n%2b4d7O7dP99%2bcP7w%2fvb%2b3nS6nc0O8u3zWX7waZY%2f3JlM8sd3I2%2baDwOuPPp%2fAA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256".getBytes());
        // Verify against the Signature parameter value as it appears in the query string
        if (signature.verify((new BASE64Decoder()).decodeBuffer("i1JxpKbaInBXsqTzPwG3E3NIPqCmK4mgLaYgUy%2fraNgscBBLLrQGObKm%2bLIu6Skh7iOb4r39HX6tCsq6p5CO97U7WfCwOnkJpgzAFjA0T9ByAzomh6LIC%2bpXGaINzhw2DPcv4cZYrUoSuEQl0OCaAAtYaarm%2f53qR0DMF5OhZkU%3d"))) {
            System.out.println("Signature OK!!!");
        } else {
            System.out.println("Bad Signature!!!");
        }
    }
}
I always get the "Bad Signature!!!" message.
Any ideas?
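The HTTP-Redirect binding's signing rule, shown from both sides, as an added example in Go that is not part of the original post (the question's own code is Java and is not reproduced here). The IdP half builds a signed query the way the binding prescribes: DEFLATE, base64, URL-encode, sign the octets SAMLRequest=value[&RelayState=value]&SigAlg=value with the values still URL-encoded, then append Signature=base64-and-URL-encoded. The SP half verifies from the raw query: it keeps every covered value in the encoded form it arrived in, URL-decodes the Signature value (note that in the query above it still contains %2f, %2b and %3d) before base64-decoding it, and pins SigAlg to RSA-SHA256 instead of letting the sender choose the verifier. The LogoutRequest XML, the RelayState and the freshly generated RSA key are constructed for the example; the SAMLResponse fallback in the verifier goes beyond the post, which only covers a request.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256, the value carried in the poster's query string.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed stand-in for the inflated LogoutRequest; its content does not affect the signing rules.
const sampleLogoutRequest = `<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_demo" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example</saml:Issuer><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">alice</saml:NameID></samlp:LogoutRequest>`

// signedOctets is the string the binding signs: SAMLRequest=v&RelayState=v&SigAlg=v, with
// RelayState omitted when absent and every value in the URL-encoded form in which it is sent.
func signedOctets(param, encMsg, encRelay, encSigAlg string) string {
	s := param + "=" + encMsg
	if encRelay != "" {
		s += "&RelayState=" + encRelay
	}
	return s + "&SigAlg=" + encSigAlg
}

// deflateBase64 produces the SAMLRequest value: raw DEFLATE, then base64.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only fails on an invalid level
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// BuildRedirectQuery is the IdP side; it returns the query string without the leading "?".
func BuildRedirectQuery(priv *rsa.PrivateKey, xml, relayState string) (string, error) {
	// url.QueryEscape("") is "", so an absent RelayState is simply left out by signedOctets.
	toSign := signedOctets("SAMLRequest", url.QueryEscape(deflateBase64(xml)),
		url.QueryEscape(relayState), url.QueryEscape(sigAlgRSASHA256))
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the SP side. It keeps the raw (still URL-encoded) parameter values,
// rebuilds the signed octets in the binding's fixed order, and URL-decodes the Signature value before base64-decoding it.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	raw := map[string]string{}
	for _, pair := range strings.Split(strings.TrimPrefix(rawQuery, "?"), "&") {
		k, v, _ := strings.Cut(pair, "=")
		raw[k] = v
	}
	param := "SAMLRequest"
	if raw[param] == "" {
		param = "SAMLResponse" // same rules apply to a signed LogoutResponse
	}
	if raw[param] == "" || raw["SigAlg"] == "" || raw["Signature"] == "" {
		return fmt.Errorf("missing SAMLRequest/SAMLResponse, SigAlg or Signature")
	}
	// Pin the algorithm; never let the sender's SigAlg choose the verifier.
	if alg, err := url.QueryUnescape(raw["SigAlg"]); err != nil || alg != sigAlgRSASHA256 {
		return fmt.Errorf("unsupported or malformed SigAlg %q", raw["SigAlg"])
	}
	sigB64, err := url.QueryUnescape(raw["Signature"]) // turns %2f %2b %3d back into / + =
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("Signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256([]byte(signedOctets(param, raw[param], raw["RelayState"], raw["SigAlg"])))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Demo runs one exchange with a fresh key and returns the verification result for the genuine query,
// for a copy with an altered RelayState, and the error from base64-decoding the Signature while still URL-encoded.
func Demo() (genuine, tampered, stillEncoded error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the system RNG fails
	q, err := BuildRedirectQuery(priv, sampleLogoutRequest, "/after-logout")
	if err != nil {
		return err, err, err
	}
	genuine = VerifyRedirectQuery(&priv.PublicKey, q)
	tampered = VerifyRedirectQuery(&priv.PublicKey, strings.Replace(q, "after-logout", "elsewhere", 1))
	_, stillEncoded = base64.StdEncoding.DecodeString(q[strings.LastIndex(q, "=")+1:]) // raw Signature value
	return genuine, tampered, stillEncoded
}

func main() {
	g, t, s := Demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| still-encoded signature:", s)
}
```

Two practical points follow from the code. The verifier must read the raw query string from the request line, not a framework's already-decoded parameter map, because decoding changes the octets that were signed; and the Signature value has to be percent-decoded before it reaches the base64 decoder, which is exactly the step the Java code in the question skips when it passes the "%2f"/"%2b"/"%3d" form straight to BASE64Decoder.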