我尝试在 samltool.com 网站上验证我的 saml 响应,但不断收到“签名验证失败。参考验证失败”的消息。我在网上搜索并找到了一些建议,但是它要么不能修复错误,要么会产生新的错误。
这是我的 SAML 响应(Response),如有任何建议,我将不胜感激。
<!-- Review note: first attempt. The Reference URI inside the Signature matches the Assertion
     ID, so the digest is computed over the Assertion subtree after its own Signature element is
     removed (enveloped signature transform) and exclusive C14N is applied. Exclusive C14N keeps
     whitespace only text nodes between elements, so indenting or pretty printing the document
     after the IdP signed it (as this paste is) changes the digest, and a digest mismatch is what
     a validator reports as "reference validation failed". Validate the exact bytes the IdP
     emitted (for example the base64 decoded SAMLResponse parameter), not a reformatted copy. -->
<samlp2:Response xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="SAML-027a0db7-ecd3-464e-b4e0-400870b6ab5a" IssueInstant="2020-11-19T10:41:21Z" Destination="[Destination]">
<samlp2:Status>
<samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp2:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_83213680-19ae-4e12-8ccd-d24a818ec1a6" IssueInstant="2020-11-19T16:41:21.370Z" Version="2.0">
<saml2:Issuer>[Issuer]</saml2:Issuer>
<!-- Review note: this Signature element rebinds the saml2 prefix to the XML DSig namespace.
     That is legal (the in scope namespace URI, not the prefix, decides element identity) but
     it is confusing to read and to debug; the conventional form is xmlns:ds. Its position,
     directly after Issuer, is the one SAML requires. -->
<saml2:Signature xmlns:saml2="http://www.w3.org/2000/09/xmldsig#">
<saml2:SignedInfo>
<saml2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<saml2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<saml2:Reference URI="#_83213680-19ae-4e12-8ccd-d24a818ec1a6">
<saml2:Transforms>
<saml2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<saml2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</saml2:Transforms>
<saml2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<saml2:DigestValue>[DigestValue]</saml2:DigestValue>
</saml2:Reference>
</saml2:SignedInfo>
<saml2:SignatureValue>[SignatureValue]</saml2:SignatureValue>
<saml2:KeyInfo>
<saml2:X509Data>
<saml2:X509Certificate>[X509Cert]</saml2:X509Certificate>
</saml2:X509Data>
</saml2:KeyInfo>
</saml2:Signature>
<saml2:Subject>
<saml2:NameID>[emailId]</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="[ipaddress]" NotOnOrAfter="2020-11-29T06:00:00.000Z" Recipient="[Recipient]"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Review note: the Response IssueInstant (10:41:21Z) and the Assertion IssueInstant
     (16:41:21.370Z) are six hours apart although both claim UTC; presumably one clock is local
     time stamped with Z. TODO confirm which one is wrong. The bearer SubjectConfirmationData
     above and the Conditions below stay valid for ten days, which is a very long replay window
     for a bearer assertion; a window of minutes is the usual practice. Neither affects the
     digest, but an SP that checks clock skew may reject on the first. -->
<saml2:Conditions NotBefore="2020-11-19T16:41:21.370Z" NotOnOrAfter="2020-11-29T06:00:00.000Z">
<saml2:AudienceRestriction>
<saml2:Audience>[SPEntityId]</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-11-19T16:41:21.370Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>[firstName]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>[lastName]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="emailId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>[emailId]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="custCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>[custCode]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="phone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>[phone]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="ssoId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>[ssoId]</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</samlp2:Response>
我在 Response 层级(Assertion 之外)、Status 之前添加了 Issuer 和 Signature,现在我收到“发现无效的签名元素。SAML 响应被拒绝”。
<!-- Review note: second attempt, with a Response level signature added. The Response
     signature on the line after the start tag uses Reference URI="#_1a4fdd97-53f3-4676-aec3-e00213f226eb",
     which is the Assertion ID, not this Response's own ID "SAML-18b9737d-5969-4231-a074-0ff5ca3ab0df".
     SAML Core (section 5.4.2) requires an enveloped signature to be a same document reference
     to the ID of the element it sits inside, so the Response signature must carry
     URI="#SAML-18b9737d-5969-4231-a074-0ff5ca3ab0df" and must be produced after the Assertion
     has been signed (inner signature first, outer second). Two Signature elements that both
     reference the Assertion ID is a plausible cause of the "invalid signature element found"
     rejection. Correcting the URI requires re signing; editing the value by hand will not verify. -->
<samlp2:Response Version="2.0" ID="SAML-18b9737d-5969-4231-a074-0ff5ca3ab0df" IssueInstant="2020-11-19T01:00:24Z" Destination="[Destination]" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.lacitizens.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1a4fdd97-53f3-4676-aec3-e00213f226eb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>[DigestValue]</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>[SignatureValue]</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>[X509Certificate]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<samlp2:Status>
<samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp2:Status>
<!-- Review note: the Assertion signature below correctly references the Assertion ID and sits
     directly after the Assertion Issuer. As in the first listing, the Response IssueInstant
     (01:00:24Z) and the Assertion IssueInstant (19:00:24.563Z) disagree by many hours although
     both claim UTC; TODO confirm the clock source used for the Response element. -->
<saml2:Assertion ID="_1a4fdd97-53f3-4676-aec3-e00213f226eb" IssueInstant="2020-11-19T19:00:24.563Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>https://www.lacitizens.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_1a4fdd97-53f3-4676-aec3-e00213f226eb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>[DigestValue]</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>[SignatureValue]</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>[X509Certificate]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID>[emailId]</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="[ipaddress]" NotOnOrAfter="2020-11-29T06:00:00.000Z" Recipient="[recipient]" /></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2020-11-19T19:00:24.563Z" NotOnOrAfter="2020-11-29T06:00:00.000Z"><saml2:AudienceRestriction><saml2:Audience>[audience]</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2020-11-19T19:00:24.563Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[firstName]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute 
Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[lastName]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="emailId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[emailId]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="custCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[custCode]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="phone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[phone]</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="ssoId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue>[ssoId]</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
</samlp2:Response>
希望你一切都好。首先请告诉我们您是否解决了问题?
接下来基本上是我的问题部分(如果您熟悉,或者其他人对此有想法,请告诉我)。
很遗憾这不是答案,只是一个观察:在我的情况下,如果 samlResponseXMLString 被格式化(美化缩进),我那带有正确签名的 SAML 响应就会因为引用验证失败(即计算出的摘要值与预期不匹配)而失败。
详细说明(下面的代码块给出 XMLString 的示例,以作说明):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Review note: RAW form, which verifies. The Reference URI is the Assertion ID, so only the
     Assertion subtree (minus its own Signature element, after exclusive C14N) is digested. The
     line breaks inside SignatureValue and X509Certificate are base64 whitespace and should be
     ignored by the decoder, so they do not affect verification. The Response Issuer and the
     Assertion Issuer carry different idpid values; presumably redaction, but if real, an SP that
     compares the Assertion Issuer with its configured IdP entityID will reject the response.
     The listing is truncated in the paste (the certificate is cut off). -->
<saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://app.com/api/saml/assertion" ID="_c0c49e3157cb4882002e5a3a505b5457" InResponseTo="6miJTbk50XLxlggXwUG8vn(5OUUO3-awq9MTzoYedJfK-NH" IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C_IdOfIDP</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4a146c4e23e148bdc45d3bf6fe12f74b" IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0"><saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C02d32jyc</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_4a146c4e23e148bdc45d3bf6fe12f74b"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>Zw(DigestValue)+IP1/eifT4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>LEsM/5cBZ(Signature)kUI1G/yrJEYyAdIvE
3nQFRgjvxrZzT/ZmOccDdOmL28flmMHX2mL2slYGk0W7o/4nYm686ttheMESWx0qrHlhdnsSPaFp
k7aVCvfX17+/5Fl2lsN1kAuPBqMIQsbD83tYumOcvqi+gm0RZ8iVuaM94OdmBzAwcU8hFj7Ewt86
pU0UehMq5EVJXZ36sXE5iq+kxLI8/pkULMYjztWKuL4KjBid+PMdSPXnAlrckatUg+G6WhYRtl8m
wzIGqwmWAjZ52iZAZK8OtUBJpXZG/HDs2qITOw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName><ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXJhuXJxMA0(CertificateEncoded)gNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://app.com/api/saml/assertion" ID="_c0c49e3157cb4882002e5a3a505b5457"
InResponseTo="6miJTbk50XLxlggXwUG8vn(5OUUO3-awq9MTzoYedJfK-NH"
IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0">
<!-- Review note: FORMATTED form, which fails with a digest mismatch. Pretty printing inserted
     whitespace only text nodes between the elements inside the Assertion (everything from the
     Assertion start tag onward), and exclusive C14N preserves text nodes, so the digest computed
     over the Assertion no longer equals the DigestValue the IdP produced. Whitespace inside start
     tags (the wrapped attributes above and on the Assertion element) is not part of the canonical
     form and is harmless. The newline and indentation added to the Issuer text just below are
     harmless only because the Response Issuer lies outside the signed subtree. Hand editing can
     only make this verify by removing every added whitespace node inside the Assertion again,
     which is the RAW form; keep the original bytes for verification and format only for display.
     The listing is truncated in the paste (the certificate is cut off). -->
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
https://accounts.google.com/o/saml2?idpid=C_IdOfIDP</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_4a146c4e23e148bdc45d3bf6fe12f74b" IssueInstant="2024-01-10T13:45:05.049Z" Version="2.0">
<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C02d32jyc</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_4a146c4e23e148bdc45d3bf6fe12f74b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>Zw(DigestValue)+IP1/eifT4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LEsM/5cBZ(Signature)kUI1G/yrJEYyAdIvE
3nQFRgjvxrZzT/ZmOccDdOmL28flmMHX2mL2slYGk0W7o/4nYm686ttheMESWx0qrHlhdnsSPaFp
k7aVCvfX17+/5Fl2lsN1kAuPBqMIQsbD83tYumOcvqi+gm0RZ8iVuaM94OdmBzAwcU8hFj7Ewt86
pU0UehMq5EVJXZ36sXE5iq+kxLI8/pkULMYjztWKuL4KjBid+PMdSPXnAlrckatUg+G6WhYRtl8m
wzIGqwmWAjZ52iZAZK8OtUBJpXZG/HDs2qITOw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXJhuXJxMA0(CertificateEncoded)gNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
PS:我尝试在 XMLString_RAW 中添加空格和 ' ' 字符,它仍然能通过验证。但当我把它格式化为 XMLString_FORMATTED 时,就不断收到摘要值错误的提示。我专门试着调整了 Signature 标签,但仍然没弄明白,也无法通过手动修改让 XMLString_FORMATTED 通过验证。目前仍在研究(更深入地看摘要值的计算方式,即消息摘要算法 MDA),看看结果如何。