我正在集成OneLogin进行SAML2身份验证。我在QA服务器上工作得很好但我的生产环境却出错了。
Warning: DOMDocument::schemaValidate(): Invalid Schema in
\Classes\OneLogin\src\Saml2\Utils.php on line 133
invalid_response
OneLogin\Saml2\Auth Object
(
[_settings:OneLogin\Saml2\Auth:private] => OneLogin\Saml2\Settings Object
(
[_paths:OneLogin\Saml2\Settings:private] => Array
(
[base] => \\Classes\OneLogin/
[config] => \\Classes\OneLogin/
[cert] => \\Classes\OneLogin/certs/
[lib] => \\Classes\OneLogin/src/
)
[_baseurl:OneLogin\Saml2\Settings:private] =>
[_strict:OneLogin\Saml2\Settings:private] => 1
[_debug:OneLogin\Saml2\Settings:private] =>
[_sp:OneLogin\Saml2\Settings:private] => Array
(
[entityId] => tools
[assertionConsumerService] => Array
(
[url] => https://example.com/login/saml2.php
[binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
)
[NameIDFormat] => urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
[x509cert] => -----BEGIN CERTIFICATE-----
听起来,无效的架构是由于响应回来了?它必须不是与.xsd匹配的预期格式?
如果是这种情况,这通常表明证书无效?
$settingsInfo = array(
'strict' => true,
'sp' => array(
'entityId' => 'tools',
'assertionConsumerService' => array(
'url' => "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'],
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
'x509cert' => file_get_contents('lb-sso.pem', FILE_USE_INCLUDE_PATH),
'privateKey' => file_get_contents('lb-sso.key', FILE_USE_INCLUDE_PATH),
),
'idp' => array(
'entityId' => 'https://sso.example.com',
'singleSignOnService' => array(
'url' => 'https://sso.example.com/idp/SSO.saml2',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
'singleLogoutService' => array(
'url' => 'https://sso.example.com/idp/SSO.saml2',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
'x509cert' => file_get_contents('sso.pem', FILE_USE_INCLUDE_PATH)
),
'compress' => array(
'requests' => true,
'responses' => true
),
'security' => array(
'authnRequestsSigned' => true,
'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
)
);
$auth = new OneLogin\Saml2\Auth($settingsInfo);
更新:
我能够为此打印出一些额外的错误。
Warning: DOMDocument::schemaValidate(): Invalid Schema in \\Classes\OneLogin\src\Saml2\Utils.php on line 134
failed to load external entity "/Classes/OneLogin/src/Saml2/schemas/xmldsig-core-schema.xsd"
Element '{http://www.w3.org/2001/XMLSchema}import': Failed to locate a schema at location '/Classes/OneLogin/src/Saml2/schemas/xmldsig-core-schema.xsd'. Skipping the import.
failed to load external entity "/Classes/OneLogin/src/Saml2/schemas/xenc-schema.xsd"
Element '{http://www.w3.org/2001/XMLSchema}import': Failed to locate a schema at location '/Classes/OneLogin/src/Saml2/schemas/xenc-schema.xsd'. Skipping the import.
Element '{http://www.w3.org/2001/XMLSchema}element', attribute 'ref': The QName value '{http://www.w3.org/2001/04/xmlenc#}EncryptedData' does not resolve to a(n) element declaration.
Element '{http://www.w3.org/2001/XMLSchema}element', attribute 'ref': The QName value '{http://www.w3.org/2001/04/xmlenc#}EncryptedKey' does not resolve to a(n) element declaration.
文件xsd文件确实存在,但路径似乎可能缺少前面的另一个/
。 //Classes/OneLogin/...
更新2:
似乎idp将我们的生产服务器的响应发送回QA服务器的方式可能有所不同。
OneLogin文件在两个站点上都是相同的,但我必须在wantXMLValidation = false
的安全方面切换一个设置。
这使我相信他们为响应发回的XML格式与预期的xsd格式不匹配。
它表明身份验证和证书都是有效的,并且正在建立连接,只是不再验证XML的格式。
如果有任何或更多的内务检查以确保它包含所有预期的节点,这可能会带来什么安全隐患?
由php-saml工具包处理的SAML响应不遵循xsd模式,这就是您看到该错误的原因。
您可以尝试使用SAML Tracer记录SAML响应,然后使用qazxsw poi来获取XML失效的原因