我正在尝试在PHP中执行SP启动的SAML 2.0 SLO,我的问题:LogoutResponse状态代码AuthnFailed,因此没有IdP注销。根据Okta(IdP)仪表板,原因是无效签名。 我正在使用robrichards / xmlseclibs安全库和POST绑定。该请求会在https://www.samltool.com/validate_logout_req.php和http://php.net/manual/en/domdocument.schemavalidate.php上验证。
这是我的美化要求:
<?xml version="1.0" encoding="utf-8"?>
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_logout_1_5ab86804b6057"
Version="2.0"
Destination="https://dev-680804.oktapreview.com/app/catalystitdev680000_xxxx_1/exkeb8o4nbMQ7xxxxxxx/slo/saml"
IssueInstant="2018-03-26T16:24:52+13:00">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://xxxxxxx/</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference>
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>5SXEPj5gyXWuf/BXfZ7QTVrUuJaF3Khh...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TmAUPHY4rO...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFUzCCAzugAwIBAgI...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">and...</saml:NameID>
<samlp:SessionIndex>_authn_5ab8680105723</samlp:SessionIndex>
</samlp:LogoutRequest>
这是我创建我的pkey和crt的方式:
#!/bin/bash
# https://github.com/mattermost/docs/blob/master/source/scripts/generate-certificates/gencert.md
umask 377
certname="${CRT_FILENAME:-"nzta-x509"}"
openssl x509 \
-in <(
openssl req \
-days 3650 \
-newkey rsa:4096 \
-nodes \
-keyout "${certname}.key" \
-subj "/C=${CRT_C:-"NZ"}/L=${CRT_L:-"Wellington"}/O=${CRT_O:-"XXXX"}/OU=${CRT_OU:-"Sysadmins"}/CN=${CRT_CN:-"xxxx-xxxx"}"
) \
-req \
-signkey "${certname}.key" \
-sha256 \
-days 3650 \
-out "${certname}.crt" \
-extfile <(echo -e "basicConstraints=critical,CA:true,pathlen:0")
chmod 600 ${certname}.crt
我的想法已经不多了。如何获得更多错误上下文。 &#34;签名无效&#34;对我帮助不大......
答案 0 :(得分:0)
“无效签名”表示LogoutRequest未正确签名。典型的问题是:
答案 1 :(得分:0)
感谢Zeitgeist。我发现了一个很好的工具:
xmlsec1 --verify LogoutRequest.xml
输出非常冗长,给了我很多东西:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=NZ/L=Wellington/O=XXX/OU=Sysadmins/CN=xxx-xxx;err=18;msg=self signed certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "LogoutRequest.xml"
答案 2 :(得分:0)
将传输的ds:X509Certificate文本内容与IDP端配置的内容进行比较。我发现传输的版本包括换行符和白人节奏字符,它们将在字符串匹配中失败。我删除了它们并进行了验证。
最新答复,但希望这对某人有帮助