I'm trying to set up an SSO test environment for two domains on a server running WebLogic 10.2. I was able to successfully use the login on the sample servlet on the SAML source domain and follow the link to the servlet on the SAML destination domain. This uses SAML 1.1 with a Browser/POST relying party, since that is the example the Oracle documentation provides for the two domains, using dummy appA and appB. (I don't have the link handy to point to, but it works fine.)
But my goal is to test SAML 1.1 with the Browser/Artifact profile. So I used the same security realm and set up a new AP for the Destination domain and a new RP for the Source domain (keep in mind these are all running on the same machine). I used the same SSL information and keystore/truststore/alias (in fact they all use the same self-signed certificate with the alias "localhost"). It fails on the destination application with a 403 error. I can see the artifact generated in the string:
https://localhost:7012/samlacs/acs?APID=ap_00002&SAMLart=AAH9R8ftHOp8ZwdBGik0ijXWFCYQZuUL%2FwTHd8JU%2Fo3aOkNGzkqbtuBm&TARGET=http://localhost:7010/appB/admin/services.jsp
But there is an error in the assertion lookup (or before the artifact is dereferenced): (the artifact doesn't match the logs because I ran it again) (source domain):
Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: lookupStoredAssertions: fetching assertion for artifact 'AAH9R8ftHOp8ZwdBGik0ijXWFCYQZoF3demE97Ls8pVqYxvva+3Mka/9'>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: verifyDestinationSite: auth failure for partner 'rp_00002', client cert required but not provided>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: lookupStoredASsertions: auth failure: missing/invalid credentials for partner 'rp_00002'>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: dispatchAssertionRequest: destination site auth failure, returning FORBIDDEN>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@20065100 - /samlars/ars: Writing headers for HttpRequest@20065100 - /samlars/ars>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySSL> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 160>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <Response committed. request: 'HttpRequest@20065100 - /samlars/ars' response: weblogic.servlet.internal.ServletResponseImpl@ea013e[
HTTP/1.1 403 Forbidden
Date: : Wed, 07 Nov 2012 23:04:59 GMT
Content-Length: : 1216
Content-Type: : text/html; charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
]>
(destination domain):
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLDestinationSiteHelper: Exception while sending/receiving request/response: org.opensaml.SAMLException: SAMLSOAPBinding.send(): Error response from server: '403 Forbidden'>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLDestinationSiteHelper: Unable to dereference artifact -- returning SC_FORBIDDEN>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@6557952 - /samlacs/acs: Writing headers for HttpRequest@6557952 - /samlacs/acs>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@6557952 - /samlacs/acs: Wrote cookie: JSESSIONID=bkLSQhphfgFQGRnZNprd2kHJ71GGyPjsF91TMsn4pKkTMgLxcxVr!-98623638; path=/; HttpOnly>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySSL> <7PSS2Q1> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 250>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <Response committed. request: 'HttpRequest@6557952 - /samlacs/acs' response: weblogic.servlet.internal.ServletResponseImpl@2c3cd3[
HTTP/1.1 403 Forbidden
Date: : Wed, 07 Nov 2012 23:04:58 GMT
Content-Length: : 1216
Content-Type: : text/html
Set-Cookie: JSESSIONID=bkLSQhphfgFQGRnZNprd2kHJ71GGyPjsF91TMsn4pKkTMgLxcxVr!-98623638; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
]>
I can't see anywhere else in the relying party or the asserting party where this missing client certificate could be attached. Does anyone know what the problem might be?
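As an added example (not part of the question, and not WebLogic's code), here is a Python model of the Browser/Artifact dereference step the logs describe. It decodes the post's two artifacts (SAML 1.1 type 0x0001: 2-byte type code, 20-byte SourceID, 20-byte AssertionHandle), builds the samlp:Request the destination site POSTs to /samlars/ars, and runs it against a stand-in Assertion Retrieval Service that, like the source site in the log, answers partner rp_00002 with 403 when no client certificate was presented at the TLS layer. The source-site identifier, the PARTNERS table, the assertion store and both handler functions are constructed assumptions for illustration.

```python
"""SAML 1.1 Browser/Artifact: decode a type-1 artifact and model the artifact
dereference (ARS) exchange, including the client-cert check behind the 403.

Added illustration for this post, not WebLogic's code. Partner id, URLs and
artifact strings come from the post; SOURCE_SITE_ID, PARTNERS, the assertion
store and the handler functions are constructed models, not Oracle's code.
"""
import base64
import hashlib
import os
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

ARTIFACT_FROM_URL = "AAH9R8ftHOp8ZwdBGik0ijXWFCYQZuUL%2FwTHd8JU%2Fo3aOkNGzkqbtuBm"
ARTIFACT_FROM_LOG = "AAH9R8ftHOp8ZwdBGik0ijXWFCYQZoF3demE97Ls8pVqYxvva+3Mka/9"
ACS_URL = ("https://localhost:7012/samlacs/acs?APID=ap_00002&SAMLart="
           + ARTIFACT_FROM_URL + "&TARGET=http://localhost:7010/appB/admin/services.jsp")

# Constructed: an assumed source-site identifier and the partner table the ARS consults.
SOURCE_SITE_ID = hashlib.sha1(b"https://localhost:7010/samlars/ars").digest()
PARTNERS = {"rp_00002": {"client_cert_required": True, "cert_subject": "CN=localhost"}}


def decode_artifact(artifact: str) -> dict:
    """Split a SAML 1.1 type 0x0001 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20).
    SourceID is SHA-1 of the source site's identifier; the handle is the random lookup key."""
    raw = base64.b64decode(unquote(artifact), validate=True)
    if len(raw) != 42:
        raise ValueError(f"artifact is {len(raw)} bytes, expected 42")
    type_code = int.from_bytes(raw[:2], "big")
    if type_code != 1:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return {"type_code": type_code, "source_id": raw[2:22], "handle": raw[22:]}


def artifact_from_acs_url(url: str) -> str:
    """Pull SAMLart out of the ACS redirect. parse_qs percent-decodes and maps '+' to a
    space, so a source site must encode '+' in artifacts as %2B (the post's URL encodes
    '/' as %2F, which is the same requirement)."""
    return parse_qs(urlparse(url).query)["SAMLart"][0]


def build_ars_request(artifact: str, request_id: str = "_r1") -> str:
    """samlp:Request carrying an AssertionArtifact, as the destination site POSTs it
    (SOAP 1.1 body) to the source site's /samlars/ars."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
        f'MajorVersion="1" MinorVersion="1" RequestID="{request_id}" '
        'IssueInstant="2012-11-07T23:04:59Z">'
        f'<samlp:AssertionArtifact>{artifact}</samlp:AssertionArtifact>'
        '</samlp:Request></soap:Body></soap:Envelope>'
    )


def source_site_issue(store: dict, subject: str) -> str:
    """Source-site side: store an assertion under a fresh 20-byte handle, return the artifact."""
    handle = os.urandom(20)
    store[handle] = (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
                     f'{subject}</saml:Assertion>')
    return base64.b64encode(b"\x00\x01" + SOURCE_SITE_ID + handle).decode()


def ars_handle(store: dict, partner_id: str, client_cert_subject: Optional[str],
               soap_request: str) -> Tuple[int, str]:
    """Source-site ARS: authenticate the partner (TLS client cert), then resolve the artifact."""
    partner = PARTNERS.get(partner_id)
    if partner is None:
        return 403, "unknown partner"
    if partner["client_cert_required"]:
        if client_cert_subject is None:            # the failure in the post's source-site log
            return 403, "auth failure: client cert required but not provided"
        if client_cert_subject != partner["cert_subject"]:
            return 403, "auth failure: client cert does not match partner"
    m = re.search(r"<samlp:AssertionArtifact>([^<]+)</samlp:AssertionArtifact>", soap_request)
    if m is None:
        return 400, "no AssertionArtifact in request"
    try:
        parts = decode_artifact(m.group(1))
    except ValueError as e:
        return 400, str(e)
    if parts["source_id"] != SOURCE_SITE_ID:
        return 400, "artifact was not minted by this source site"
    assertion = store.pop(parts["handle"], None)   # one-time use: a replayed artifact finds nothing
    body = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
            'MajorVersion="1" MinorVersion="1">'
            '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
            + (assertion or "") + "</samlp:Response>")
    return 200, body


def dereference(store: dict, artifact: str, present_client_cert: bool) -> Tuple[int, Optional[str]]:
    """Destination-site side of the exchange. A real client presents the certificate in the
    TLS handshake (e.g. ssl.SSLContext.load_cert_chain); the flag stands in for that here."""
    subject = "CN=localhost" if present_client_cert else None
    status, body = ars_handle(store, "rp_00002", subject, build_ars_request(artifact))
    if status != 200:
        return 403, None                           # "Unable to dereference artifact -- returning SC_FORBIDDEN"
    m = re.search(r"<saml:Assertion[^>]*>(.*?)</saml:Assertion>", body)
    return 200, (m.group(1) if m else None)
```

Decoding both artifacts from the post shows they share the same SourceID with different handles, i.e. both were minted by the same source site; the 403 comes from the partner authentication in front of the lookup, not from the artifact itself. The model also consumes each handle on first use, so a replayed artifact resolves to an empty Response.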