带有WSO2身份服务器的PHP webapp的SSO。身份验证请求失败

时间:2014-03-04 20:30:19

标签: php wso2 single-sign-on saml

我正在尝试使用WSO2 Identity Server在PHP中为SSO配置Web应用程序。我可以在java中配置一个webapp,它可以运行,但是php。

对于PHP,我使用:http://support.onelogin.com/entries/268420-saml-toolkit-for-php

我正面临关注错误[IS控制台]:

[2014-03-04 14:58:26,891] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Query string : SAMLRequest=fVPLbtswELznKwLeZVGyYieEJUB1%2BjDg2oKt9NAbQ
65rARSpcqnG%2FftSDzdO0XgvBIazw9kHF8hr1bC8dUe9g58toLu59XGqlUbWX6aktZoZjhUyzWtA5gTb51%2FXLJ5Q1ljjjDCK%2FJN2PYsjgnWV0UPa6jEl283H9fbzaiPo7E7OHzg9zO%2BnMBPJLJJ0SiGR8TymQj7HCQcZw
ZD5DSx6mZR41VELsYWVRse18zCNkoBOA5qU0QO7u2fx7PvAK0bjHyotK%2F3jut%2FngYTsS1kWQbHdl4NIfq5jaTS2Ndg92F%2BVgKfdOiVH5xoWhsoIro4GXdgcm6DrTSgG9sQDJOuFFh3Oeu82O%2FMW4SX6ymvYxjtcPRZGV
eJ3j3fxydiau%2FcLiSZRj1QyOPRUBjWvVC6lBUTyVydXyrwsLXAHKXG2BZINTt6%2B%2B8bQuDsg%2B03y3XBwcrdLUzfcVtgNCE5cuLHa14ov6Uvl12IHh%2Bzq5ggmOp6HC3%2B8GCu7SYLwb5eWa2yMdWPj%2Fis%2BuA6v2
M5uzteX3yL7Aw%3D%3D
[2014-03-04 14:58:26,893] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Request message <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGINc065d79a0f783e6c461d030e4d2720cdb24aed1e"
    Version="2.0"
    IssueInstant="2014-03-04T19:58:26Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost/php-saml/consume.php">
    <saml:Issuer>php-saml</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
[2014-03-04 14:58:26,898] DEBUG {org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator} -  Authentication Request Validation is successful..
[2014-03-04 14:58:26,903] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  CommonApplicationAuthenticationSer
vlet sessionDataKey: a0eef9ff-73cc-4862-87f3-afe17c21c2fc
[2014-03-04 14:58:26,905] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  The query-string sent by the calli
ng servlet is: SAMLRequest=fVPLbtswELznKwLeZVGyYieEJUB1+jDg2oKt9NAbQ65rARSpcqnG/ftSDzdO0XgvBIazw9kHF8hr1bC8dUe9g58toLu59XGqlUbWX6aktZoZjhUyzWtA5gTb51/XLJ5Q1ljjjDCK/JN2PYsjg
nWV0UPa6jEl283H9fbzaiPo7E7OHzg9zO+nMBPJLJJ0SiGR8TymQj7HCQcZwZD5DSx6mZR41VELsYWVRse18zCNkoBOA5qU0QO7u2fx7PvAK0bjHyotK/3jut/ngYTsS1kWQbHdl4NIfq5jaTS2Ndg92F+VgKfdOiVH5xoWhsoIr
o4GXdgcm6DrTSgG9sQDJOuFFh3Oeu82O/MW4SX6ymvYxjtcPRZGVeJ3j3fxydiau/cLiSZRj1QyOPRUBjWvVC6lBUTyVydXyrwsLXAHKXG2BZINTt6++8bQuDsg+03y3XBwcrdLUzfcVtgNCE5cuLHa14ov6Uvl12IHh+zq5ggmO
p6HC3+8GCu7SYLwb5eWa2yMdWPj/is+uA6v2M5uzteX3yL7Aw==&issuer=php-saml&sessionDataKey=77a7f01b-1fd1-4637-a0d8-7ffdb8094163&type=samlsso&commonAuthCallerPath=..%2F..%2Fsamlsso&
forceAuthenticate=true
[2014-03-04 14:58:26,908] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  BasicAuthenticator has set custom
status code: 11
[2014-03-04 14:58:30,660] DEBUG {org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator} -  User is successfully authenticated.
[2014-03-04 14:58:30,663]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'admin@carbon.super [-1234]' logged in at [2014-03-04 14:58:30,663-0500]
[2014-03-04 14:58:30,665] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  Authenticaticated by BasicAuthenti
cator in single-factor mode
[2014-03-04 14:58:30,666] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  Sending response back to: ../../sa
mlsso
[2014-03-04 14:58:30,669] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Query string : null
[2014-03-04 14:58:30,672]  WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Destination validation for Authentication Request failed. R
eceived: [null]. Expected: [https://localhost:9443/samlsso]

正如您所看到的那样:

[2014-03-04 14:58:30,672]  WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Destination validation for Authentication Request failed. R
eceived: [null]. Expected: [https://localhost:9443/samlsso]

在Identity Server中,我在Web控制台中看到此消息:

基于SAML 2.0的单点登录 处理身份验证请求时出错! 请再次尝试登录。

更新1:在IS源代码中搜索我找到了这个片段:

 if (authnReqDTO.getCertAlias() != null) {

                // Validate 'Destination'
                String idpUrl = IdentityUtil.getProperty(IdentityConstants.ServerConfig.SSO_IDP_URL);

                if (authnReqDTO.getDestination() == null
                        || !idpUrl.equals(authnReqDTO.getDestination())) {
                    String msg = "Destination validation for Authentication Request failed. " +
                            "Received: [" + authnReqDTO.getDestination() + "]." +
                            " Expected: [" + idpUrl + "]";
                    log.warn(msg);
                    return buildErrorResponse(authnReqDTO.getId(),
                            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
                }

                // validate the signature
                boolean isSignatureValid = SAMLSSOUtil.validateAuthnRequestSignature(authnReqDTO);

                if (!isSignatureValid) {
                    String msg = "Signature validation for Authentication Request failed.";
                    log.warn(msg);
                    return buildErrorResponse(authnReqDTO.getId(),
                            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
                }
            }

UPDATE2: 我开始比较来自PHP应用程序和JAVA应用程序的AuthnRequest发送。 PHP应用程序:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN7a1cbb4a8d17af21129b185b43801b84481658f9"
    Version="2.0"
    IssueInstant="2014-03-04T21:09:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost/php-saml/consume.php">
    <saml:Issuer>php-saml</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

JAVA app:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
AssertionConsumerServiceURL="http://localhost:8080/travelocity.com/samlsso-home.jsp" 
AttributeConsumingServiceIndex="1701087467" 
Destination="https://localhost:9443/samlsso" 
ForceAuthn="false" 
ID="0" 
IsPassive="true" 
IssueInstant="2014-03-04T21:10:49.696Z" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">travelocity.com</samlp:Issuer>
<saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer"/>
<saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

我认为我需要在PHP中配置我的webapp中的Destination参数。

1 个答案:

答案 0 :(得分:2)

最后我有这个场景。

在OneLogin的AuthRequest.php文件中,我更改了这段代码以包含Destination属性:

        $request = <<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="$id"
    Version="2.0"
    IssueInstant="$issueInstant"
    Destination="{$this->_settings->idpSingleSignOnUrl}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{$this->_settings->spReturnUrl}">
    <saml:Issuer>{$this->_settings->spIssuer}</saml:Issuer>
    <samlp:NameIDPolicy
        Format="{$this->_settings->requestedNameIdFormat}"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
AUTHNREQUEST;

在WSO2 IS中,我选中启用响应签名和启用断言签名选项。

要使其正常工作,我必须取消选中“由于WSO2 IS中的此错误而在身份验证请求和注销请求中启用签名验证”选项:

[2014-03-04 19:12:10,914] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Error validating deflate signature
org.opensaml.ws.security.SecurityPolicyException: Could not extract the Signature from query string
        at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.getSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:139)
        at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.validateSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:63)
        at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateDeflateSignature(SAMLSSOUtil.java:625)
        at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateAuthnRequestSignature(SAMLSSOUtil.java:578)
        at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:108)
        at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:301)
        at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:102)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:236)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)
[2014-03-04 19:12:11,012]  WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Signature validation for Authentication Request failed.
[2014-03-04 19:12:11,048] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Invalid SAML SSO Request
[2014-03-04 19:12:11,054] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Error when processing the authentication request!
org.wso2.carbon.identity.base.IdentityException: Invalid SAML SSO Request
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:262)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)
[2014-03-04 19:12:31,348] DEBUG {org.wso2.carbon.identity.core.dao.SAMLSSOServiceProviderDAO} -  Service Provider php-saml is added successfully.