我正在研究一个项目,基本上已达到了一个我不知道如何做得更远的地步。
尝试与供应商合作,使用SAML设置SSO流程。我们目前正在手工完成这个过程,因为我们没有像SimpleSAMLPHP那样实现解决方案。
为了测试这个过程,我们将SimpleSAMLPHP设置为服务提供者。它在我们的测试阶段一直是一个很大的帮助,但我们目前正在收到此错误:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /portal/server/htdocs/saml/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Neither the assertion nor the response was signed.
Backtrace:
3 /portal/server/htdocs/saml/modules/saml/lib/Message.php:554 (sspmod_saml_Message::processAssertion)
2 /portal/server/htdocs/saml/modules/saml/lib/Message.php:518 (sspmod_saml_Message::processResponse)
1 /portal/server/htdocs/saml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /portal/server/htdocs/saml/www/module.php:135 (N/A)
以下是我们发送给SP的SAML请求,以确定我们是否可以进行身份验证。
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="efmlkhlddlofoifkbikjkbemicpndhjingeioamb" Version="2.0" IssueInstant="2014-04-14T15:09:50Z" Destination="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm" Version="2.0" IssueInstant="2014-04-14T15:09:50Z">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>
<saml:Subject>
<saml:NameID SPNameQualifier="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">123456789</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-04-14T15:19:50Z" Recipient="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-04-14T15:04:50Z" NotOnOrAfter="2014-04-14T15:19:50Z">
<saml:AudienceRestriction>
<saml:Audience>https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-04-14T15:09:50Z" SessionNotOnOrAfter="2014-04-14T16:09:50Z" SessionIndex="hkckflaackcdmckckpipgjpdgdlhmiieclpigaij">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="eagleID" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<saml:AttributeValue xsi:type="xs:string">123456789</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<saml:AttributeValue xsi:type="xs:string">cwsterling@mediumuniversity.edu</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm"><ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>p/aLBlix/UI0oNiHgg4t5fgkwJg=</ds:DigestValue></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>AsVSwH8mVNHhOak3z2A9j8F/1Q67Yuw472K9BI649EUePdT8QOCW/+BTS+OG+CM++Yn1J7ceT+pwYvOLMr5HFcUcdr8VMZNfPuk2oefs4afK8BpP2ndskPlGhfFx7UlkdXdu41dzWMJeaULo1KfcHtKF0e1ZgObucN3GCNDs97s=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data> <ds:X509Certificate>MIIC2DCCAkGgAwIBAgIJAMCu9vwLblc3MA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTETMBEGA1UEBwwKU3RhdGVzYm9ybzEkMCIGA1UECgwbR2VvcmdpYSBTb3V0aGVybiBVbml2ZXJzaXR5MSgwJgYDVQQLDB9FbnRlcnByaXNlIEFwcGxpY2F0aW9uIFNlcnZpY2VzMB4XDTE0MDMyNTEyMjg1NVoXDTE0MDQyNDEyMjg1NVowgYQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdHZW9yZ2lhMRMwEQYDVQQHDApTdGF0ZXNib3JvMSQwIgYDVQQKDBtHZW9yZ2lhIFNvdXRoZXJuIFVuaXZlcnNpdHkxKDAmBgNVBAsMH0VudGVycHJpc2UgQXBwbGljYXRpb24gU2VydmljZXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANN71CK2aSfTTd63cEkhG/DlpIOMtkUTLQLRfUFZ1U5RX8TA0NcmVMwJcIKVHllsJiwNZBl2RT/GUb+1PwLUkiUxFNZ6eT1qQ6t8SaPosv40ofnD4AXEGwG5Rzx3BvBSuz+viCc8/yjNY4RqSQ/wS34tMd0Eu9Z+Q6MZsmVmBWefAgMBAAGjUDBOMB0GA1UdDgQWBBS46JUAvJGsu79wMjdba7q3iOQ3xTAfBgNVHSMEGDAWgBS46JUAvJGsu79wMjdba7q3iOQ3xTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL+iVErbdU6lCISWWE7Dr3efaDAhyAxQVU/nLIi8aHvniQCQ6uACQhkQbfZpRdB6cbBDKzzsZD2pqIwY+N/yeomyRhpGqw0Y+q3Wa5tOoyY/AheCfqfRgVSfWkNFLv8Ri4G5Gz+2PJeMuZq4aJ5II/m0OUCn+84OOXDBiPs8+K</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>
现在,在为代码格式化时,我错误地在那里抛出了几个空格。
我正在使用此PHP库签署SAML文件:https://code.google.com/p/xmlseclibs/并使用以下代码:
$doc = new DOMDocument();
$doc->load($tempFileName);
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
/* load private key */
$objKey->loadKey( $privKey, TRUE);
$objDSig->sign($objKey);
/* Add associated public key */
$objDSig->add509Cert(file_get_contents('gsukeys/academicworks_pub.pem'));
$objDSig->appendSignature($doc->documentElement);
$doc->save($tempFileName.'.out');
我会说,如果我没有这一行的最后部分
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));
特别是, array('force_uri' => true,'uri_context'=>$encHash1)
服务提供商看到该文件并成功验证我的请求。
有关如何创建此文件以发送的任何建议吗?我们不希望将SimpleSAMLPHP作为我们的登录实现,因为这需要更改我们整个登录过程,我们在夏季已经改变以与CAS集成。
编辑以阐明我所做的更改如何使其发挥作用。
当我告诉它去除引用URI部分时,它摆脱了这个:URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm"
并且不再指向签名文档的特定部分。所以我觉得整个文档都已签名,或者签名刚刚添加到文档中,而SimpleSAMLPHP只是忽略了签名。
编辑2:我忘了更新这个,我最终找到了这个代码:http://michaelseiler.net/2013/08/23/cas-and-google-sso-integration/这对我很有帮助,我在2次尝试后能够做我想做的事。
答案 0 :(得分:0)
您可以考虑使用lightsaml库。使用断言进行签名的响应看起来像这样
$response = new Response();
$response->setID(Helper::generateID());
$response->setInResponseTo($request->getID());
$response->setIssueInstant(time());
$response->setDestination($destination);
$assertion = new Assertion();
$response->addAssertion($assertion);
$subject = new Subject();
$assertion->setSubject($subject);
$assertion->setNameID(NameID($username, NameIDPolicy::PERSISTENT));
$subjectConfirmation = new SubjectConfirmation();
$subject->addSubjectConfirmation($subjectConfirmation);
$subjectConfirmation->setMethod(Protocol::CM_BEARER);
$data = new SubjectConfirmationData();
$subjectConfirmation->setData($data);
$data->setInResponseTo($request->getID());
$data->setNotOnOrAfter(time()+$this->expirationTime);
$data->setRecipient($recipient);
$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time()+$this->expirationTime);
$assertion->setValidAudience(array($request->getIssuer()));
$authnStatement = new AuthnStatement();
$authnStatement->setAuthnContext($this->authnContextClassRef);
$assertion->setAuthnStatement($authnStatement);
$assertion->addAttribute(new Attribute(ClaimTypes::COMMON_NAME, array('username'), 'Common Name'));
$signatureCreator = new SignatureCreator();
$signatureCreator->setXmlSecurityKey($xmlSecKey);
$signatureCreator->setCertificate($certificate);
$response->setSignature($signatureCreator);
$bindingManager = new BindingManager();
$r = $bindingManager->send($response);
$r->render();