WSO2 SSO and multi-tenancy issues

Time: 2014-05-01 22:22:19

Tags: wso2 single-sign-on identity wso2carbon

I am evaluating SSO with WSO2 Identity Server and have run into the following problem/scenario. I have one or several SSO ServiceProviders (aka websites) and one WSO2 Identity Server. I want business customers to be able to manage their own users, and those users to be able to log in to the same ServiceProviders. I set up a service provider and I can log in to it with a user defined in WSO2. I then created a tenant and added the same issuer both in the tenant and in the global (super-tenant) scope. I can log in to the SSO-protected site with the global user as usual. I can also log in with the tenant user, but: when the request comes back after login, I see the following error on screen (and in the log):

org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Signature validation failed for SAML Response
    org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.validateSignature(SAML2SSOManager.java:467)
    org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:215)
    org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:142)
    org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:87)

I also see a lot of output in the log, ending with

16:45:39.399 [http-bio-8080-exec-1] WARN  o.a.x.s.signature.XMLSignature - Signature verification failed.
16:45:39.399 [http-bio-8080-exec-1] DEBUG o.o.xml.signature.SignatureValidator - Signature did not validate against the credential's key

directly before the exception. If I just hit F5, I am logged in and can use the site (meaning my SSOAgentSessionBean returns a valid subject).

If I try to log out from this session, I now get an error on the WSO2 IS side:

TID: [0] [IS] [2014-05-05 16:38:54,589] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Query string : SAMLRequest=nZLBbsIwDIZfJcqdtkCRRkTLkBASEgNpbDvsFlpDA6nNEjNtb79Ax0AcOEzKIYp%2F%2B7c%2FZzD8qq34BOcNYSbbUSIFYEGlwU0mX18mrQc5zAde17azVzPa0IGf4eMAnkXIRK%2BaUCYPDhVpb7xCXYNXXKjl6GmmOlGi9o6YCrJSjEOiQc0nt4p571Uc056NBe8pKiKNxBU4oyMEVv007cZHhxCUYjrO5BZ3ZGlH5Yq2dqc3Vbmt1xZwbUjbra1WdVWVWhdB7f0BpuhZI2eyk7TTVtIL56Wdqm5fJZ2o3UvepZgTL3DhRmsGd6tL04vuGbQ%2Fdr0MaCyIhoUUb2d2YVD5S0qdvN01ofuAtPfgjlBkHsa%2BQBjE1%2FXO1echfzr%2BT3UxIVdrvi8%2FvpiytT5JFSAb%2FpZ5syRd1gYfm3tUwrm%2FpqO%2Ff7IMywx2UyzhK85%2FRTffJ%2F8B&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=A9nB2Mt6aK%2Be8jlOau4ERjw6C1FX3ZiO%2FOzZ77oWhkNalypG7OSTYk6dndt8j4BpAeSfYEfQAh8VBhygL%2BBmcY8RFb93HpB6UnYEdoO0sQy3dhg1iZYoLEMnwScv8odbA54nXdPFT%2B%2FbTBK4rFJ6GcCphKHP9wJcwIPF0KVjKHU%3D {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
TID: [0] [IS] [2014-05-05 16:38:54,590] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Request message <?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://xxx.c.anotheria.net:9443/samlsso" ID="jnkolokodbojlkaghdjmflenfioaljlhbmhhdaac" IssueInstant="2014-05-05T14:39:02.150Z" NotOnOrAfter="2014-05-05T14:44:02.150Z" Reason="Single Logout" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">net.anotheria</saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">xxxadmin@xxx.de</saml2:NameID><saml2p:SessionIndex/></saml2p:LogoutRequest> {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
TID: [0] [IS] [2014-05-05 16:38:54,595] ERROR {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor} -  Error Processing the Logout Request {org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor}
java.lang.NullPointerException
    at org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor.process(LogoutRequestProcessor.java:116)
    at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:115)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:236)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
TID: [0] [IS] [2014-05-05 16:38:54,596] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Error when processing the authentication request! {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
org.wso2.carbon.identity.base.IdentityException: Error Processing the Logout Request
    at org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor.process(LogoutRequestProcessor.java:206)
    at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:115)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:236)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.NullPointerException
    at org.wso2.carbon.identity.sso.saml.processors.LogoutRequestProcessor.process(LogoutRequestProcessor.java:116)
    ... 38 more

I can log in and log out with global users without any problem. I assume the error is on the return side of the first login, but I cannot figure out which one.
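Two defender-side checks that help narrow down the symptoms in the question, written here as an added example (not code from the question, from WSO2, or from the answer below): first, a quick comparison of the certificate the IdP embeds in the Response's KeyInfo against the trust anchor the SP agent is configured with, which tells you whether the response was signed with the key you expected (in a multi-tenant setup the tenant's signing key need not be the super-tenant's); second, a pre-check of the LogoutRequest exactly as the IdP log above prints it, flagging the empty SessionIndex, a stale NotOnOrAfter, or a Destination/Issuer that does not belong to this IdP before the request reaches the logout processor. The SAML Response, its certificate bytes (`FAKE_CERT_DER`, not a real certificate), the IdP clock (`SERVER_TIME`), and the trusted-issuer set are constructed assumptions; the LogoutRequest is copied from the question's log.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for a signed SAML Response. FAKE_CERT_DER is NOT a real
# certificate, only arbitrary bytes so the fingerprint comparison runs offline.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
    "<saml:Issuer>localhost</saml:Issuer>"
    "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(FAKE_CERT_DER).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
)

# The LogoutRequest exactly as the IdP log in the question prints it.
LOGOUT_REQUEST_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://xxx.c.anotheria.net:9443/samlsso" '
    'ID="jnkolokodbojlkaghdjmflenfioaljlhbmhhdaac" IssueInstant="2014-05-05T14:39:02.150Z" '
    'NotOnOrAfter="2014-05-05T14:44:02.150Z" Reason="Single Logout" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">net.anotheria</saml2:Issuer>'
    '<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">xxxadmin@xxx.de</saml2:NameID>'
    "<saml2p:SessionIndex/></saml2p:LogoutRequest>"
)
EXPECTED_DESTINATION = "https://xxx.c.anotheria.net:9443/samlsso"  # this IdP's endpoint
TRUSTED_ISSUERS = {"net.anotheria"}  # assumed: SPs registered at the IdP
# Assumed IdP clock, a little after the request's IssueInstant.
SERVER_TIME = datetime(2014, 5, 5, 14, 40, 0, tzinfo=timezone.utc)


def presented_cert_fingerprint(response_xml):
    """SHA-256 of the certificate the IdP embedded in KeyInfo, or None if absent.
    KeyInfo is informational only: the real signature check must use the SP's own
    configured trust anchor, never a key taken from the message being verified."""
    root = ET.fromstring(response_xml.encode("utf-8"))
    cert = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        return None
    return hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()


def signer_matches_trust_anchor(response_xml, trusted_der):
    """True when the presented certificate is byte-identical to the configured one."""
    presented = presented_cert_fingerprint(response_xml)
    return presented is not None and presented == hashlib.sha256(trusted_der).hexdigest()


def _instant(value):
    # SAML timestamps are UTC with a trailing Z and optional fractional seconds.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_logout_request(xml_text, expected_destination, trusted_issuers, now, max_skew=180):
    """Return a list of problems; an empty list means the request passed every check."""
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return ["root element is not samlp:LogoutRequest"]
    if root.get("Version") != "2.0":
        problems.append("unsupported Version")
    if not root.get("ID"):
        problems.append("missing ID")
    if root.get("Destination") != expected_destination:
        problems.append("Destination does not match this endpoint")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() not in trusted_issuers:
        problems.append("Issuer is missing or not a registered service provider")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    session_index = root.find("samlp:SessionIndex", NS)  # optional, but must not be empty
    if session_index is not None and not (session_index.text or "").strip():
        problems.append("SessionIndex is present but empty")
    if root.get("IssueInstant") and _instant(root.get("IssueInstant")) > now + timedelta(seconds=max_skew):
        problems.append("IssueInstant is in the future")
    if root.get("NotOnOrAfter") and now >= _instant(root.get("NotOnOrAfter")):
        problems.append("request has expired (NotOnOrAfter)")
    return problems


def demo():
    """The logged request as-is, the same request replayed later, and sent to the wrong IdP."""
    return {
        "as_logged": check_logout_request(LOGOUT_REQUEST_XML, EXPECTED_DESTINATION, TRUSTED_ISSUERS, SERVER_TIME),
        "replayed_later": check_logout_request(LOGOUT_REQUEST_XML, EXPECTED_DESTINATION, TRUSTED_ISSUERS,
                                               SERVER_TIME + timedelta(minutes=10)),
        "wrong_endpoint": check_logout_request(LOGOUT_REQUEST_XML, "https://idp.example.test/samlsso",
                                               TRUSTED_ISSUERS, SERVER_TIME),
    }


if __name__ == "__main__":
    print("signer matches trust anchor:", signer_matches_trust_anchor(RESPONSE_XML, FAKE_CERT_DER))
    for name, problems in demo().items():
        print(name, problems or ["ok"])
```

Run against the logged request, the only finding is the empty SessionIndex; the fingerprint comparison is a diagnostic for "which key signed this", not a substitute for XML signature verification, which the SP agent must still perform against its configured certificate.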

1 Answer:

Answer 0 (score: 1)

First, check whether you can log in to WSO2 IS with the tenant user you created.

If you created the tenant and then registered the SP within the tenant, you should be able to log in with the tenant user to the website that uses WSO2 Identity Server as the IdP.

From the messages you are seeing, this appears to be an error in authentication, not something SSO-specific.

Thanks, Pushpalanka