我已经有一段时间遇到这个问题了,这让我疯了。我正在尝试创建一个客户端(在C#.NET 2.0中),它将使用SAML 1.1登录WebLogic 10.0服务器(即使用浏览器/帖子配置文件的单点登录方案)。客户端位于WinXP计算机上,WebLogic服务器位于RHEL 5计算机上。
我的客户主要基于此处示例中的代码:http://www.codeproject.com/KB/aspnet/DotNetSamlPost.aspx(源代码中有SAML 1.1的部分)。
我根据SAML目标网站的说明设置了WebLogic:http://www.oracle.com/technology/pub/articles/dev2arch/2006/12/sso-with-saml4.html
我使用VS 2005附带的makecert创建了一个证书。
makecert -r -pe -n "CN=whatever" -b 01/01/2010 -e 01/01/2011 -sky exchange whatever.cer -sv whatever.pvk
pvk2pfx.exe -pvk whatever.pvk -spc whatever.cer -pfx whatever.pfx
然后我将.pfx安装到我的个人证书目录,并将.cer安装到WebLogic SAML Identity Asserter V2中。
我在另一个网站上读到,在签名后将响应格式化为可读(即添加空格)会导致此问题,因此我尝试了打开/关闭.Indent XMLWriterSettings和打开/关闭的各种组合。加载XML文档时保留白色空间,但没有任何区别。我已经在编码/发送消息之前以及在消息到达/解码之后打印了SignatureValue,它们是相同的。
因此,要明确:响应似乎已经形成,编码,发送和解码(我在WebLogic日志中看到了完整的响应)。 WebLogic查找我希望它使用的证书,验证是否提供了密钥,获取签名信息,然后无法验证签名。
代码:
public string createResponse(Dictionary<string, string> attributes){
ResponseType response = new ResponseType();
// Create Response
response.ResponseID = "_" + Guid.NewGuid().ToString();
response.MajorVersion = "1";
response.MinorVersion = "1";
response.IssueInstant = System.DateTime.UtcNow;
response.Recipient = "http://theWLServer/samlacs/acs";
StatusType status = new StatusType();
status.StatusCode = new StatusCodeType();
status.StatusCode.Value = new XmlQualifiedName("Success", "urn:oasis:names:tc:SAML:1.0:protocol");
response.Status = status;
// Create Assertion
AssertionType assertionType = CreateSaml11Assertion(attributes);
response.Assertion = new AssertionType[] {assertionType};
//Serialize
XmlSerializerNamespaces ns = new XmlSerializerNamespaces();
ns.Add("samlp", "urn:oasis:names:tc:SAML:1.0:protocol");
ns.Add("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
XmlSerializer responseSerializer =
new XmlSerializer(response.GetType());
StringWriter stringWriter = new StringWriter();
XmlWriterSettings settings = new XmlWriterSettings();
settings.OmitXmlDeclaration = true;
settings.Indent = false;//I've tried both ways, for the fun of it
settings.Encoding = Encoding.UTF8;
XmlWriter responseWriter = XmlTextWriter.Create(stringWriter, settings);
responseSerializer.Serialize(responseWriter, response, ns);
responseWriter.Close();
string samlString = stringWriter.ToString();
stringWriter.Close();
// Sign the document
XmlDocument doc = new XmlDocument();
doc.PreserveWhiteSpace = true; //also tried this both ways to no avail
doc.LoadXml(samlString);
X509Certificate2 cert = null;
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection coll = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "distName", true);
if (coll.Count < 1) {
throw new ArgumentException("Unable to locate certificate");
}
cert = coll[0];
store.Close();
//this special SignDoc just overrides a function in SignedXml so
//it knows to look for ResponseID rather than ID
XmlElement signature = SamlHelper.SignDoc(
doc, cert, "ResponseID", response.ResponseID);
doc.DocumentElement.InsertBefore(signature,
doc.DocumentElement.ChildNodes[0]);
// Base64Encode and URL Encode
byte[] base64EncodedBytes =
Encoding.UTF8.GetBytes(doc.OuterXml);
string returnValue = System.Convert.ToBase64String(
base64EncodedBytes);
return returnValue;
}
private AssertionType CreateSaml11Assertion(Dictionary<string, string> attributes){
AssertionType assertion = new AssertionType();
assertion.AssertionID = "_" + Guid.NewGuid().ToString();
assertion.Issuer = "madeUpValue";
assertion.MajorVersion = "1";
assertion.MinorVersion = "1";
assertion.IssueInstant = System.DateTime.UtcNow;
//Not before, not after conditions
ConditionsType conditions = new ConditionsType();
conditions.NotBefore = DateTime.UtcNow;
conditions.NotBeforeSpecified = true;
conditions.NotOnOrAfter = DateTime.UtcNow.AddMinutes(10);
conditions.NotOnOrAfterSpecified = true;
//Name Identifier to be used in Saml Subject
NameIdentifierType nameIdentifier = new NameIdentifierType();
nameIdentifier.NameQualifier = domain.Trim();
nameIdentifier.Value = subject.Trim();
SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
subjectConfirmation.ConfirmationMethod = new string[] { "urn:oasis:names:tc:SAML:1.0:cm:bearer" };
//
// Create some SAML subject.
SubjectType samlSubject = new SubjectType();
AttributeStatementType attrStatement = new AttributeStatementType();
AuthenticationStatementType authStatement = new AuthenticationStatementType();
authStatement.AuthenticationMethod = "urn:oasis:names:tc:SAML:1.0:am:password";
authStatement.AuthenticationInstant = System.DateTime.UtcNow;
samlSubject.Items = new object[] { nameIdentifier, subjectConfirmation};
attrStatement.Subject = samlSubject;
authStatement.Subject = samlSubject;
IPHostEntry ipEntry =
Dns.GetHostEntry(System.Environment.MachineName);
SubjectLocalityType subjectLocality = new SubjectLocalityType();
subjectLocality.IPAddress = ipEntry.AddressList[0].ToString();
authStatement.SubjectLocality = subjectLocality;
attrStatement.Attribute = new AttributeType[attributes.Count];
int i=0;
// Create SAML attributes.
foreach (KeyValuePair<string, string> attribute in attributes) {
AttributeType attr = new AttributeType();
attr.AttributeName = attribute.Key;
attr.AttributeNamespace= domain;
attr.AttributeValue = new object[] {attribute.Value};
attrStatement.Attribute[i] = attr;
i++;
}
assertion.Conditions = conditions;
assertion.Items = new StatementAbstractType[] {authStatement, attrStatement};
return assertion;
}
private static XmlElement SignDoc(XmlDocument doc, X509Certificate2 cert2, string referenceId, string referenceValue) {
// Use our own implementation of SignedXml
SamlSignedXml sig = new SamlSignedXml(doc, referenceId);
// Add the key to the SignedXml xmlDocument.
sig.SigningKey = cert2.PrivateKey;
// Create a reference to be signed.
Reference reference = new Reference();
reference.Uri= String.Empty;
reference.Uri = "#" + referenceValue;
// Add an enveloped transformation to the reference.
XmlDsigEnvelopedSignatureTransform env = new
XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
// Add the reference to the SignedXml object.
sig.AddReference(reference);
// Add an RSAKeyValue KeyInfo (optional; helps recipient find key to validate).
KeyInfo keyInfo = new KeyInfo();
keyInfo.AddClause(new KeyInfoX509Data(cert2));
sig.KeyInfo = keyInfo;
// Compute the signature.
sig.ComputeSignature();
// Get the XML representation of the signature and save
// it to an XmlElement object.
XmlElement xmlDigitalSignature = sig.GetXml();
return xmlDigitalSignature;
}
要在我的客户端应用中打开该页面,
string postData = String.Format("SAMLResponse={0}&APID=ap_00001&TARGET={1}", System.Web.HttpUtility.UrlEncode(builder.buildResponse("http://theWLServer/samlacs/acs",attributes)), "http://desiredURL");
webBrowser.Navigate("http://theWLServer/samlacs/acs", "_self", Encoding.UTF8.GetBytes(postData), "Content-Type: application/x-www-form-urlencoded");
答案 0 :(得分:1)
reference.AddTransform(new XmlDsigExcC14NTransform());
据我所知,将规范化方法更改为独占。我认为这已经完成了(因为CanonicalizationMethod元素出现在Response中),但显然不是。
现在我遇到了一个不同的错误,告诉我“持票人”主题确认方法无效。我以为我在某处读到了承载方法是用于浏览器/ POST的方法,但在这一点上,我很高兴能够克服我几乎不关心的第一个错误。