我正在使用spring-boot-security-saml-sample并尝试将其连接到使用vmware身份设备进行SSO的应用程序。
我可以运行vanilla示例应用程序,但是当我将IDP元数据更改为指向vmware身份服务器时,我遇到了一些问题。
我的应用程序使用包含私钥的本地密钥库,并且我已将IDP元数据中的证书手动导入其中。当应用程序重定向时,我在vmware身份服务器端看到错误:
java.lang.NullPointerException
com.vmware.identity.samlservice.impl.SamlServiceImpl.verifySignature(SamlServiceImpl.java:124)
com.vmware.identity.samlservice.AuthnRequestState.parseRequestForTenant(AuthnRequestState.java:341)
com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:63)
com.vmware.identity.SsoController.sso(SsoController.java:68)
sun.reflect.GeneratedMethodAccessor113.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)
org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:938)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:870)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:961)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
我的假设是我做错了,因为身份服务器在尝试验证签名()时出错了。我的应用程序中没有看到任何错误。
这是我的idp元数据:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:vmes="http://vmware.com/schemas/attr-names/2012/04/Extensions" entityID="https://hostname:7444/websso/SAML2/Metadata/vsphere.local">
<Extensions>
<vmes:ExportedOn>2015-02-26T02:52:39Z</vmes:ExportedOn>
<vmes:ExportedBy>Exported by VMware Identity Server (c) 2012</vmes:ExportedBy>
</Extensions>
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SSO/vsphere.local"/>
<saml:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="userPrincipalName" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
<saml:Attribute FriendlyName="email" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
</IDPSSODescriptor>
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SsoClient/SLO/vsphere.local"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hostname:7444/websso/SsoClient/SSO/vsphere.local" index="0"/>
</SPSSODescriptor>
我对该示例所做的唯一修改是更改元数据提供程序,将密钥库指向本地文件,将两个证书从元数据文件导入密钥库,并指向extendedMetadata以引用其中一个证书并使用私钥作为signingKey
任何可能出错的想法?
答案 0 :(得分:0)
我将密钥库中的私钥更改为带有sigalg SHA1WithRSA的RSA密钥,这似乎解决了这个问题。不确定vmware身份服务器是否限制sigalg,但无论哪种方式,它看起来都是一个bug。为了完整起见,我用这个命令创建了我的私钥:
keytool -genkey -alias server -keyalg RSA -sigalg SHA1WithRSA -keysize 2048 -keystore mykeystore -dname&#34; CN = www.mycompany.com,OU = it,O = mycompany,L = city,ST = state ,C = US&#34; -storepass keystorepass