Question

我是SAML的新手，在这一点上非常困惑。我正在使用Kentor生成一个Saml2Response，但它看起来并不像我的依赖方期待的那样。他们专门寻找嵌入在响应中的证书。

我需要生成这个。

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_09f6a725ecf844128a5f7ef8cc1e7620"
IssueInstant="2013-12-11T03:52:21.770Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
            <ds:Reference URI="#_09f6a725ecf844128a5f7ef8cc1e7620" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:Transform
                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyName>[removed]</ds:KeyName>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cadd3488f62c6d3b9933fdb56d9e8ddc"
    IssueInstant="2013-12-11T03:52:21.770Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">[removed]</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                <ds:Reference URI="#_cadd3488f62c6d3b9933fdb56d9e8ddc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">DATA_REMOVED</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:KeyName>CN=, O=, C=US</ds:KeyName>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="com.sms">0500555</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotBefore="2013-12-11T03:47:21.770Z" NotOnOrAfter="2013-12-11T03:57:21.770Z" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2013-12-11T03:52:21.770Z" NotOnOrAfter="2013-12-11T03:57:21.770Z"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" />
        <saml2:AuthnStatement AuthnInstant="2013-12-11T03:52:21.770Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="AppData" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">A_Party_PI.Person.FirstName =John& A_Party_PI.Person.LastName =Smith</saml2:AttributeValue>
            </saml2:Attribute>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

我从Kentor得到的是：

<?xml version="1.0"?>
<saml2p:Response
    Destination="https://[destinationUrl]"
    ID="ide5470d1f5a9a48d1822f71ea5a5363f2"
    IssueInstant="2015-05-28T13:35:44Z"
    Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        ritterim.com
    </saml2:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#ide5470d1f5a9a48d1822f71ea5a5363f2">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>7YmTpqZR6Ba4/eDrEqQt7BGit0A=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
        </SignatureValue>
    </Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="_77b39d8e-bcc4-48c2-b6c7-fe6e87414461"
        IssueInstant="2015-05-28T13:35:44Z" Version="2.0"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>ritterim.com</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID>0500555</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
        </saml2:Subject>
        <saml2:Conditions NotOnOrAfter="2015-05-28T13:37:44Z"/>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="AppData">
                <saml2:AttributeValue>A_Party_PI.Person.FirstName =John&amp; A_Party_PI.Person.LastName =Smith</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

任何帮助都会受到赞赏，因为我甚至不确定我是否在正确的舞台上。

Answer 1

我将通过评论回复中的差异来回答。

xml声明中没有编码。可能无所适从。
添加了Issuer，它是可选的。
我假设您已从AuthServices响应中删除了SignatureValue。
AuthServices目前不在签名中包含KeyInfo（可选）
AuthServices不签署断言，只签署响应。
XML名称空间声明由AuthServices放在一个地方，而不是全部重复。
主题名称上没有格式（可选）
主题名称上没有NameQualifier（可选）
属性上没有NameFormat（可选）
AttributeValue上没有xml类型（xsi：string）（它是可选的）

基本上Kentor.AuthServices遗漏了一堆可选的东西，但其他消息是等价的。

您必须提供更多有关导致问题的问题的详细信息，以获取相关帮助。

如何生成目标指定的SAML2Response

1 个答案: