我需要一些帮助。我使用此project (play-pac4j-scala-demo)来测试我的wso2is SAML服务器,我所做的唯一更改是在google.script.run
.withSuccessHandler(google.script.host.close)
.gsSheetCreateSuccess();
文件中,替换为此内容:
openidp-feide.xml以上是Idp元数据。接下来,在wso2is服务器中,我创建了一个发行者,如下所示:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data >
<ds:X509Certificate >
MIIEVTCCAz2gAwIBAgIQIzI6SPzN4kG8sJ2/gY6QDTANBgkqhkiG9w0BAQsFADCB
hDE7MDkGA1UECwwyZ2VuZXJhdGVkIGJ5IGF2YXN0ISBhbnRpdmlydXMgZm9yIFNT
TC9UTFMgc2Nhbm5pbmcxHzAdBgNVBAoMFmF2YXN0ISBXZWIvTWFpbCBTaGllbGQx
JDAiBgNVBAMMG2F2YXN0ISBXZWIvTWFpbCBTaGllbGQgUm9vdDAeFw0xNTAxMjAy
MDA2MzlaFw0xNjAxMjAyMDA2MzlaMD8xITAfBgNVBAsTGERvbWFpbiBDb250cm9s
IFZhbGlkYXRlZDEaMBgGA1UEAwwRKi5qZndlYnBvcnRhbC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvNSZgsBqc+0iEQL//mc/sWCKsTQTnxCEs
4FL4JN7RzoV0rftB0XkxxSdss66YeSwZ1/hN8hNkswDyL9ttlsum8r4brirJdRgI
XaXYj5gzGKWa5fhbQjeUQ3FqXQbM+ytnHvUvD4JqRgs3ccXEpHf35dk/2MtveI0b
us8IeCbvrScerbG5a6zdz2pPmlh5jRc/MQ8mHWQjYZTf4/hLMZR2iXzVAhCD59BG
aPAWUBbv4uz44xs288QDhA8Ty0+M0fHNxH6v5v1AFENMaMVwoeLb8d2VkFZK+1nm
kRTgGeVupab3k4+3XlV7QKD9EqsfDso+oAiRIrvvmAXC3BMkwEflAgMBAAGjggEF
MIIBATAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAOBgNVHQ8BAf8EBAMCBaAwUwYDVR0gBEwwSjBIBgtghkgBhv1tAQcXATA5MDcG
CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
aXRvcnkvMB8GA1UdIwQYMBaAFBlpv0JwXwGkdtayZXqLgJRKp/VxMC0GA1UdEQQm
MCSCESouamZ3ZWJwb3J0YWwuY29tgg9qZndlYnBvcnRhbC5jb20wHQYDVR0OBBYE
FBpRAaygfEl1uFhj8ijqTcjA71V0MA0GCSqGSIb3DQEBCwUAA4IBAQCT7CS4yUUd
VI+oE7KGsGmTgtjEc7Ui211v5f6HUmscz2g/udFJwppKkutoRVovrVl6S64LVIpY
pgmwDCreBwxhwmn+x4W1GpQ97R9PLTW2QAh5AoBbUCT8y/RbLvxY9W9Qz5gj5RIi
NRi7i2J/omo/qh5mQfC6WRmHz91mKSv6+Ts5S+PGB30kkezYXc7KG/1z4L7nBlLs
brsIcG7fVu7fRJEyxG64ePONIm0zu4agOWd+AqBbfz6PS+RimgqGbIBNjBjJxGNi
ySG0z4s5NUsOxMgWc54HEOyTu6ULCaslrWVQqAZIYRDBoYt98LfkhDSMmT7+YN04
aWezsyuqis2V
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
其他属性保留默认选项。
但是当我尝试验证project (play-pac4j-scala-demo)时会抛出此例外:
Issuer : http://localhost:9000/callback?client_name=Saml2Client
Assertion Consumer URL *: http://localhost:9000/callback?client_name=Saml2Client
NameID format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Enable Attribute Profile: true
这里有什么问题?有人可以帮忙吗? 谢谢!
答案 0 :(得分:0)
我是play-pac4j的创建者,但遗憾的是没有SAML专家。我想您的IdP的SAML响应不包含必要的数据,因为它是一个明确的检查:https://github.com/pac4j/pac4j/blob/pac4j-1.7.0/pac4j-saml/src/main/java/org/pac4j/saml/sso/Saml2WebSSOProfileHandler.java#L127在pac4j(和pac4j-saml v1.7.1)中,SAML支持已经发展:也许你应该试一试......
答案 1 :(得分:0)
这表示方法decoder.decode无法确定要从SAML身份验证响应中使用的IDP。
如果您此时遇到错误,我假设您已成功重定向到您的IDP,输入您的凭据并重定向回您的应用程序,这是一个很好的起点。
请使用调试工具(例如适用于Firefox的SAML Tracer)读取SAML断言并检查IDP实体ID是否与您的设置一致。