我已经使用 GitHub 上的 gosaml 和 go-saml 软件包用 Go 语言构建了一个 IdP。两个软件包都使用 xmlsec 读取私钥来生成已签名的 SAML,但在尝试通过 Google 进行身份验证时,我收到以下错误:“Google Apps - 无法访问此帐户,因为我们无法解析登录请求。”我在两台不同的服务器(Windows 和 Linux)上验证过,确认问题不在 xmlsec;也试过 bitium 和 okta 响应的修改版本。密钥是用 OpenSSL 和 OneLogin 测试工具生成的。以下是从 Firefox 的 SAML Trace 中提取的、导致该错误的 SAML 响应:
<!-- SAML 2.0 Response captured from a browser trace. Destination (here) and the
     SubjectConfirmationData Recipient (below) both name Google's ACS endpoint,
     and InResponseTo on the Response and on SubjectConfirmationData carry the
     same AuthnRequest ID. The Response element is signed with an enveloped
     XML-DSig; the Assertion element carries no Signature of its own. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlsig="http://www.w3.org/2000/09/xmldsig#"
Destination="https://www.google.com/a/wikiplays.org/acs"
ID="_b521e7bc-9917-4c18-7e89-25032fb49278"
Version="2.0"
IssueInstant="2015-10-14T05:42:57.6982498Z"
InResponseTo="ncgobkpepepgfjhanlpafamijhhpklilagehhfee"
>
<!-- Issuer is a plain http URL of an IP address; this string is the IdP
     entity ID and must match what the service provider has configured.
     NOTE(review): cannot tell from the trace what Google has on file. -->
<saml:Issuer>http://104.175.190.209</saml:Issuer>
<samlsig:Signature Id="Signature1">
<samlsig:SignedInfo>
<!-- Exclusive C14N without comments: whitespace between elements is part of
     the digested bytes, XML comments are not. -->
<samlsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<!-- Both the signature and the reference digest are SHA-1 based (rsa-sha1,
     sha1). NOTE(review): SHA-1 is deprecated for signatures; relying parties
     may reject it. The SHA-256 equivalents are
     http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 and
     http://www.w3.org/2001/04/xmlenc#sha256. -->
<samlsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<!-- The Reference points at the Response ID above, so the whole Response
     (minus the Signature, via the enveloped-signature transform) is what the
     digest covers; the Assertion is protected only as part of that. -->
<samlsig:Reference URI="#_b521e7bc-9917-4c18-7e89-25032fb49278">
<samlsig:Transforms>
<samlsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</samlsig:Transforms>
<samlsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<samlsig:DigestValue>n9fNsHr4zU9oR6Ycjx1jAdzzb64=</samlsig:DigestValue>
</samlsig:Reference>
</samlsig:SignedInfo>
<!-- SignatureValue is broken over three lines; base64 decoders used by
     XML-DSig implementations ignore that whitespace. -->
<samlsig:SignatureValue>YG9ZHBkr5NMm4b5N0NOnasgiLR5U17o9jMTrx6wXtklqx8DxV1uiI7siFRFlsnLy
wk+htqAOhMmTX/pSye6gbIO0xVBNlcRGuMF9uf4CE8dunbQx6cy3nVTKI0MKQtBq
Wpsu6y/v/z/xa+Xg4DDaEprgxi2NwlDOedZ+deUnA54=</samlsig:SignatureValue>
<samlsig:KeyInfo>
<samlsig:X509Data>
<!-- The certificate value as pasted contains a space inside the base64
     ("...DVQQ GEwJ1czET") and the remainder is redacted. NOTE(review): if the
     space is present in the real message rather than a copy artifact, a strict
     base64 decoder will fail on it; confirm against the raw trace. The
     verifier normally matches this certificate against the one registered
     for the IdP rather than trusting the embedded one. -->
<samlsig:X509Certificate>MIICZjCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBQMQswCQYDVQQ GEwJ1czET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</samlsig:X509Certificate>
</samlsig:X509Data>
</samlsig:KeyInfo>
</samlsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<!-- Assertion IssueInstant equals the Response IssueInstant, with seven
     fractional digits. NOTE(review): xs:dateTime allows this, but some
     parsers only accept millisecond precision; worth confirming if parsing
     fails. -->
<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_f7437494-03ce-4eb1-483c-169f43f6e1f7"
Version="2.0"
IssueInstant="2015-10-14T05:42:57.6982498Z"
>
<saml:Issuer>http://104.175.190.209</saml:Issuer>
<saml:Subject>
<!-- Email-format NameID; SPNameQualifier names the Google Apps domain. -->
<saml:NameID SPNameQualifier="google.com/a/wikiplays.org"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
>vince@wikiplays.org</saml:NameID>
<!-- Bearer confirmation: InResponseTo and Recipient repeat the Response's
     InResponseTo and Destination, and the assertion is usable for five
     minutes after IssueInstant. -->
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="ncgobkpepepgfjhanlpafamijhhpklilagehhfee"
NotOnOrAfter="2015-10-14T05:47:57.6982498Z"
Recipient="https://www.google.com/a/wikiplays.org/acs"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- Validity window is IssueInstant minus 5 minutes to plus 5 minutes. There
     is no AudienceRestriction, so nothing in the assertion names the intended
     service provider. NOTE(review): many SPs require an Audience matching
     their entity ID; whether Google does cannot be told from this trace. -->
<saml:Conditions NotBefore="2015-10-14T05:37:57.6982498Z"
NotOnOrAfter="2015-10-14T05:47:57.6982498Z"
/>
<saml:AttributeStatement>
<!-- Single attribute repeating the NameID value as a typed xs:string. -->
<saml:Attribute Name="Email"
FriendlyName="Email Address"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xs:string">vince@wikiplays.org</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>