I am developing a Play application that uses pac4j for SAML authentication. I have set up a Shibboleth-based IdP, which works fine with several SPs. I based the Play application on the pac4j demo, which works with openidp-feide but fails against my Shibboleth IdP. I generated the keystore as instructed and configured the IdP metadata in the application. The request goes through fine and I am prompted with the authentication page. The problem occurs once I enter my credentials and the response comes back to the Play application. The error message I get is as follows
[debug] - org.apache.xml.security.signature.Reference - Verification successful for URI "#_3b44b10eeb4a12dcf2abfe318a01885e"
[debug] - org.apache.xml.security.signature.Manifest - The Reference has Type
[debug] - org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl - Signature validated with key from supplied credential
[debug] - org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
[debug] - org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
[debug] - org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
[debug] - org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to establish trust of KeyInfo-derived credential
[debug] - org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
[debug] - org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine - Attempting to verify signature using trusted credentials
[debug] - org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine - Failed to verify signature using either KeyInfo-derived or directly trusted credentials
[error] - play.core.server.netty.PlayDefaultUpstreamHandler - Cannot invoke the action org.pac4j.saml.exceptions.SAMLException: Signature is not trusted
at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSignature(SAML2DefaultResponseValidator.java:690) ~[pac4j-saml-1.8.3.jar:na]
at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validateSamlProtocolResponse(SAML2DefaultResponseValidator.java:206) ~[pac4j-saml-1.8.3.jar:na]
at org.pac4j.saml.sso.impl.SAML2DefaultResponseValidator.validate(SAML2DefaultResponseValidator.java:144) ~[pac4j-saml-1.8.3.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOMessageReceiver.receiveMessage(SAML2WebSSOMessageReceiver.java:96) ~[pac4j-saml-1.8.3.jar:na]
at org.pac4j.saml.sso.impl.SAML2WebSSOProfileHandler.receive(SAML2WebSSOProfileHandler.java:55) ~[pac4j-saml-1.8.3.jar:na]
at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:246) ~[pac4j-saml-1.8.3.jar:na]
at org.pac4j.saml.client.SAML2Client.retrieveCredentials(SAML2Client.java:75) ~[pac4j-saml-1.8.3.jar:na]
at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:191) ~[pac4j-core-1.8.3.jar:na]
I have checked the response that Shibboleth is sending, and it is clearly signed with the same certificate configured in the SP metadata. I have also checked that the IdP's signing certificate is the same as the signing certificate provided in the IdP metadata.
The SAML response from Shibboleth is as follows
2016-01-24 23:47:12,017 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:198] - Marshalling and Base64 encoding SAML message
2016-01-24 23:47:12,024 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:220] - Setting RelayState parameter to: 'myappidp', encoded as 'myappidp'
2016-01-24 23:47:12,040 - DEBUG [PROTOCOL_MESSAGE:70] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
Destination="http://lms.myapp.in/auth/complete/tpa-saml/"
ID="_51e20c09b33474416b337650cea49879"
InResponseTo="ONELOGIN_3873668f77ebeefc8e0f4011223f8877d98b17db"
IssueInstant="2016-01-24T18:17:11.804Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.myapp.in/idp/shibboleth</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
URI="#_51e20c09b33474416b337650cea49879">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>nuS/WnS4LarO4u0tcLy99kbZwXVk9RG/fD8ooZi/Mbs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
kaESN6JGaUfMs1SbAr1BsmJCD/2kddZFCarJcO1jmULQJHrqfRkBrnaqQeFT129+jKXqksxSdv0C
nSENGWDVJS+A2KCJn7MzJdMjUTokJEf6M76dKycYD9/W0zQFKG6FFcCUReeH/GZm9iezCyP9C4Wc
qpeaC+2po61TTQ82OtGh3pIvZ2bUcDmbU/UWBbUX1EJv7twvCayW5+jlIfIWjZjpt73PqtvwMxht
IT9vwcme5i6NYZTxYlJ9w2wvIFLXInLOM73pD+TG4eEZtONeztW+BGgGZ5McJdpPMnkiNouOo+WA
B77yGBq8w+ubIIlxPU5ASv5r/YqxOPJyZZIhEw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDMzCCAhugAwIBAgIUf9lIsNpjiw9W3K/sv9ZtXwDb5PkwDQYJKoZIhvcNAQELBQAwHDEaMBgG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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Id="_53e9ea4d7ce2e06dd7dc5f447e03f248"
Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey
Id="_1f15b021e3b9352a57cc33a7ef00626e"
Recipient="http://lms.myapp.in/saml" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIEBzCCAu+gAwIBAgIJAKFBsY8ExEytMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYDVQQGEwJJTjEL
MAkGA1UECAwCS0ExEjAQBgNVBAcMCUJhbmdhbG9yZTESMBAGA1UECgwJUmFpbkNsb3VkMQswCQYD
VQQLDAJJVDEbMBkGA1UEAwwSbG1zLmFzc2Vzc3JpdGUuY29tMSswKQYJKoZIhvcNAQkBFhxqZXJy
eWt1cmlhbkB0ZWFtcmFpbmNsb3VkLm9tMB4XDTE1MTAwNTE4MDUwN1oXDTI1MTAwNDE4MDUwN1ow
gZkxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJLQTESMBAGA1UEBwwJQmFuZ2Fsb3JlMRIwEAYDVQQK
DAlSYWluQ2xvdWQxCzAJBgNVBAsMAklUMRswGQYDVQQDDBJsbXMuYXNzZXNzcml0ZS5jb20xKzAp
BgkqhkiG9w0BCQEWHGplcnJ5a3VyaWFuQHRlYW1yYWluY2xvdWQub20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQChj08jTkeW2JpUeIFSm8vVjtSkOtKHPsjHuKTEvSHY1ms2+bKPOvZr
lRAsVnRZxFBG95hQe5/SLGvX2K58dbKb/T1AVxDdn6l/v2wfPyVhIlRFvc4S1nDnrdGTMnA6jLuR
r7dtUkMS7UiuT+riVxH9S4Mdj6q5Yo2hI0tIDSSSlD/wxDeN6siyU0uLRbt/cxHjphGNx8aU59in
BDfiKd8M8y1wDmzUxALYgohIKJWugblFOxcTFkU6fdTlOyw6uxKdyo8wT0Cf2K9u9uXM47Xkc5/O
RCrKKL2KduWOekKSrTWZ8gswWIAb1QEOkBbkasvoFepVmsazoF7WxBShXhILAgMBAAGjUDBOMB0G
A1UdDgQWBBRCd7MD6nA1pdlwSeLASZ+VJ8g0SjAfBgNVHSMEGDAWgBRCd7MD6nA1pdlwSeLASZ+V
J8g0SjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBPj0rv+GLPB51+0w8gcLzR38vb
Byd2rpSFy3H+5gNjMBXo4hDqip4VCarvYNHH2UX0P87mprdryakdF+woLgTuZg0RPqlyaeNvMECC
osyo9hmY+MFIPZXECASu96FKh6IhWMXdljEcUCjQo06xrFEMKS4NVrIJMasRcPg3KO+VZ55Zn3hB
OANDcXqT6X0o4ml5ZvsRDs+Yk4b4DTVzGrErz2/AKcKdyjNUnAA9UNBe1aQXiJ4HGGyOPAfxwJnt
DgSGiHnk3B8ru3c5sDICxjVyebgtJFa/Q0AeTy9gPAVLWKp6Y4kcincl5T00j0IWchM/fNsXiViL
NRoMrvixc9eU</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>Ewo8Qu6Wq/rDo06DoiiTkyIx8FJTio1gltDg1rz9x+R6hHkXuJKJupTHF4Idk2K3CoF8uwFPDPNp
f95/EOzYfWAVMI8VDH1hv8DCez+ArKLIcqYywgZc2zRk4ZETSLkIznzemqF8fiCpD/F+jQhFz0xX
o5YA0jkOUel25iW7+3VvPOWwXmJBZrZn3kmTmoM3wiC5DQQnkOoJJFDUNLSax8ptKn8CiQfQeiG1
/2EyTBIW+EKvrahCVjyE8k5sbeXlRY3YIsX8ep0tY9QbMEZkyOD4E4DNpXJqsNBBsEsrpW6+nnQJ
3Chx8ofq1eAWeT+bVa+fLkx2BiNWrQicEhfDPg==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>ad2hJpuF+fEwR0CjvpZkNvOhk5jvEjz55UvpeUWyBHxVLK2Loo2GvUCTZIOmQMNfcovK19BPAjZd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</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedAssertion>
</saml2p:Response>
The SAML response received on the Play side is as follows
[debug] - org.apache.xml.security.signature.Manifest - verify 1 References
[debug] - org.apache.xml.security.signature.Manifest - I am not requested to follow nested Manifests
[debug] - org.apache.xml.security.utils.ElementProxy - setElement("ds:Reference", "")
[debug] - org.apache.xml.security.utils.ElementProxy - setElement("ds:Transforms", "")
[debug] - org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2001/04/xmlenc#sha512
[debug] - org.apache.xml.security.utils.resolver.ResourceResolver - I was asked to create a ResourceResolver and got 0
[debug] - org.apache.xml.security.utils.resolver.ResourceResolver - check resolvability by class org.apache.xml.security.utils.resolver.ResourceResolver
[debug] - org.apache.xml.security.utils.resolver.implementations.ResolverFragment - State I can resolve reference: "#_3b44b10eeb4a12dcf2abfe318a01885e"
[debug] - org.apache.xml.security.utils.resolver.implementations.ResolverFragment - Try to catch an Element with ID _3b44b10eeb4a12dcf2abfe318a01885e and Element was [saml2p:Response: null]
[debug] - org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
[debug] - org.apache.xml.security.transforms.Transforms - Perform the (0)th http://www.w3.org/2000/09/xmldsig#enveloped-signature transform
[debug] - org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
[debug] - org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input:
[debug] - org.apache.xml.security.utils.DigesterOutputStream - <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://portal.myapp.in/callback?client_name=SAML2Client" ID="_3b44b10eeb4a12dcf2abfe318a01885e" InResponseTo="_ryoorwhqkqx08jkedtd54lx4ar5ebfgwryqn5bz" IssueInstant="2016-01-24T18:16:25.262Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.myapp.in/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_1d9472da7abbc00140a313b15b4a6874" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_d87aeb230d3dc2281f31f0ad9df7bfee" Recipient="http://portal.myapp.in/saml"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDhjCCAm6gAwIBAgIEVqTnkzANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCSU4xCzAJBgNV
BAgTAktBMRIwEAYDVQQHEwlCYW5nYWxvcmUxEjAQBgNVBAoTCVJhaW5DbG91ZDEWMBQGA1UECxMN
UmFpbkNsb3VkIERldjEoMCYGA1UEAxMfaHR0cDovL3BvcnRhbC5yYWluY2xvdWQuaW4vc2FtbDAe
Fw0xNjAxMjQxNTAyNDNaFw0yNjAxMjExNTAyNDNaMIGEMQswCQYDVQQGEwJJTjELMAkGA1UECBMC
S0ExEjAQBgNVBAcTCUJhbmdhbG9yZTESMBAGA1UEChMJUmFpbkNsb3VkMRYwFAYDVQQLEw1SYWlu
Q2xvdWQgRGV2MSgwJgYDVQQDEx9odHRwOi8vcG9ydGFsLnJhaW5jbG91ZC5pbi9zYW1sMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAswYEntA5SkySM0F4bLhAAwP/UwBH8R6q+nWPGOUk
EZBZ0t1HVEV5U4IRsNzxRCWE+qmNmmhjuYoi4xABTz3dxdS3iHyqBz96/aydNbHoc0g1Yv5XPmNJ
CH+z+atJPMTatQd8zOfeFmueBXM1YYSIzjiJEI6RFAKM8qPzgpMU6TZV+fsHQCkhsDyHBO4PS120
trCskm4x5gOYw4hJBkL7t7WWSJQOVl8TsmfYtHZXErV3f/E9USCb52SFpNrc2nSLarSoqvu59156
TfoKu86gYhKJnGm8wx/cURA8fC9JsQCL/GaHe5rzvby63lLQUVsfK2cQW7O2yJE+6gfaWFlTOwID
AQABMA0GCSqGSIb3DQEBBQUAA4IBAQAKzPLph0TK+MSpya1P7cD8EsO7d8C+xH0Rn07C5/ieYYrp
0yNispd6FfegaxBPk7tmIWeAlfviEGSLZqXlW/bPQrL1oOASB++LiGoTedj2lPjnsygvu1B8v6ze
6vi8+yJy1vhg9k94ll5+3w8jG7uFZhodXzChjiTeC948mqeI+27CJglsH4M1YddmdBz1oaEhBb/8
Y00zMipDdX9p/wW20wGyWVt1a3VLtHX02bbb70vp5/TnECimU8GvUr2Ku2zrdRrc39PAXH2RT8n8
B7kbwRQ0I+0PGc8jaf/gSKXEpUzjTGBjya2pHV51qSgAR+nBErgZJTsJQuDsnBrS6OmF</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>LjiZaaGgldyQS4AJ3y2sJbbnQHF+4epKHQ9kUiGdOphITxClArrqpSUXO+9DlQnhfLLhvfk+yBkg
OyTkMhTq+UA9oTKTGLDRkwwAnhRiaILfIW3ajTMXsfE0SBJFBnhoWERyk0EMppPa+2Q3d+ErxJGS
0RA14nOfweNtX8S/Utl1uwoewFnIjobSVxHbwQB3ARxK92nXfJnRNEDaAVp73MPkhib9n51GlVNt
yjyqN+YuM1MHbfxZxN7KMvtcborhCz2oyhfq9ZSVkJA0nO+mSWZkiuF0fBG2TwrbABd/zecTTy/U
lGUR4AkqpFfuMvL3KouOrJHVrQ4ipZGw8BA7oQ==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>zW0B1jmTWtbx6GDm/l6hzErGhDDE+I9tnsWIWjvlmsIw2s9lbEji/+BAJs7WN1pIfds06oIPT+1A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=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>
Really not sure what I'm doing wrong here. Any help on this is appreciated.
Answer 0: (score: 0)
You need to import the IdP's certificate into the keystore. keytool should ask whether you want to trust the certificate, and you answer "yes" (after visually verifying the fingerprint, of course).
The certificate is also in the IdP metadata XML file that you should have (they should match).
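The log in the question shows the two distinct steps pac4j/OpenSAML performs: the signature verifies fine with the certificate carried in the Response's own KeyInfo, and then "Failed to establish trust" because that certificate is not among the trusted signing credentials. The check below, an added example that is not part of the original question or answer and not pac4j or Shibboleth code, does the trust half of that comparison by hand: it pulls the X509Certificate out of the Response signature, pulls the `use="signing"` certificates out of IdP metadata, and compares SHA-256 fingerprints in the same colon-separated hex form keytool prints, so the value can be checked against keytool's prompt before answering "yes". The certificate bytes, entity IDs and XML skeletons are constructed stand-ins, not real X.509 data or the poster's files.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
IDP_SIGNING_CERT_DER = b"constructed-idp-signing-cert-bytes"
STALE_CERT_DER = b"constructed-stale-or-unrelated-cert-bytes"


def b64(der: bytes) -> str:
    return base64.b64encode(der).decode()


def make_response(cert_der: bytes) -> str:
    """Constructed Response skeleton mirroring the Signature/KeyInfo layout in the question."""
    return f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64(cert_der)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</saml2p:Response>"""


def make_idp_metadata(cert_der: bytes) -> str:
    """Constructed IdP metadata with one signing KeyDescriptor (entityID is a placeholder)."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>{b64(cert_der)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, formatted like keytool's fingerprint line (AB:CD:...)."""
    der = base64.b64decode("".join(cert_b64.split()))  # certs are usually line-wrapped
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def response_signing_fingerprint(response_xml: str) -> str:
    """Fingerprint of the certificate the IdP embedded in the Response's own signature."""
    root = ET.fromstring(response_xml)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no X509Certificate in the Response signature KeyInfo")
    return fingerprint(cert.text)


def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of the certificates the IdP metadata declares for signing.

    KeyDescriptor without a 'use' attribute covers both signing and encryption;
    'encryption'-only keys are not trust anchors for signature validation."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text:
                fps.add(fingerprint(cert.text))
    return fps


def signing_cert_is_trusted(response_xml: str, metadata_xml: str) -> bool:
    """True when the Response's signing cert is one the metadata declares for signing.

    A False here is the same situation as the 'Failed to establish trust of
    KeyInfo-derived credential' line in the question's log."""
    return response_signing_fingerprint(response_xml) in metadata_signing_fingerprints(metadata_xml)


if __name__ == "__main__":
    metadata = make_idp_metadata(IDP_SIGNING_CERT_DER)
    for label, der in (("matching", IDP_SIGNING_CERT_DER), ("stale", STALE_CERT_DER)):
        resp = make_response(der)
        print(f"{label}: response cert {response_signing_fingerprint(resp)}")
        print(f"  trusted by metadata: {signing_cert_is_trusted(resp, metadata)}")
```

Against real files, replace the constructed XML with the Response captured from the browser POST and the IdP's metadata.xml; the fingerprint printed for the Response certificate is the one to compare with keytool's prompt during import. If the two fingerprints differ, the IdP is signing with a key that the SP's trust store and metadata do not know about, and no keystore import of the metadata certificate will fix it until the metadata is refreshed.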