SAML邮件签名错误

时间:2016-04-10 07:55:11

标签: meteor adfs2.0

我有一个运行在Windows Server 2012 r2上的流媒体应用程序,iis 8.5作为我的应用程序的反向代理(也尝试使用nginx的ubuntu),我正在尝试使用saml对ADFS 2.0进行身份验证。

我一直收到以下错误:

Event 303, AD FS 2.0
The Federation Service encountered an error while processing the SAML authentication request. 

Additional Data
Exception details:
MicrosoftidentityModel.Protocols.XmISignature.SignatureVerificationFailedException: M5I50038: SAML Message has wrong signature. Issuer:
at MicrosoftldentityServer.Protocols.Saml.Contract.SamIContractUtility,CreateSamIMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.Sam1Protocol.Sam1ProtocolService.CreateErrorMessage(CreateErrorMe.ssageRequest
createErrorMessageRequest)r
at Microsoft.IdentityServer.Service.Sam1Protocol.SarnIProtocolService.ProcessRequest(Message requestMessage)
Log Name:
AD FS 2.0/Admin
Source:
AD FS 2.0
Logged:
10/04/2016 09:0S:1
Event ID:
303
Task Category:
None
Level:
Error
Keywords:
AD F
User:
NETWORK SERVICE
Computer:

我尝试根据https://social.technet.microsoft.com/Forums/en-US/4acc04b7-aac7-43e9-ba50-9570503045f9/msis0038-saml-message-has-wrong-signature?forum=windowsazureaditpro

安装kb2896713

不幸的是,到目前为止没有运气。

有人有任何想法吗?问题的根源是什么?

修改

这是我使用的开源:Rocket.Chat https://github.com/RocketChat/Rocket.Chat/tree/develop/packages/meteor-accounts-saml

1 个答案:

答案 0 :(得分:0)

  1. 我建议使用此工具生成证书,密钥https://www.samltool.com/self_signed_certs.php
  2. 您可以在https://www.samltool.com/validate_logout_req.php
    3. 处签名验证您的请求
  3. 编码/解码网址http://meyerweb.com/eric/tools/dencoder/
    4. 的工具
  4. 安装SAML跟踪器以查看Firefox https://addons.mozilla.org/ru/firefox/addon/saml-tracer/
    5. 上的SAML请求/响应
  5. 解码/编码SAML消息的工具https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php

    6. SAML.prototype.requestToUrl = function(请求,操作,回调){

    console.log("requestToUrl:");
request = request.replace(/(\r\n|\n|\r)/gm,"");
console.log("Logout request:" + request);

var self = this;
var result;
zlib.deflateRaw(request, function (err, buffer) {
if (err) {
    return callback(err);
}

var base64 = buffer.toString('base64');
var target = self.options.entryPoint;

if (operation === 'logout') {
    if (self.options.idpSLORedirectURL) {
    target = self.options.idpSLORedirectURL;
    }
}

if (target.indexOf('?') > 0)
    target += '&';
else
    target += '?';

var samlRequest = {
    SAMLRequest: base64
};

var relayState;

// TBD. We should really include a proper RelayState here
if (operation === 'logout') {
    relayState = self.options.issuer;
} else {
    relayState = self.options.provider;
}

// URL Encode the bytes
var encodedRequest = encodeURIComponent(base64);
console.log("encodedRequest:"+encodedRequest);
var encodedRelayState = encodeURIComponent(relayState);
var finalSignatureValue = "";

var encodedSigAlg = encodeURIComponent("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
var strSignature = "SAMLRequest=" + encodedRequest.replace(/(\r\n|\n|\r)/gm,"");
strSignature += "&RelayState=" + encodedRelayState;
strSignature += "&SigAlg=" + encodedSigAlg;

var signer = crypto.createSign('RSA-SHA1');
signer.update(strSignature);
var signature = signer.sign(self.options.privateKey, 'base64');
console.log("signature:" + signature);

var b = new Buffer(signature);
var s = b.toString('base64');
var encodedSignature = encodeURIComponent(signature);
console.log("encodedSignature:" + encodedSignature);

var finalSignatureValue = "&SigAlg=" + encodedSigAlg + "&Signature=" + encodedSignature;

target += "SAMLRequest=" + encodedRequest.replace(/(\r\n|\n|\r)/gm,"");
target +="&RelayState=" + encodedRelayState;
target += finalSignatureValue;


if (Meteor.settings.debug) {
    console.log("requestToUrl: " + target);
}
if (operation === 'logout') {
    // in case of logout we want to be redirected back to the Meteor app.
    result = target;
    return callback(null, target);

} else {
    callback(null, target);
}
});

    }

相关问题
最新问题