Question

我正在实施Single Sign On解决方案的服务提供商方面。我们正在使用PHP和Onelogin提供的samlphp库。一切都很顺利。用户可以尝试访问我们的服务并重定向到IDP登录。一旦他们登录，他们就会被重定向回我们的网站。

这是问题发生的地方。回到我们的网站后，我们收到了错误...

<Entry reference="REF_56dea40aa6419" TimeStamp="2016/03/08 12:06:02" Category="Exception" Type="Error"><![CDATA[

Description         Failure decrypting Data
File  Library/SSO/OneLogin/extlib/xmlseclibs/xmlseclibs.php
Line                357
Class               Exception
Stack               

UI                  Business console
User                -
Code                0
When                2016/03/08 12:06:02
URL called          https://stage.icky-yuk.co.za/?acs
Referred by         https://signon.blarg.co.za/adfs/ls/?SAMLRequest=hVNdrxIxEH038T%2BQfWc%2FgYsNYBD8IEEggD74YsZ2gCbddu10vVx%2Fvd2l5KJR7MsmM3NOzzmdHRGUqmLT2p30Fr%2FXSO7li44%2F51JpYm13HNVWMwMkiWkokZjjbDf9uGR5nLLKGme4UdGfuPswIELrpNEBt5iPo%2FXq7XL9frH6iv2ByDjvwzDvYZr3Hl7lw%2F6gKHp9gCLvpUWRP4iC5wH7GS15pnHkiX0pEBLVuNDkQDvfSbNBNy266XCfpSwdsDT7EtBz71lqcC3DybmKWJKQPGqjY6NEWbsaVMxN%2FBMSEAdKFCUBugne30gtpD7ed%2FztMkTsw36%2F6W7Wu31gmV6jmBlNdYl2h%2FaH5Phpu7wR5OCIsbHyKDU9kcOSgqbXwCmaXKhGTfCstW4n%2F4eW6ECAg7g6VaPkFntDV7GV97KYb4yS%2FOnSaM47Y0tw%2F%2FacxVlbkaJ7aEcZliDVVAiLRNEz0VQp8zizCA7HkbM1Rp3kdwFhM1G0e%2Bpjcnh2nZkpK7CSmnfDM3B3TeE5idv5mfI7t8XD5O5acsabOV%2Fe%2BM%2BjsaJ5ZOT%2B8r0FTZWxLkT1V%2FKgO7kj3M9c%2B7f%2F3eQX&RelayState=https%3A%2F%2Fstage.icky-yuk.co.za%2F
]]></Entry>

我们正在使用SAML工具包的元数据如下。它采用数组形式，但我将它编成json编码，因此更容易阅读。

{
    "sp": {
        "entityId": "https:\/\/stage.icky-yuk.co.za\/metadata.php",
        "assertionConsumerService": {
            "url": "https:\/\/stage.icky-yuk.co.za\/?acs"
        },
        "singleLogoutService": {
            "url": "https:\/\/stage.icky-yuk.co.za\/?slo"
        },
        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    },
    "idp": {
        "entityId": "http:\/\/signon.blarg.co.za\/adfs\/services\/trust",
        "singleSignOnService": {
            "url": "https:\/\/signon.blarg.co.za\/adfs\/ls\/",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "singleLogoutService": {
            "url": "https:\/\/signon.blarg.co.za\/adfs\/ls\/",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "x509cert": "MIIC6DCCAdCgAwIBAgIQWs7JU0DcbYBHCIni\/zAt\/jANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBzaWdub24ub2xkbXV0dWFsLmNvLnphMB4XDTE1MDkyMzEzMTIzNloXDTE2MDkyMjEzMTIzNlowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gc2lnbm9uLm9sZG11dHVhbC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALlEeD4FX2CxAjacT+EJKbOFcAy604yvSPjy2NjKhjqGBeiJ4NLP4YKU28cEVa11IjqN18GE7bsk8wmA6yXEcAXgJs869fj1ZIXXil06DMSB4eUD0CaERpUSt7o6JR15kdmOEHq9tQp\/rAYoux3rSKBjmdZQlYeUTe13jfabrov3ftvWX6lTOUpZuJ2t61yCyxNNMN9pp0RlfYP8M03kq2boAoUxbYSxf\/Kpli0HrkRxtBaBiwy9TyVNjyY39ItHgAr\/gUA4vnAZj0kmSZwAc7gS6IXVbqo0A50yARzz\/6yrvMhkiFaJxFhwqck2hvoBWKwVBSSjozmDYw++gNUstj0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEArSA6CrhdDvJXX120n0RJesumZAGHWBdb9NpE8p6hBq5gE0BcJm8lp\/PvgAyY+ZkZVpQEXv05q4po4FkkV2NcsyLHWzZ3S\/7OrleblqUIGm83a9o9mko6RuPrxdVpiwnatDAdV8gzebcr2OvedXGvkNJryblxkW7Gepoh8iPo9pFQ78NMoTGia+eLb+PtkuSV5yqtSSi9ggk8mdO+L9rZxrc9Uvkod+FLbtFg0DClsN5b3qvzd00UDmmbQfvSVGB40UGC5KqmJGSXrXSk6jUokm+h2VOUNSDyArMuiRtyFNrfY8GrWCc5Kz\/3ACuzEEhhTwD+67+qJH5jDD7KTDPQ\/w=="
    }
}

我已经仔细检查了x509认证，这很好。我承认，在任何想象中，我都不是SAML或单点登录专家。我显然在这里忽略了一些东西。除了证书之外，加密还有其他一些组件吗？我不知道在哪里看。

Answer 1

如果IdP正在发送加密的SAML响应，为什么在提供的设置的“sp”部分没有公共证书私钥？： 'x509cert'和'privateKey'

或者您将它们定义为cert文件夹中的文件？

SP x509cert必须与IdP共享才能加密断言（SP将使用SP私钥解密）。

P.S我无法解码SAMLRequest，但似乎是LogoutRequest ..与所收到的SAMLResponse无关。

单点登录SAML服务无法解密

1 个答案: