SAML响应和断言是签名/未签名的?

时间:2016-07-22 10:22:03

标签: security spring-security saml spring-saml

我已成功部署并运行spring saml示例。从下面显示的SAML响应(IdP - > SP),可以确定是否:

  1. SAML回复是签名还是未签名?
  2. 断言是否加密? (我猜它是加密的)
  3. 断言是签名还是未签名?
    4. 
    <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://MY_SP/spring-security-saml2-sample/saml/SSO" ID="_22bf0c00-9cfa-5dbb-7af7-d34eec7d9b6f" InResponseTo="we3977191e5g4try1b3g52j4f84e43f" IssueInstant="2016-07-22T08:22:41.568Z" Version="2.0">
       <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://MY_ADFS_SERVER/adfs/services/trust</Issuer>
       <samlp:Status>
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
       </samlp:Status>
       <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
          <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                   <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                   </e:EncryptionMethod>
                   <KeyInfo>
                      <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                         <ds:X509IssuerSerial>
                            <ds:X509IssuerName>CN=apollo, OU=R&amp;D, O=RM5 Software Oy, L=Helsinki, S=Uusimaa, C=FI</ds:X509IssuerName>
                            <ds:X509SerialNumber>2343092425</ds:X509SerialNumber>
                         </ds:X509IssuerSerial>
                      </ds:X509Data>
                   </KeyInfo>
                   <e:CipherData>
                      <e:CipherValue>Mpz3raT40LBmwUfzz+a52+ryijTMqVqtnk8T2YOJ27Xs/dS
    jMZHShDfMGsD1wwXb2a2jGjpjCLgLWsZ1t8LWgxevSbmTZuGGSfAMhfdOwmJMijRYdKrHdiyn+syFUof
    0MDMykI135ulCL9MGWVUvR1pNz+W+tZzQKcQ+is6USH4OGnUKiMSaow==</e:CipherValue>
                   </e:CipherData>
                </e:EncryptedKey>
             </KeyInfo>
             <xenc:CipherData>
                <xenc:CipherValue>iefcMnnYFLtb
    EObkQpItoZk4tRuMDX9dqt1DucK91ZZRigHeQ2DuUYe2FZpGtQ2vFVtS2ycXSnVR2V4wx4Vd2VeR/G3I
    GHkqQ9GtOxv8RvkRtEbJTptmjoMT1t7ZNE4tn+hDmzMMK7Xy9f+xkk/z5IHvNKlscnsG/wXoRuMykKnJ
    tODd0ILiVF/ygQqY477lxVFDlaa4HH/rcx+DZOcDFiFjiuLj41dF1rdG90XCmWvr2BfUTzYl3SHakoyK
    AmmgesyCJQcHN54ckFiO/wvLttw09wdvC4sg92xlhhfGtQqMuvfT7YESOvHnC1FOEsf4CjoMaByZjwN2
    QBRHPRJTBPjwmfVgTk+g==</xenc:CipherValue>
             </xenc:CipherData>
          </xenc:EncryptedData>
       </EncryptedAssertion>
    </samlp:Response>

    从我的SP服务器的调试日志中,在解析上述SAML响应之后,可以看到下面的内容。这使我对消息和/或断言是否未签名感到困惑。

    - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
- Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
- HTTP request was not signed via simple signature mechanism, skipping
- SAML protocol message was not signed, skipping XML signature processing
- Successfully decoded message.

1 个答案:

答案 0 :(得分:0)

  1. SAML回复未签名。
  2. SAML断言已加密。 (你可以看到&#34; EncryptedAssertion&#34;)
  3. SAML断言未签名。

    4. 尝试设置WantAssertionsSigned =&#34; true&#34;在您的SP元数据中,与IdP交换并检查您是否收到签名的SAML响应。

    参考:http://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html

相关问题
最新问题