OneloginPHPSAMLSdk::processResponse() cannot process an encrypted message

Date: 2016-11-02 08:00:24

Tags: php saml onelogin

Question

OneloginPHPSAMLSdk::processResponse() cannot process an encrypted message.

OneloginPHPSAMLSdk::processResponse() successfully processes a signed SAML Response that contains a signed SAML Assertion.

However, if that same signed SAML Response containing a signed SAML Assertion is encrypted, OneloginPHPSAMLSdk::processResponse() fails to process the encrypted SAML Response. In that case the decryption succeeds, but the XML fails validation against saml-schema-protocol-2.0.xsd.

Key points:

Unencrypted message succeeds:

  • The SAML Assertion inside the SAML Response message is signed
  • The SAML Response message is signed
  • The fully signed SAML Response (unencrypted) is processed successfully by OneloginPHPSAMLSdk::processResponse()

Encrypted message fails:

  • The same fully signed SAML Response is encrypted (using the OneLogin online tool) and handed to OneloginPHPSAMLSdk::processResponse()
  • Decryption of the fully signed SAML Response succeeds
  • OneloginPHPSAMLSdk::processResponse() fails to process the decrypted, fully signed SAML Response

Error returned by libxml_get_errors() inside OneloginPHPSAMLSdk::processResponse():

invalid_response - Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd - [{\"level\":2,\"code\":1871,\"column\":0,\"message\":\"Element 'Assertion': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:assertion}Assertion, {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion ).\n\",\"file\":\"\/var\/www\/sso\/app\/root\/\",\"line\":1}]

The unencrypted version of this message validates against saml-schema-protocol-2.0.xsd and is processed successfully.

Here are all the settings used:

x.509 Certs

For testing purposes, the OneLogin online self-signed certificate tool (https://developers.onelogin.com/saml/online-tools/x509-certs/obtain-self-signed-certs) was used to generate the service provider and identity provider x509 certificates:

Identity provider certificate used

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Service provider certificate used:

-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Loaded OneloginPHPSAMLSdk settings:

Array
(
    [strict] => 1
    [debug] => 1
    [sp] => Array
        (
            [entityId] => https://sso.serviceprovider.com/metadata
            [assertionConsumerService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/consume
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                )

            [singleLogoutService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/logout
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [NameIDFormat] => urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
            [x509cert] => -----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
            [privateKey] => -----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM2gwR9LonydhnO3
q/9mNzXcDuM9mn6sO6Unoe9Jhnye+jJJsDLIBU7kDTtDUo4wkNyJgaI2CRy3Hfq4
m2wnBvpJCv2wB11cMNXSG+Uc+T8j5k8iLWXzWMPu5Sv7FUhVPmch6MBWXKpqltab
dgXLA70xUu48NtoZehBfQHVTZRJXAgMBAAECgYA1agzAlGUg+cpzRMLpFSRCWWeE
n/wB67uSqzjlb7P/q0xSw9GBX3QBijvlqRdI2FTI9O83s9GqI+cluc6lyX2GDxWs
2Gzkl6Rb7bxWsXZDNRJEipZHAJTuiPDWpZKyA1q4Erc8UeZt/AIljF31yLiYBf+L
bjegYqrtSiHGtq6QAQJBAPHk2/gP1k/E+0DHlosdCZWar+04IPBkj188Q3NCJ7qJ
8pfYgsQmVUqCbdbG+dzF2FtZe884dwUVYMKTeddzNXECQQDZnn5g9pwnO+uecCZs
Iaw+F79+qPmZobE5iKyGPZmJMKyjVkUiDPNniVFzyfYtECsc1onMOdYsSIlHwebn
5UBHAkEArHiJfq2MGQRSQTYN2NKzasAIgBNtKPoKX9UQIrYgrZh+KFZvpnvOhHnK
50CoFwnZ4ghDhtSzyCQeAZ41WbEDgQJAMc/Gi7lHCu/7QbvX/55Bh8D10y8oWtMY
9tti6iNFdpKOoaCImH+wYz2aSE+tKqltxN8SkY2XiXFdAvDOQrxF1wJAFrzpMLQs
rqOZKRf9uakwDscTwwYauzPfrcikiN9Qd8MA64xG9Z3RUxOq2UkDLZSSKzYMEKMk
Te3+629HzIPTjg==
-----END PRIVATE KEY-----
        )

    [idp] => Array
        (
            [entityId] => https://app.onelogin.com/saml/metadata/123456
            [singleSignOnService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-post/sso/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [singleLogoutService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-redirect/slo/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [x509cert] => -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
        )

    [compress] => Array
        (
            [requests] => 1
            [responses] => 1
        )

    [security] => Array
        (
            [wantMessagesSigned] => 1
            [wantAssertionsEncrypted] => 1
            [wantAssertionsSigned] => 1
            [wantNameId] => 1
            [signatureAlgorithm] => http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        )

    [contactPerson] => Array
        (
            [technical] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

            [support] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

        )

    [organization] => Array
        (
            [en-US] => Array
                (
                    [name] => Service Provider
                    [displayname] => Service Provider
                    [url] => https://serviceprovider.com
                )

        )

)

Signed SAML Response containing the signed SAML Assertion that was used (processed successfully by OneloginPHPSAMLSdk::processResponse())

Signed with https://developers.onelogin.com/saml/online-tools/sign/response using the certificates above.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxa414281f-8c20-d4b9-6cd5-f713aca895e9" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfxa414281f-8c20-d4b9-6cd5-f713aca895e9"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>OH53i4NTaUj8M29kPGDQEZimvGE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>edMuHtgqaRJiAGBUdGCSJiWxQ2CDXi3THKotbgkDhU1uMrD3vxRnopFlaUGFW/3GCt9Q9CScMmkamS2s6JZqo0iGuuzsaIl7NPhM502iHp6BIjinrGARtjOjfamLahVrIGBggvgNbbfzwPKSNCf+T9PNtnWNBwKVNIIHZeNNJ3I=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca" Version="2.0" IssueInstant="2020-06-17T14:54:14Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hRtng2jDhJfDGYAkp6W89Ei96Jc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>fgNDg7BAHZgqtA67png8JVeAciUt9Bfopf/UaFvTN+vOpeK/NsCh6YQ06RBqDOGKpA7X9SiK4olXy8wqUV2wNguP77Q/48DoYoWoG8InlzL2nEFg7tjp5Fp60Ywc+zmiFPD9Xahhvjpo8QVHQbbPAnJFKMa3SFP5zS905BXOOUY=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC6DCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCdXMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAoMDU9uZWxvZ2luIFRlc3QxIjAgBgNVBAMMGXRyaW5ldC1jbG91ZC5vbmVsb2dpbi5jb20xMDAuBgkqhkiG9w0BCQEWIXN1cHBvcnRAdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTAeFw0xNjEwMzEyMzA4NTNaFw0xNzEwMjIyMzA4NTNaMIGQMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UECgwNT25lbG9naW4gVGVzdDEiMCAGA1UEAwwZdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTEwMC4GCSqGSIb3DQEJARYhc3VwcG9ydEB0cmluZXQtY2xvdWQub25lbG9naW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWKr8qxoBEMEb2PuLFVfeT9fM+OKp6IxlrFkewF6KJvTPlIyJDeY6baJ0lFahV1zi14q67iqADIk1fRqe9oMq4ZJLHZpeFazUSxiY56+paC9Tf1WGu2HmDUyxWSh+Sg0SdQQfbEKO0189mYBkcHfrHGD/QBcivsK+Su7xhDzCvaQIDAQABo1AwTjAdBgNVHQ4EFgQUsF7CyLKVc3TUFiRNO9Q6PB90zp4wHwYDVR0jBBgwFoAUsF7CyLKVc3TUFiRNO9Q6PB90zp4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCNqPeaKS0nlUDDCPJExXp2ovCCiNyGA2lSUOYAoBDg1LZrhE44B/KlzO0g2O4bF2nYquGF0xfGqf9M3wNsJIybCR/MrZMZE6AQgMLN8+02QjOX2TMavO8TdYXu/kYLUQGWx0bCUraIIKzE2L7EQR0WLes/hayMx/za9wV4rVMnyA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://sso.serviceprovider.com/metadata" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@testmail.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2040-06-17T14:59:14Z" Recipient="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-06-17T14:53:44Z" NotOnOrAfter="2040-06-17T14:59:14Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.serviceprovider.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-06-17T14:54:07Z" SessionNotOnOrAfter="2040-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@testmail.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Norin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Radd</saml:AttributeValue>
      </saml:Attribute>           
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Encrypted, signed SAML Response containing the signed SAML Assertion that was used (causes OneloginPHPSAMLSdk::processResponse() to fail)

Encrypted with https://developers.onelogin.com/saml/online-tools/encrypt-decrypt/encrypt-xml using the service provider public key.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx5f2c7a86-1714-916f-551a-07250ddd4edd" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx5f2c7a86-1714-916f-551a-07250ddd4edd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>72IRpA9rPgadwFJ2UTi8nGQI/tM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>buqEO/5rw/XqX8TLQ6FmejlxzdN6+DTlK+jRprQnCKOdq4vcykex5lsq1zfLS+SRfU8MYdmBbKSll04u737aMnLCvc1552MXeG55z8JtSVzfaUmNAyfl+QQDLeBSGipMTQm2Wya4VSNYt/SbDkJ1EgRNIla8VXjr3JYgbqh2RfI=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>ke/VijNVVwAgMIRK3jz6jQ/fBMKsVOzbIKtrtoP7bQCm2iZi1UHtZ5rZzdSJgpYP8EEHddqxdv51RCQheBuCpfFjI1GRlk18sbxUkvAQ0qxV45AdBcUecvHRsRFBOl3G9QGEHr3aYD1QqQx+1CBiA+t2RYHKVaJdlX+sVRFBR/Q=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>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</xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>

1 answer:

Answer 0 (score: 1)

When you have a valid SAMLResponse that carries a signature over the whole message and you then encrypt the Assertion element, you modify the XML, so the signature validation will fail.

If you want to generate an encrypted, unsigned Assertion inside a signed whole message, the process is:

  1. Encrypt the Assertion.
  2. Sign the whole message.

The alternative valid SAMLResponse with an encrypted Assertion element is the one whose signature is on the decrypted Assertion. To generate it:

  1. Sign the Assertion.
  2. Encrypt the Assertion.
  3. (Optional) You can also sign the whole message.
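The ordering the answer describes, as an added example that is not code from the question, from php-saml, or from OneLogin: it builds a minimal SAML Response with xmlseclibs (the library php-saml itself builds on), signs the Assertion, encrypts it into an EncryptedAssertion, and only then signs the whole message, so the message digest covers the EncryptedAssertion that is actually sent. It also shows the SP-side message signature check. The file paths, the entity IDs (idp.example) and the NameID value are placeholders I chose; the xmlseclibs calls are the library's own API.

```php
<?php
// Added example (not from the question or php-saml): produce a SAML Response in the
// order the answer recommends, sign the Assertion, encrypt it, sign the whole message
// last, using xmlseclibs, the library php-saml builds on. Assumes Composer's
// autoloader and PEM files at the placeholder paths below.
require __DIR__ . '/vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;
use RobRichards\XMLSecLibs\XMLSecEnc;

const SAML_NS  = 'urn:oasis:names:tc:SAML:2.0:assertion';
const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';

function buildResponse(): DOMDocument
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $resp = $doc->appendChild($doc->createElementNS(SAMLP_NS, 'samlp:Response'));
    $resp->setAttribute('ID', '_r' . bin2hex(random_bytes(8)));
    $resp->setAttribute('Version', '2.0');
    $resp->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z'));
    $resp->appendChild($doc->createElementNS(SAML_NS, 'saml:Issuer', 'https://idp.example/metadata'));
    $resp->appendChild($doc->createElementNS(SAMLP_NS, 'samlp:Status'))
         ->appendChild($doc->createElementNS(SAMLP_NS, 'samlp:StatusCode'))
         ->setAttribute('Value', 'urn:oasis:names:tc:SAML:2.0:status:Success');
    $a = $resp->appendChild($doc->createElementNS(SAML_NS, 'saml:Assertion'));
    // Bind the saml prefix on the Assertion itself: EncryptedData carries the serialized
    // Assertion alone, so a prefix declared only on the Response is unbound after decryption.
    $a->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml', SAML_NS);
    $a->setAttribute('ID', '_a' . bin2hex(random_bytes(8)));
    $a->setAttribute('Version', '2.0');
    $a->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z'));
    $a->appendChild($doc->createElementNS(SAML_NS, 'saml:Issuer', 'https://idp.example/metadata'));
    $a->appendChild($doc->createElementNS(SAML_NS, 'saml:Subject'))
      ->appendChild($doc->createElementNS(SAML_NS, 'saml:NameID', 'user@example.com'));
    return $doc;
}

// Enveloped RSA-SHA256 signature over $node, inserted right after its saml:Issuer child
// (the position the SAML schema requires for ds:Signature).
function signElement(DOMElement $node, string $keyPem, string $certPem): void
{
    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReference($node, XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'ID', 'overwrite' => false]);          // reference the existing ID attribute
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($keyPem);
    $dsig->sign($key);
    $dsig->add509Cert($certPem);
    $issuer = $node->getElementsByTagNameNS(SAML_NS, 'Issuer')->item(0); // first in document order is the direct child
    $dsig->insertSignature($node, $issuer->nextSibling);
}

// Replace saml:Assertion with saml:EncryptedAssertion: AES-128-CBC session key,
// wrapped with RSA-OAEP under the SP's certificate.
function encryptAssertion(DOMElement $assertion, string $spCertPem): void
{
    $doc = $assertion->ownerDocument;
    $sessionKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
    $sessionKey->generateSessionKey();
    $spKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'public']);
    $spKey->loadKey($spCertPem, false, true);

    $enc = new XMLSecEnc();
    $enc->setNode($assertion);
    $enc->type = XMLSecEnc::Element;
    $enc->encryptKey($spKey, $sessionKey);              // xenc:EncryptedKey inside KeyInfo
    $encData = $enc->encryptNode($sessionKey, false);   // xenc:EncryptedData, built in a separate document

    $wrapper = $doc->createElementNS(SAML_NS, 'saml:EncryptedAssertion');
    $wrapper->appendChild($doc->importNode($encData, true));
    $assertion->parentNode->replaceChild($wrapper, $assertion);
}

// SP-side check of the message signature. Works on a clone because
// validateReference() removes ds:Signature from the tree it digests.
function verifyMessageSignature(DOMDocument $doc, string $certPem): bool
{
    $copy = clone $doc;
    $dsig = new XMLSecurityDSig();
    if ($dsig->locateSignature($copy->documentElement) === null) {
        return false;
    }
    $dsig->canonicalizeSignedInfo();
    $dsig->idKeys = ['ID'];
    try {
        $dsig->validateReference();                     // digest over the content as it is now
    } catch (Exception $e) {
        return false;                                   // content changed after it was signed
    }
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
    $key->loadKey($certPem, false, true);
    return $dsig->verify($key) === 1;
}

// Placeholder paths (assumption): IdP signing key and cert, SP encryption cert.
$idpKey  = file_get_contents('/path/to/idp-private-key.pem');
$idpCert = file_get_contents('/path/to/idp-cert.pem');
$spCert  = file_get_contents('/path/to/sp-cert.pem');

$doc       = buildResponse();
$response  = $doc->documentElement;
$assertion = $response->getElementsByTagNameNS(SAML_NS, 'Assertion')->item(0);

signElement($assertion, $idpKey, $idpCert);  // 1. sign the Assertion
encryptAssertion($assertion, $spCert);       // 2. encrypt it: Assertion becomes EncryptedAssertion
signElement($response, $idpKey, $idpCert);   // 3. sign the whole message last, so its digest
                                             //    covers the EncryptedAssertion actually sent
echo $doc->saveXML();
var_dump(verifyMessageSignature($doc, $idpCert));
```

Swapping steps 2 and 3 (signing the Response first and encrypting the Assertion afterwards, which is what the online tools do when run in that order) makes verifyMessageSignature() fail at validateReference(), because the Response digest was computed over a saml:Assertion child that no longer exists; that is the modification the answer points out. Declaring xmlns:saml on the Assertion itself guards against a separate pitfall with encrypted fragments: an element that comes back from decryption without its namespace binding is reported by libxml as a bare 'Assertion' rather than {urn:oasis:names:tc:SAML:2.0:assertion}Assertion, which is the form the schema error quoted in the question has, so checking the decrypted fragment's namespace declarations is a useful first step when the decryption itself succeeds but schema validation fails.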