AuthenticationServiceException:验证SAML消息时出错:: AuthNResponse; FAILURE;响应具有无效的状态代码:状态消息为空

时间:2017-05-03 11:40:39

标签: spring-security saml adfs spring-saml

我正在尝试使用ADFS配置Spring SAML扩展。

我收到消息 - 状态消息为空。最后提供了详细的日志。

我在stackoverflow上经历了类似的帖子。他们建议在ADFS服务器上启用RSA1。

org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null

Issues while integrating ADFS with Spring SAML Extension

我的日志似乎有RSA1正常,服务器上的设置相同。

注意

  1. 服务器证书是自签名的。
  2. 服务器上有发夹并且有设置主机文件条目以解决此问题。

    3. 修改1:

    1. IdP启动单点登录正在运行。但是,只有SP启动的登录才会发生错误。此外,在ADFS服务器端没有观察到日志

      2. 日志 

      DEBUG DigesterOutputStream:55 - Pre-digested input:
DEBUG DigesterOutputStream:60 - <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://mysite-dev:443/empdServer/saml/SSO" ID="_4fba4628-a5d1-4fb6-85d4-f9366db2385a" InResponseTo="a4g74i6f5sdi3ebg778g3f4jab0j9c" IssueInstant="2017-05-02T14:28:51.502Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.myserver/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode></samlp:Status></samlp:Response>
DEBUG Reference:784 - Verification successful for URI "#_4fba4628-a5d1-4fb6-85d4-f9366db2385a"
DEBUG Manifest:344 - The Reference has Type 
DEBUG SignatureValidator:70 - Signature validated with key from supplied credential
DEBUG BaseSignatureTrustEngine:148 - Signature validation using candidate credential was successful
DEBUG BaseSignatureTrustEngine:101 - Successfully verified signature using KeyInfo-derived credential
DEBUG BaseSignatureTrustEngine:102 - Attempting to establish trust of KeyInfo-derived credential
DEBUG ExplicitKeyTrustEvaluator:91 - Successfully validated untrusted credential against trusted key
DEBUG BaseSignatureTrustEngine:104 - Successfully established trust of KeyInfo-derived credential
INFO  SAMLProtocolMessageXMLSignatureSecurityPolicyRule:129 - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
DEBUG SAMLProtocolMessageXMLSignatureSecurityPolicyRule:131 - Authentication via protocol message signature succeeded for context issuer entity ID http://adfs.myserver.com/adfs/services/trust
DEBUG BaseMessageDecoder:85 - Successfully decoded message.
DEBUG BaseSAMLMessageDecoder:191 - Checking SAML message intended destination endpoint against receiver endpoint
DEBUG BaseSAMLMessageDecoder:210 - Intended message destination endpoint: https://mysite-dev:443/myapp/saml/SSO
DEBUG BaseSAMLMessageDecoder:211 - Actual message receiver endpoint: https://mysite-dev/myapp/saml/SSO
DEBUG BaseSAMLMessageDecoder:219 - SAML message intended destination endpoint matched recipient endpoint
DEBUG SAMLUtil:349 - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@4189c9e9 for request URL https://mysite-dev/myapp/saml/SSO based on location attribute in metadata
DEBUG ProviderManager:162 - Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
DEBUG SAMLAuthenticationProvider:98 - Error validating SAML message
  org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1519)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1475)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
2017-05-02 07:28:51 INFO  SAMLDefaultLogger:127 - AuthNResponse;FAILURE;1x.1x.1x.1x;urn:myapp.mysite;http://adfs.myserver.com/adfs/services/trust;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1519)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1475)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)

DEBUG SAMLProcessingFilter:350 - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
DEBUG SAMLProcessingFilter:351 - Updated SecurityContextHolder to contain null Authentication
DEBUG SAMLProcessingFilter:352 - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@20088b6d

1 个答案:

答案 0 :(得分:0)

错误发生在AD FS端。您的日志仅报告AD FS报告错误。

您应该查看AD FS事件日志,以查看应用程序和服务\ ad fs \ admin事件日志中的内容。

如果IDP启动登录工作,则意味着SP方具有与AD FS相对应的正确详细信息。您只需要确保AD FS根据您在AD FS端配置的内容接收请求。

https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(v=ws.10).aspx应该有帮助。

相关问题
最新问题