我在 WSO2 API Manager（端口 9445）上配置“OAuth 2.0 的 SAML2 Bearer Assertion Profile”（grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer）时遇到问题：令牌端点返回 invalid_grant，调试日志显示 SAML 断言的 Audience Restriction 校验失败（详见下文日志）。
我的设置
我在API管理器租户域(wso2.com)中创建了一个应用程序(app1)并生成了密钥。
当我以wso2.com租户域的管理员身份登录IS时,我看到为我的应用程序(app1)创建了一个服务提供商。
SAML断言
<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 2.0 bearer assertion produced by SAML2AssertionCreator.jar and sent to the WSO2
  token endpoint with the urn:ietf:params:oauth:grant-type:saml2-bearer grant.

  These notes are placed outside the signed <saml:Assertion> element on purpose: the
  enveloped signature covers the whole element under exclusive c14n, so adding any byte
  inside it (comment lines included, because the surrounding whitespace text nodes are
  canonicalized too) would invalidate the <ds:Reference> digest. The element itself is
  reproduced exactly as issued.

  Review notes:
  * <saml:Audience> and SubjectConfirmationData/@Recipient are both
    https://localhost:9445/oauth2/token, whereas the server log reports the audience it
    validated against as https://192.168.0.4:9445/oauth2/token (Identity Provider "IS",
    tenant carbon.super). That mismatch is the reported cause of invalid_grant; either
    issue the assertion with the audience the server expects or register the value you
    actually use in the IdP configuration.
  * The application was created in the wso2.com tenant, but the log shows the audience
    check running against the IdP in carbon.super. Presumably the resident IdP of the
    tenant that owns the OAuth client is the one that needs the matching audience;
    worth confirming which tenant's IdP settings are consulted.
  * The signature uses rsa-sha1 for SignatureMethod and sha1 for DigestMethod. Both are
    deprecated for XML Signature; prefer rsa-sha256 and sha256 where the receiving
    server accepts them.
  * <saml:NameID> declares the emailAddress format but carries the bare value "admin".
    The receiving user store must resolve that literal, or the format should match the
    value (e.g. unspecified).
  * The issuer is TestSP. The token endpoint presumably resolves the trusted IdP and its
    signing certificate from this value, so TestSP must be registered as an Identity
    Provider (with the certificate in KeyInfo) in the relevant tenant, not only as a
    service provider.
  * Validity is five minutes (Conditions/@NotBefore to @NotOnOrAfter, mirrored in
    SubjectConfirmationData/@NotOnOrAfter); clock skew between issuer and token
    endpoint must stay within that window.
  * The certificate in KeyInfo comes from the default wso2carbon.jks keystore shipped
    with the product (see the generator command, which uses the default store, alias
    and password). Anyone with that distribution can mint assertions that validate
    against it; use a dedicated key pair outside lab testing.
-->
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm" IssueInstant="2017-06-13T08:05:36.500Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TestSP</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ISNhVVsEbeRLN2MQdob0qs1QEXc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
XrMqLJO6z8BERlmrysn9aV9m1GPte3hOUqxNUhr8eTMtho2zjYE5fJkbT+pf8oHxXUaozefs5G+o
N0tWQc9pqXxuYtk6Lk/EimMzF2xEgrtEzZqksVebJagz9UeOr1mfubZpSGcfdWMHSJdkOuAmsW0E
rqIc1RZDh+95aoh3VmE=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE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=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2017-06-13T08:10:36.500Z" Recipient="https://localhost:9445/oauth2/token"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2017-06-13T08:05:36.500Z" NotOnOrAfter="2017-06-13T08:10:36.500Z">
<saml:AudienceRestriction>
<saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2017-06-13T08:05:36.601Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="C">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">:
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
生成断言的命令：java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9445/oauth2/token https://localhost:9445/oauth2/token .../wso2/wso2is-5.1.0/repository/resources/security/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
注意：（1）命令里的两个 URL 参数以及断言中的 Recipient、Audience 都是 https://localhost:9445/oauth2/token，而下文日志显示服务器为该 IdP 配置的 Audience 是 https://192.168.0.4:9445/oauth2/token，两者对不上正是校验失败的原因，应让断言中的 Audience 与服务器端配置完全一致；（2）这里使用的是产品自带的默认密钥库 wso2carbon.jks 及其默认口令、别名，任何拿到该发行版的人都能签出可通过验证的断言，只能用于本地测试，正式环境必须换成专用密钥对；（3）密钥库路径中 resources/security 重复出现了两次，疑为粘贴错误，请核对实际路径。
令牌CMD-
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type:application/x-www-form-urlencoded" https://<IP of the APIM server>:9445/oauth2/token
注意：-k 会跳过 TLS 证书校验，仅适用于本地测试，正式环境应信任服务器证书并去掉该参数；assertion 参数值需要做 URL 编码；Authorization 头中的 Basic 值包含 consumer secret，不要写入日志或贴到公开场合。另外，这里的请求发往 https://<IP of the APIM server>:9445/oauth2/token，而断言中的 Audience 是 https://localhost:9445/oauth2/token，两者也不一致。
日志
[2017-06-13 12:56:17,036] DEBUG - OAuth2Service Access Token request received for Client ID 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka, User ID null, Scope : [PRODUCTION] and Grant Type : urn:ietf:params:oauth:grant-type:saml2-bearer
[2017-06-13 12:56:17,036] DEBUG - AbstractClientAuthHandler Can authenticate with client ID and Secret. Client ID: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,039] DEBUG - AbstractClientAuthHandler Grant type : urn:ietf:params:oauth:grant-type:saml2-bearer Strict client validation set to : null
[2017-06-13 12:56:17,043] DEBUG - OAuth2Util Client credentials were available in the cache for client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,045] DEBUG - OAuth2Util Successfully authenticated the client with client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,055] DEBUG - SAML2BearerGrantHandler SAML Assertion Audience Restriction validation failed against the Audience : https://192.168.0.4:9445/oauth2/token of Identity Provider : IS in tenant : carbon.super
[2017-06-13 12:56:17,055] DEBUG - AccessTokenIssuer Invalid Grant provided by the client Id: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,060] DEBUG - AccessTokenIssuer OAuth-Error-Code=invalid_grant client-id=0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope=PRODUCTION