After one week of work integrating the Spring Security SAML Sample App with Ping (PingIdentity), I am almost done... Now I get an "InResponseToField of the Response doesn't correspond to sent message" error (below). Here are the request and the response; as you can see, the ID and the response match, don't they?
Request ***
2017-09-20 11:02:07 DEBUG PROTOCOL_MESSAGE:74 -
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://hostwithapp:8443/app1/saml/SSO" Destination="https://hostwithping:9031/idp/SSO.saml2" ForceAuthn="false" ID="a1je2ba47j27cdid2h74507gii19bgj" IsPassive="false" IssueInstant="2017-09-20T09:02:07.956Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a1je2ba47j27cdid2h74507gii19bgj">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>rnJ2+WxLofXdY71JMpCyzvxjeI8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>EHlnvY+rGsrq/KjFo7nhAjkirmy+HXpfPLSBr+FuCCm85fr3Z+yJupvYJlMXtwl/PM6NN3kXEecGA1oanUjnshb5o85QNY1v/PucZccGUr+kxWRc2F3YnDOazAjt8WXV5R1QJIPlf8Hank/7nqgylt35cftWitmcFuth0SSaT9N/gWXj7FvhwvEyO38Hh5W9OEQrZlPBimI6g2LdhM8IjuzXQYdmP5rADu0WQbIx48oRnVMKpaiG/7D7GxVDtT+5F/0Jr/cDo/slhAv3LjhGbuqoX0tUIngdUM+egODW6KnHHj9GAYdTM7XGBlLuIgGPeOQUpbPrf0WtzswzHVqXpw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDQDCCAiigAwIBAgIGAVzUOBXsMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNVBAYTAkFUMSgwJgYD...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
Response ***
2017-09-20 11:02:09 DEBUG BaseSAML2MessageDecoder:115 - Extracting ID, issuer and issue instant from status response
2017-09-20 11:02:09 INFO stdout:71 - 2017-09-20 11:02:09 DEBUG PROTOCOL_MESSAGE:113 -
2017-09-20 11:02:09 INFO stdout:71 - <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="vr.9BGHJqgMjrb_LZuq261qE9M8" InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" IssueInstant="2017-09-20T09:02:01.717Z" Version="2.0">
2017-09-20 11:02:09 INFO stdout:71 - <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml:Issuer>
2017-09-20 11:02:09 INFO stdout:71 - <samlp:Status>
2017-09-20 11:02:09 INFO stdout:71 - <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
2017-09-20 11:02:09 INFO stdout:71 - </samlp:Status>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="mbPkcKjMO1j2AuxzPEbK-5DY73T" IssueInstant="2017-09-20T09:02:01.748Z" Version="2.0">
2017-09-20 11:02:09 INFO stdout:71 - <saml:Issuer>app1</saml:Issuer>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
2017-09-20 11:02:09 INFO stdout:71 - <ds:SignedInfo>
2017-09-20 11:02:09 INFO stdout:71 - <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Reference URI="#mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO stdout:71 - <ds:Transforms>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
2017-09-20 11:02:09 INFO stdout:71 - </ds:Transforms>
2017-09-20 11:02:09 INFO stdout:71 - <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
2017-09-20 11:02:09 INFO stdout:71 - <ds:DigestValue>EBqN6ZmIBFy69PsA3vxAMhvKPdSLiwUykRPlMnsxrnU=</ds:DigestValue>
2017-09-20 11:02:09 INFO stdout:71 - </ds:Reference>
2017-09-20 11:02:09 INFO stdout:71 - </ds:SignedInfo>
2017-09-20 11:02:09 INFO stdout:71 - <ds:SignatureValue>
2017-09-20 11:02:09 INFO stdout:71 - lEDbj7QYOpoAF6Zf6g7mD1J1i01iGHJZiSeZ5EmAvH+yyylrtZDzwvpikrXTiBrTjoJzYm0a6qSC
2017-09-20 11:02:09 INFO stdout:71 - SupHKG5gviH3HA2Ghcmz/pneF6lqtcIW1WpznyBPYzNsRZreDT4ZCkJBNmh1vRS8VNkgPtXHYIp6
2017-09-20 11:02:09 INFO stdout:71 - SaDvvUOnIjBRaDcbsaIzsCetek+0uDI456I3z+FfT9lIXMEqbfkeUxXSdwqK3BPA4a1GkUCYNG7K
2017-09-20 11:02:09 INFO stdout:71 - ens068ul0GxbXNFYgdLN/NOG3m+rCIJaVzhgbBNGHtMxVTxnyPyvz6exAUYHJAGv5aYCDVYfFber
2017-09-20 11:02:09 INFO stdout:71 - YXKG5dZldhUO2yoxOVCaPgCd7MZjAwA0uN3U3g==
2017-09-20 11:02:09 INFO stdout:71 - </ds:SignatureValue>
2017-09-20 11:02:09 INFO stdout:71 - </ds:Signature>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Subject>
2017-09-20 11:02:09 INFO stdout:71 - <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">userid</saml:NameID>
2017-09-20 11:02:09 INFO stdout:71 - <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
2017-09-20 11:02:09 INFO stdout:71 - <saml:SubjectConfirmationData InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" NotOnOrAfter="2017-09-20T09:52:01.748Z" Recipient="https://hostwithapp:8443/app1/saml/SSO"/>
2017-09-20 11:02:09 INFO stdout:71 - </saml:SubjectConfirmation>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Subject>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Conditions NotBefore="2017-09-20T08:12:01.748Z" NotOnOrAfter="2017-09-20T09:52:01.748Z">
2017-09-20 11:02:09 INFO stdout:71 - <saml:AudienceRestriction>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Audience>app1</saml:Audience>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AudienceRestriction>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Conditions>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AuthnStatement AuthnInstant="2017-09-20T09:02:01.748Z" SessionIndex="mbPkcKjMO1j2AuxzPEbK-5DY73T">
2017-09-20 11:02:09 INFO stdout:71 - <saml:AuthnContext>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AuthnContext>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AuthnStatement>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeStatement>
2017-09-20 11:02:09 INFO stdout:71 - <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">APP-ESB-UIP-ADMIN</saml:AttributeValue>
..
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=APP-BM,C</saml:AttributeValue>
2017-09-20 11:02:09 INFO stdout:71 - <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">all-authenticated</saml:AttributeValue>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Attribute>
2017-09-20 11:02:09 INFO stdout:71 - </saml:AttributeStatement>
2017-09-20 11:02:09 INFO stdout:71 - </saml:Assertion>
2017-09-20 11:02:09 INFO stdout:71 - </samlp:Response>
Following Vladimir's suggestion, I tried putting Ping and app1 on separate hosts. I also tried injecting a Spring cookie rename, but that does not seem to change any cookie name in my HAR file. Is this the right way to do it? I am not sure how sessionRepository should be initialized....
<bean id="sessionRepository"
class="org.springframework.session.MapSessionRepository">
</bean>
<!-- avoid spring ping cookie conflict to run poc spring app and ping on same host -->
<bean id="sessionRepositoryFilter"
class="org.springframework.session.web.http.SessionRepositoryFilter">
<constructor-arg ref="sessionRepository"/>
<property name="httpSessionStrategy">
<bean class="org.springframework.session.web.http.CookieHttpSessionStrategy">
<property name="cookieName" value="myCookieName" />
</bean>
</property>
</bean>
The HAR file is here: http://jmp.sh/nmJhefs
Cookies I see are: ping1
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34tHdGUwOS50Ncl4r74qH4QM"
ping2:
"name": "PF",
"value": "8dq7R8jflRT2lMbeOkYK34"
Wildfly Web Session
"name": "JSESSIONID",
"value": "Z9HSNymqBc6SXLnn68CZcdT2",
Answer 0 (score: 1)
This problem usually occurs when the JSESSIONID cookie stored at the time the request was generated differs from the JSESSIONID found while the response is being received. The cause is that different hostnames are used to send the request and to receive the response.
Are Ping Identity and your application both deployed on localhost? If not, make sure the hostname you open to initiate the request (e.g. http://localhost:8080/saml/login) is the same one that PingIdentity sends the response to.
Earlier questions with the same error:
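As an added illustration of the answer's explanation (not code from the question or from Spring SAML), this Python model ties the SP's record of outstanding AuthnRequest IDs to the browser's host-scoped session cookie: the same InResponseTo value passes when the login URL and the AssertionConsumerServiceURL share a host, and fails with the question's error when they do not. The `Browser`, `ServiceProvider` and `login_round_trip` names and the trimmed Response are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ERROR = "InResponseToField of the Response doesn't correspond to sent message"
# Constructed sample Response: only the attributes the check reads, IDs from the question's log.
RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="vr.9BGHJqgMjrb_LZuq261qE9M8" InResponseTo="a1je2ba47j27cdid2h74507gii19bgj" Version="2.0"/>'
)

class Browser:
    """Cookie jar keyed by host, the way a browser scopes JSESSIONID."""
    def __init__(self):
        self.jar = {}  # hostname -> JSESSIONID

    def cookie_for(self, url):
        return self.jar.get(urlparse(url).hostname)

class ServiceProvider:
    """Simplified SP: outstanding AuthnRequest IDs are kept in the HTTP session."""
    def __init__(self):
        self.sessions = {}  # JSESSIONID -> set of pending request IDs

    def start_login(self, browser, login_url, request_id):
        # The session cookie is set for the host the user opened the login URL on.
        host = urlparse(login_url).hostname
        sid = browser.jar.setdefault(host, f"sess-{len(self.sessions) + 1}")
        self.sessions.setdefault(sid, set()).add(request_id)
        return sid

    def consume_response(self, browser, acs_url, response_xml):
        # The browser POSTs the Response to the ACS URL with only the cookie it
        # holds for the ACS host; a different host means a different (empty) session.
        sid = browser.cookie_for(acs_url)
        pending = self.sessions.get(sid, set())
        in_response_to = ET.fromstring(response_xml).get("InResponseTo")
        if in_response_to not in pending:
            raise ValueError(f"{ERROR} {in_response_to}")
        pending.discard(in_response_to)
        return in_response_to

def login_round_trip(login_url, acs_url, request_id="a1je2ba47j27cdid2h74507gii19bgj"):
    """Return 'ok' when the ACS host sees the session that issued the AuthnRequest."""
    browser, sp = Browser(), ServiceProvider()
    sp.start_login(browser, login_url, request_id)
    try:
        sp.consume_response(browser, acs_url, RESPONSE_XML)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Comparing the hostname of the URL you open to start the login with the host in the AuthnRequest's AssertionConsumerServiceURL (hostwithapp in the question) is the quick way to spot the mismatch in a HAR capture.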