Azure IDP metadata fails to load

Time: 2018-01-23 17:05:49

Tags: spring spring-security spring-saml

I am working on a project that reuses https://github.com/vdenotaris/spring-boot-security-saml-sample to integrate with Azure AD as the IDP.

The integration is going well. The only thing I cannot fix is the metadata trust check.

According to https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html it is recommended to set metadataTrustCheck to false to skip signature verification.

However, I would like to ask whether it is possible to perform the metadata trust check with Azure.

To reproduce, set the IDP metadata URL to https://login.microsoftonline.com/sample.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml, set metadataTrustCheck to true in WebSecurityConfig#extendedMetadataProvider, and import the login.microsoftonline.com SSL certificate into samlKeystore.jks:

2018-01-23 09:58:05.450 DEBUG 9924 --- [localhost-startStop-1] o.o.xml.signature.SignatureValidator     : Signature validated with key from supplied credential
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine    : Signature validation using candidate credential was successful
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine    : Successfully verified signature using KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine    : Attempting to establish trust of KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.x.s.x.BasicX509CredentialNameEvaluator : Supplied trusted names are null or empty, skipping name evaluation
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver     : Attempting PKIX path validation on untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
2018-01-23 09:58:05.458 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver     : Building certificate path using default security provider
2018-01-23 09:58:05.466 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver     : PKIX path construction failed for untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.8.0_161]
    at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
    at org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator.validate(CertPathPKIXTrustEvaluator.java:85) ~[spring-security-saml2-core-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]

This problem does not occur with the ssocircle metadata https://idp.ssocircle.com/idp-meta.xml

1 answer:

Answer 0: (score: 0)

The certificate used to sign the metadata appears to be different from the login.microsoftonline.com certificate you imported.

See: Signature trust establishment failed for SAML metadata entry
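The answer's point can be checked directly: the credential the log calls "KeyInfo-derived" is the certificate embedded in the metadata's own `ds:Signature`, and the PKIX evaluator needs a path from that certificate to something in `samlKeystore.jks`. The TLS certificate of login.microsoftonline.com is a different certificate, so no path exists. The script below is an added example, not code from the question, the answer or the spring-boot-security-saml-sample project: it pulls the metadata-signing certificate out of a SAML metadata document, compares its SHA-256 fingerprint with the certificate that was imported, and prints the signing certificate as PEM so it can be imported instead. The metadata document and both certificate blobs are constructed placeholders (not real DER certificates and not Azure's real metadata); only the XML structure mirrors what a signed `EntityDescriptor` looks like.

```python
"""Locate the certificate that signs a SAML metadata document and compare it
with the certificate that was imported as a trust anchor.

Added example; the metadata and certificate bytes below are constructed
placeholders, not real certificates or real Azure AD metadata.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholder "certificates": in practice these are DER bytes.
SIGNING_DER = b"constructed placeholder: metadata signing cert, not real DER"
ASSERTION_DER = b"constructed placeholder: assertion signing cert, not real DER"
TLS_DER = b"constructed placeholder: login.microsoftonline.com TLS cert"

# Constructed metadata with the same shape as a signed EntityDescriptor:
# an enveloped ds:Signature on the root plus an IDPSSODescriptor.
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/example-tenant-id/">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SIGNING_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(ASSERTION_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def metadata_signing_cert(xml_text: str) -> bytes:
    """Return the DER certificate carried in the root's enveloped ds:Signature.

    This is the credential the trust engine tries to validate when
    metadataTrustCheck is true. It is distinct from the KeyDescriptor
    certificates inside IDPSSODescriptor (used for SAML responses) and from
    the TLS certificate of the host serving the metadata.
    """
    root = ET.fromstring(xml_text)
    sig = root.find(f"{DS}Signature")
    if sig is None:
        raise ValueError("metadata root is not signed")
    cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if cert is None or not cert.text:
        raise ValueError("signature carries no X509Certificate")
    return base64.b64decode("".join(cert.text.split()))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM so the certificate can be fed to keytool."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def trust_anchor_matches(xml_text: str, imported_der: bytes) -> bool:
    """True when the imported certificate is the one that signs the metadata."""
    return fingerprint(metadata_signing_cert(xml_text)) == fingerprint(imported_der)


if __name__ == "__main__":
    signing = metadata_signing_cert(SAMPLE_METADATA)
    print("metadata signing cert :", fingerprint(signing))
    print("imported TLS cert     :", fingerprint(TLS_DER))
    print("same trust anchor?    :", trust_anchor_matches(SAMPLE_METADATA, TLS_DER))
    print(to_pem(signing))
```

Against a real download, read FederationMetadata.xml into `metadata_signing_cert`, write the PEM it returns to a file, and import that with `keytool -importcert -keystore samlKeystore.jks -alias <alias> -file <file>.pem`; the fingerprint comparison then returns true and the PKIX path in the log resolves to the imported entry. The imported entry has to be refreshed whenever the IdP rotates its metadata-signing certificate, which is the operational cost of keeping metadataTrustCheck enabled.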