我正在开发一个项目,重新使用https://github.com/vdenotaris/spring-boot-security-saml-sample与Azure AD集成为IDP。
整合进展顺利。我唯一无法修复的是元数据信任检查。
根据https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x/reference/html/chapter-idp-guide.html 建议将metadataTrustCheck设置为false以跳过签名验证
但是,我想问一下是否可以使用Azure进行元数据信任检查。
要重新创建,请将IDP元数据网址设置为 https://login.microsoftonline.com/sample.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
将WebSecurityConfig#extendedMetadataProvider
并将login.microsoftonline.com SSL证书导入samlKeystore.jks
2018-01-23 09:58:05.450 DEBUG 9924 --- [localhost-startStop-1] o.o.xml.signature.SignatureValidator : Signature validated with key from supplied credential
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
2018-01-23 09:58:05.451 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.o.x.s.impl.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.x.s.x.BasicX509CredentialNameEvaluator : Supplied trusted names are null or empty, skipping name evaluation
2018-01-23 09:58:05.452 DEBUG 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Attempting PKIX path validation on untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
2018-01-23 09:58:05.458 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : Building certificate path using default security provider
2018-01-23 09:58:05.466 TRACE 9924 --- [localhost-startStop-1] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=accounts.accesscontrol.windows.net']
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:1.8.0_161]
at java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:1.8.0_161]
at org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator.validate(CertPathPKIXTrustEvaluator.java:85) ~[spring-security-saml2-core-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
ssocircle metadata https://idp.ssocircle.com/idp-meta.xml
不会发生此问题答案 0 :(得分:0)
用于签署元数据的证书似乎与您导入的login.microsoftonline.com上的证书不同。
请参阅Signature trust establishment failed for SAML metadata entry