WSO2 Identity Server SAML2响应发布者验证失败

时间:2018-05-28 15:20:07

标签: wso2 office365 azure-active-directory saml-2.0 wso2is

我已经使用Office 365(AAD)身份提供程序设置了WSO2 Identity Server,sso示例应用程序travelocity.com并使用必要的权限配置了我的Azure Active Directory应用程序。我已禁用双方的用户同意,Azure AD& ;我的身份服务器。

使用示例应用程序,登录工作正常但我从travelocity.com收到以下错误

An error has occurred

SAML2 Response Issuer verification failed

我想验证工作正常,从启用调试日志记录开始(截断一些字符串以获得可读性):

    [2018-05-28 14:24:36,909] DEBUG {org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder} -  Building SAML Response for the consumer 'http://testsso.myapp.com/travelocity.com/home.jsp'
    authenticatedIdPs: eyJ0eXAiOiJKV1QiLCAiYWx[TRUNCATED]
    [2018-05-28 14:24:36,749] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} -  Retrieving current IDPw for user
    [2018-05-28 14:24:36,748] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} -  Cache Key not found for Random Password Container
    [2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Removing post authentication sequnce tracker cookie for context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  ConsentMgtPostAuthenticationHandler is enabled. Hence executing for context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,717] DEBUG {org.wso2.carbon.identity.application.authz.xacml.handler.impl.XACMLBasedAuthorizationHandler} -  In policy authorization flow...
    [2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Executing Post Authentication Management Service for context 09808b90-af77-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  Step processing is completed.
    [2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} -  UNFILTERED_IDP_CLAIM_VALUES map property set to [@odata.id:https://outlook.office365[TRUNCATED] acf5e8c015e'),Alias:my.user,DisplayName:my USER,MailboxGuid:dxxxxxxxxxxxef1a,Id:[TRUNCATED]79639@[TRUNCATED]8c015e,@odata.context:https://outlook.office365.com/api/v2.0/$metadata#Me,EmailAddress:my.user@mycompany.com,]
    [2018-05-28 14:24:36,713] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedExternalClaimDAO} -  Cache hit for external claim list for dialect: http://wso2.org/oidc/claim in tenant: -1234   [2018-05-28 14:24:36,712] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} -  Executing claim handler. isFederatedClaims = true and remote claims = [@odata.id:https://outlook.office365.com/api/v2.0/Users('a[TRUNCATED]980a-82ba0f179639@[TRUNCATED]1-88e0-6acf5e8c015e'),Alias:my.user,DisplayName:my USER,MailboxGuid:[TRUNCATED]4bb9-b0f1-89b84064ef1a,Id:[TRUNCATED]-980a-82ba0f179639@[TRUNCATED]-88e0-6[TRUNCATED],@odata.context:https://outlook.office365.com/api/v2.0/$metadata#Me,EmailAddress:my.user@mycompany.com,]
    [2018-05-28 14:24:36,711] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultSequenceHandlerUtils} -  Service Provider Mapped Roles: null
    [2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil} -  JWT Header :{"typ":"JWT", "alg":"none"}
    [2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  Handling Post Authentication tasks
    [2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  Authenticated IDP data for the IDP 'Azure Active Directory' couldn't be found in previous authenticate IDPs as well. Using a fresh AuthenticatedIdPData object
    [2018-05-28 14:24:36,514] DEBUG {org.wso2.carbon.identity.authenticator.office365.Office365Authenticator} -  Claim URL: https://outlook.office365.com/api/v2.0/me
    [2018-05-28 14:24:36,078] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} -  Authentication Context is null
    [2018-05-28 14:24:36,970] DEBUG {org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder} -  Initializing Key Data for super tenant using system key store
    [2018-05-28 14:24:36,911] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} -  Cache Key not found for Random Password Container
    [2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Query string : sessionDataKey=7d7081e3-b733-47e6-9d28-b9d169a4caf1
    [2018-05-28 14:24:36,749] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} -  Returning roles, Azure Active Directory
[2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Post authentication handler ConsentMgtPostAuthenticationHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]c-54c01ea2c3d6
    [2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Post authentication handler MissingClaimPostAuthnHandler completed execution for session context : 09808b90-af77-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Post authentication handler XACMLBasedAuthorizationHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]01ea2c3d6
    [2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  PASTR cookie is not set to context : 09808b90-af77-49ad-b63c-54c01ea2c3d6. Hence setting the cookie
    [2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  No stored pastr cookie found in authentication context for : 09808b90-af77-49ad-b63c-54c01ea2c3d6 . Hence returning without validating
    [2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  Authenticated IDP data of the IDP 'Azure Active Directory' couldn't be found in current authenticate IDPs. Trying previous authenticated IDPs
    [2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  Office365Authenticator can handle the request.
    [2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  No previous authenticated IDPs found in the authentication context.
    [2018-05-28 14:24:36,071] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} -  Get first priority handler for the given handler list.
    [2018-05-28 14:24:36,070] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} -  Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
    [2018-05-28 14:24:36,945] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} -  Cache Key not found for Random Password Container
    [2018-05-28 14:24:36,861] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  No SaaS SAML service providers found for the issuer : travelocity.com. Checking for SAML service providers registered in tenant domain : carbon.super
    [2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} -  Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
    [2018-05-28 14:24:36,858] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} -  Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
    sessionDataKey: 7d7081e3-b733-47e6-9d28-b9d169a4caf1
    commonAuthAuthenticated: true
    [2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  Executing the Step Based Authentication...
    [2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} -  Concluding the Authentication Flow
    [2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  MissingClaimPostAuthnHandler is enabled. Hence executing for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,717] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  XACMLBasedAuthorizationHandler is enabled. Hence executing for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} -  Handling post authentication
    [2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} -  Returning claims from claim handler = []
    [2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} -  Trying to find the IdP for name: Azure Active Directory
    [2018-05-28 14:24:36,707] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  Office365Authenticator returned: SUCCESS_COMPLETED
    [2018-05-28 14:24:36,661] DEBUG {org.wso2.carbon.identity.authenticator.office365.Office365Authenticator} -  Claim URL: https://outlook.office365.com/api/v2.0/me
    [2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} -  No authenticators found.
    [2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler} -  Authentication Graph not defined for the application. Performing Step based authentication. Service Provider :sso_test
    [2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} -  In authentication flow
    [2018-05-28 14:24:36,751] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} -  Publishing authentication success
    [2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Post authentication handler ConsentMgtPostAuthenticationHandler completed execution for session context :[TRUNCATED]-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Post authentication handler MissingClaimPostAuthnHandler returned with status : SUCCESS_COMPLETED for context identifier : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} -  UNFILTERED_SP_CLAIM_VALUES map property set to []
    [2018-05-28 14:24:36,715] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} -  UNFILTERED_LOCAL_CLAIM_VALUES map property set to []
    [2018-05-28 14:24:36,713] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} -  Cache hit for local claim list for tenant: -1234
    [2018-05-28 14:24:36,710] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  No role attribute value has received from the external IDP: Azure Active Directory, in Domain: null.
    [2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil} -  JWT Body :{"iss":"wso2","exp":15275174767093000,"iat":1527517476709,"idps":[{"idp":"Azure Active Directory","authenticator":"Office365Authenticator"}]}
    [2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  Receive a response from the external party
    [2018-05-28 14:24:36,081] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} -  Finding already authenticated IdPs of the step {order:1}
    [2018-05-28 14:24:36,080] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  No current authenticated IDPs in the authentication context. Continuing with the previous authenticated IDPs
    [2018-05-28 14:24:36,072] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} -  Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
    [2018-05-28 14:24:36,860] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} -  Get first priority handler for the given handler list.
    authenticatedUser: aff5b6e8-3ee4-470f-980a-82ba0f179639@7ab7bec6-e60d-43b1-88e0-6acf5e8c015e
    [2018-05-28 14:24:36,745] DEBUG {org.wso2.carbon.identity.data.publisher.application.authentication.AbstractAuthenticationDataPublisher} -  Publishing session creation
    [2018-05-28 14:24:36,719] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Post authentication evaluation has completed for the flow with session data key : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.PostAuthnMissingClaimHandler} -  Post authentication handling for missing claims started
    [2018-05-28 14:24:36,718] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Post authentication handler XACMLBasedAuthorizationHandler completed execution for session context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,716] DEBUG {org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService} -  Starting from current post handler index 0 for context : [TRUNCATED]-49ad-b63c-54c01ea2c3d6
    [2018-05-28 14:24:36,711] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultSequenceHandlerUtils} -  Getting Service Provider mapped roles of application: sso_test of user: null
    [2018-05-28 14:24:36,710] DEBUG {org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade} -  A registered IdP was found
    [2018-05-28 14:24:36,709] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  Request is successfully authenticated.
    [2018-05-28 14:24:36,708] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  There are no more steps to execute.
    [2018-05-28 14:24:36,708] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  Step 1 is completed. Going to get the next one.
    [2018-05-28 14:24:36,080] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} -  Starting Step: 1
    [2018-05-28 14:24:36,079] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler} -  Executing the Step Based Authentication...
    [2018-05-28 14:24:36,807] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler} -  Sending response back to: /samlsso...

    "               <script type='text/javascript'>"
                        <!--$additionalParams-->
    <input type='hidden' name='SAMLResponse' value='PD94bWwgdmVyc2lvbj0iMS4wIiB[TRUNCATED]NhbWwycDpSZXNwb25zZT4='/>
    "                   <p>"
    "           If the redirection fails, please click the post button.</p>"
    [2018-05-28 14:24:37,057] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  samlsso_response.html <!--
    [2018-05-28 14:24:37,032] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} -  Cache Key not found for Random Password Container
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    uij0SKVN2wbNcBFhUva/zdYZdLJFncZjbx6bDrpKkL9cXKQdzcNnoPTo7NqO3ENqCxzynYV60eEa
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignedInfo>
    yzoB9khd18faM/pHPpy2XyU12G9XIf5Es9jAcQ==
    D1I1TBLWDDa03X2Juouoijh3I9+SujuWp724eFbt7UmUFsi6Xw2yiMA6D+t7sCeWQD315ddyt/zL
    V9MaQ4SUT+m2a17DjxTEQ0ErrQtqvnrv3+VtgT4/kV1HbkzF6UKyR7FLrV6y1SbMrwEXVrB8qfOg
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <saml2p:Response Destination="http://testsso.myapp.com/travelocity.com/home.jsp" ID="_4ef05bebd4ab91eabd769cc4ee37d501" InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi" IssueInstant="2018-05-28T14:24:36.921Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    "           </script>"
    "               document.forms[0].submit();"
    "                   </p>"

    <html>
    -->
    [TRUNCATED]
    CXaL/gdwMsqcCjwBsuxY0gprp1zSB6jaTPyhiso84uirKJ+VELaY32tYhuRB4GdAVBg+eB1pESNC
    </ds:Transforms>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="_54459a8d0c72b06aaa9cbe446f9362f1" IssueInstant="2018-05-28T14:24:36.935Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    /mvTmWZLM7GM6sApmyLX6OXUp8z0pkY+vT/9+zRxxQs7GurC4/C1nK3rI/0ySUgGEafO1atNjYml
    </ds:SignatureValue>
    SOu0s4wPMg1mAnpz6suXzBXn3nq+u+zxszUBSmB6Ji3iw7vy2w/X8GJPb6YgCk0cW69mDMxr61zy
    <ds:SignatureValue>
    [2018-05-28 14:24:37,027] DEBUG {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  <?xml version="1.0" encoding="UTF-8"?>
    [2018-05-28 14:24:37,017] DEBUG {org.wso2.carbon.identity.sso.saml.builders.SignKeyDataHolder} -  Initializing Key Data for super tenant using system key store
    "               </form>"
    "                   <button type='submit'>POST</button>"
    [2018-05-28 14:24:37,031] DEBUG {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  PD94bWwgdmVy[TRUNCATED]SZXNwb25zZT4=
    </ds:SignatureValue>
    rlsAPDJe8WsU8n2kRf4n43gj+UiHOrCL1EeqcQ==
    <ds:Transforms>
    [TRUNCATED]
    CBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxDTALBgNVBAoTBFdTTzIxEjAQBgNVBAMTCWxv
    CUXBkoV2V4tJg2GozJJQL+iiWen3HhRW1bc93msuJ+BJOQMIs4MOb4bYS4XWyrjMw4aWlAsCw91g
    </ds:SignedInfo>
    <ds:DigestValue>zo728mSqUt83wg9P5p0xQWMqna0=</ds:DigestValue>
    <ds:Reference URI="#_4ef05bebd4ab91eabd769cc4ee37d501">
    <ds:SignedInfo>
            </body>
    "                   <!--$params-->"
    "           <form method='post' action='http://testsso.myapp.com/travelocity.com/home.jsp'>"
    "   <body>"
    [TRUNCATED]
    V8up9UQHeb58Eds6BJ5PJvMrCPTGy59Q03er7X1rzIMNVN0ijaFFQTOd2CCS21OHF+g5709TQun9
    </ds:SignedInfo>
    <ds:DigestValue>f+rrjvtlOhgKz8tVnHE+3nEzoZM=</ds:DigestValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </html>
    "           <p>You are now redirected back to http://testsso.myapp.com/travelocity.com/home.jsp"
    Variables http://testsso.myapp.com/travelocity.com/home.jsp, $response, $relayState and $additionalParams will be replaced by the corrosponding values
    qfyXM7xEotWoxmm6HZx8oWQ8U5aiXjZ5RKDWCCq4ZuXl6wVsUz1iE61suO5yWi8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[TRUNCATED]-82ba0f179639@[TRUNCATED]-88e0-6acf5e8c015e</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="niblbbpjdnlokandnpbbbmcpjdpajlonncldcnpi" NotOnOrAfter="2018-05-28T14:29:36.921Z" Recipient="http://testsso.myapp.com/travelocity.com/home.jsp"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2018-05-28T14:24:36.935Z" NotOnOrAfter="2018-05-28T14:29:36.921Z"><saml2:AudienceRestriction>fefd4ede6"><saml2:AuthnContext><sa<saml2:Audience>travelocity.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2018-05-28T14:24:36.952Z" SessionIndex="4cd87270-9341-4a54-8d14-1c0ml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="@odata.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://outlook.office365.com/api/v2.0/Users('[TRUNCATED]980a-82ba0f179639@[TRUNCATED]-88e0-6acf5e8c015e')</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Alias" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my.user</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="DisplayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my USER</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="MailboxGuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[TRUNCATED]-89b84064ef1a</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="Id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[TRUNCATED]-82ba0f179639@[TRUNCATED]-88e0-6acf5e8c015e</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="@odata.context" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://outlook.office365.com/api/v2.0/$metadata#Me</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my.user@mycompany.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
    Pty9jqM1CgRPpqvZa2lPQBQqZrHkdDE06q4NG0DqMH8NT+tNkXBe9YTre3EJCSfsvswtLVDZ7GDv
    [TRUNCATED]
    C6xKegbRWxky+5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9+PmjdGt
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDSTCCAjGgAwIBAgIEAoLQ/TANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
    <ds:SignatureValue>
    </ds:Reference>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
    <ds:Reference URI="#_54459a8d0c72b06aaa9cbe446f9362f1">
    [TRUCATED]
    au4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0+s6kMl2EhB+rk7gXluEep7lIOenzfl2f6IoTKa2
    </ds:Reference>
    </ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
    <ds:Transforms>
    THKojJjQvdVCzRj6XH5Truwefb4BJz9APtnlyJIvjHk1hdozqyOniVZd0QOxLAbcdt946chNdQvC

我可以认为我的配置按原样运行,还是存在真正的问题?

谢谢。

2 个答案:

答案 0 :(得分:1)

在您的SAML响应中,发布者是 localhost 。它与您使用的不匹配。那就是你使用 travelocity.com 作为发行人。如果要更改身份服务器中的颁发者,可以通过导航到身份服务器上的以下目录来执行此操作。 驻留身份提供商 - &gt; SAML2 Web SSO配置 - &gt;身份提供商实体ID:

答案 1 :(得分:0)

我遇到了相同的情况,并通过在所有位置对齐身份提供者实体ID来解决此问题。

WSO2验证收到的SAML响应以确保它是由预期的SAML身份提供者发出的。 WSO2在SAML响应的标签中包含其ID。

我用来对齐实体ID的步骤

  1. 修改了服务提供商的sso.properties文件中的IdPEntityId(我正在使用Java)
if(isset($_GET['result'])) {
    $value .= $_GET['result'];
}
  1. 在WSO2管理门户网站上,我在SAML2.IdPEntityId=localhost.com 下修改了常驻实体ID。我也将Main >> Identity >> Identity Providers >> Resident设置为Home Realm Identifier

  2. 然后我也将服务提供商的localhost.com修改为IdP Entity ID Alias

完成此操作后,XML中的标记现在带有预期的实体ID,并且已解决问题。