我正在尝试实现SAML2 SSO,但出现错误saml2.sigver.SignatureError: Signature missing for response。我正在使用djangosaml2,依次使用pysaml2。寻找签名时似乎遇到了一个问题:https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/sigver.py#L1648
看起来它正在尝试在Response属性中找到签名,但是我的IDP在响应属性中没有返回签名,但是可以在响应中找到签名作为其自己的元素ns2:Signature。
我应该让我的IDP给我一个不同的答案,还是我错过了配置选项?
Login process started
Trying binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for IDP None
Redirecting user to the IdP via urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding.
Saving the session_id in the OutstandingQueries cache
Invalid or malformed SAML Assertion.
Traceback (most recent call last):
File "/usr/local/lib/python3.4/dist-packages/djangosaml2/views.py", line 271, in assertion_consumer_service
response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries)
File "/usr/local/lib/python3.4/dist-packages/saml2/client_base.py", line 712, in parse_authn_request_response
binding, **kwargs)
File "/usr/local/lib/python3.4/dist-packages/saml2/entity.py", line 1150, in _parse_response
response = response.loads(xmlstr, False, origxml=xmlstr)
File "/usr/local/lib/python3.4/dist-packages/saml2/response.py", line 520, in loads
self._loads(xmldata, decode, origxml)
File "/usr/local/lib/python3.4/dist-packages/saml2/response.py", line 342, in _loads
**args)
File "/usr/local/lib/python3.4/dist-packages/saml2/sigver.py", line 1648, in correctly_signed_response
raise SignatureError('Signature missing for response')
saml2.sigver.SignatureError: Signature missing for response
SAML响应:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="..." ID="..." InResponseTo="..." IssueInstant="2018-12-07T10:31:48Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="..." IssueInstant="2018-12-07T10:31:48Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">...</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="...">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>...</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>...</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>...</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
...
...
</saml:Assertion>
</samlp:Response>
答案 0 :(得分:0)
在Bernhard发表评论之后,我需要设置"want_response_signed": False
SAML_CONFIG = {
'service': {
'sp': {
"want_response_signed": False
...