OneLogin SAML2 Invalid Schema

Time: 2019-03-05 02:48:36

Tags: single-sign-on saml-2.0 onelogin

I am integrating OneLogin for SAML2 authentication. It works fine on my QA server, but my production environment throws an error.

Warning: DOMDocument::schemaValidate(): Invalid Schema in \Classes\OneLogin\src\Saml2\Utils.php on line 133
invalid_response

OneLogin\Saml2\Auth Object
(
    [_settings:OneLogin\Saml2\Auth:private] => OneLogin\Saml2\Settings Object
        (
            [_paths:OneLogin\Saml2\Settings:private] => Array
                (
                    [base] => \\Classes\OneLogin/
                    [config] => \\Classes\OneLogin/
                    [cert] => \\Classes\OneLogin/certs/
                    [lib] => \\Classes\OneLogin/src/
                )

            [_baseurl:OneLogin\Saml2\Settings:private] => 
            [_strict:OneLogin\Saml2\Settings:private] => 1
            [_debug:OneLogin\Saml2\Settings:private] => 
            [_sp:OneLogin\Saml2\Settings:private] => Array
                (
                    [entityId] => tools
                    [assertionConsumerService] => Array
                        (
                            [url] => https://example.com/login/saml2.php
                            [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                        )

                    [NameIDFormat] => urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                    [x509cert] => -----BEGIN CERTIFICATE-----

On the face of it, is the invalid schema caused by the response that is returned? Does it have to be in the expected format that matches the .xsd?

If so, does this usually indicate an invalid certificate?

    // php-saml settings as posted; the only change made in production was
    // 'wantXMLValidation' => false under 'security' (see Update 2 below).
    $settingsInfo = array(
        'strict' => true,
        'sp' => array(
            'entityId' => 'tools',
            'assertionConsumerService' => array(
                // Built from the incoming request rather than fixed per environment,
                // so the advertised ACS URL follows whatever Host header the client sent.
                'url' => "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'],
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ),
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
            // SP signing certificate and key, loaded from the include path.
            'x509cert' => file_get_contents('lb-sso.pem', FILE_USE_INCLUDE_PATH),
            'privateKey' => file_get_contents('lb-sso.key', FILE_USE_INCLUDE_PATH),
        ),
        'idp' => array(
            'entityId' => 'https://sso.example.com',
            'singleSignOnService' => array(
                'url' => 'https://sso.example.com/idp/SSO.saml2',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            'singleLogoutService' => array(
                'url' => 'https://sso.example.com/idp/SSO.saml2',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            // IdP signing certificate used to verify the SAMLResponse signature.
            'x509cert' => file_get_contents('sso.pem', FILE_USE_INCLUDE_PATH),
        ),
        'compress' => array(
            'requests' => true,
            'responses' => true,
        ),
        'security' => array(
            'authnRequestsSigned' => true,
            'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        ),
    );

    $auth = new OneLogin\Saml2\Auth($settingsInfo);

Update

I was able to print out some additional errors for this.

Warning: DOMDocument::schemaValidate(): Invalid Schema in \\Classes\OneLogin\src\Saml2\Utils.php on line 134 

failed to load external entity "/Classes/OneLogin/src/Saml2/schemas/xmldsig-core-schema.xsd" 
Element '{http://www.w3.org/2001/XMLSchema}import': Failed to locate a schema at location '/Classes/OneLogin/src/Saml2/schemas/xmldsig-core-schema.xsd'. Skipping the import. 
failed to load external entity "/Classes/OneLogin/src/Saml2/schemas/xenc-schema.xsd" 
Element '{http://www.w3.org/2001/XMLSchema}import': Failed to locate a schema at location '/Classes/OneLogin/src/Saml2/schemas/xenc-schema.xsd'. Skipping the import. 
Element '{http://www.w3.org/2001/XMLSchema}element', attribute 'ref': The QName value '{http://www.w3.org/2001/04/xmlenc#}EncryptedData' does not resolve to a(n) element declaration. 
Element '{http://www.w3.org/2001/XMLSchema}element', attribute 'ref': The QName value '{http://www.w3.org/2001/04/xmlenc#}EncryptedKey' does not resolve to a(n) element declaration.

The xsd file does exist, but it seems the path may be missing another / in front of it: //Classes/OneLogin/...

Update 2:

It appears that the way the IdP sends the response back to the production server may differ from the QA server.

The OneLogin files are identical on both sites, but I had to toggle one setting under security: wantXMLValidation = false.

This leads me to believe that the XML format they send back in the response does not match the expected xsd format.

It shows that authentication and the certificates are valid and the connection is being established; it just no longer validates the format of the XML.

If I were to do a sanity check to make sure it includes all the expected nodes, what security implications might this have?

1 Answer:

Answer 0 (score: 1)

The SAMLResponse processed by the php-saml toolkit does not follow the xsd schema; that is why you see that error.

You can try using SAMLTracer to record the SAMLResponse and then use https://www.samltool.com/validate_xml.php to find out why the XML is invalid.
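As an added example (written for this page; not code from the question, the answer, or php-saml itself), the following PHP script separates the two failure modes that appear in the thread: the schema set itself failing to load (the "failed to load external entity" / "Failed to locate a schema at location" lines in the Update, which are about the xs:import lookups under the schemas directory, not about anything the IdP sent) versus a decoded SAMLResponse that genuinely does not match the schema. It also shows the kind of "all expected nodes present" check asked about in Update 2, and why that check can only sit beside schema validation and signature verification rather than replace them. Assumptions: php-saml's xsd files have been copied into a `schemas` directory next to the script; the SAMLResponse is a constructed, unsigned sample embedded inline; the function names are this example's own.

```php
<?php
// Added diagnostic for the thread above (not php-saml code). It calls the same
// DOMDocument::schemaValidate() that Utils.php does, but keeps the libxml errors
// so the cause is visible instead of a bare "Invalid Schema" warning.
declare(strict_types=1);

// Assumption: php-saml's xsd files are in ./schemas next to this script. Build the
// path with the platform separator: the xs:import entries in the xsd files resolve
// relative to it, and a mixed "\\Classes\OneLogin/" prefix like the one in the
// question is the kind of value that makes those lookups fail.
define('SCHEMA_DIR', __DIR__ . DIRECTORY_SEPARATOR . 'schemas');
define('PROTOCOL_XSD', SCHEMA_DIR . DIRECTORY_SEPARATOR . 'saml-schema-protocol-2.0.xsd');

function drainLibxmlErrors(): array   // buffered libxml errors as strings, then clear
{
    $msgs = array_map(function ($e) { return trim($e->message); }, libxml_get_errors());
    libxml_clear_errors();
    return $msgs;
}

// Step 1: can the schema set itself be loaded? Validating a throwaway <probe/>
// separates schema-loading errors ("failed to load external entity", "Failed to
// locate a schema", "does not resolve to a(n) element declaration") from instance
// errors, which all name the probe element. libxml_disable_entity_loader(true)
// left on by other code produces the same "failed to load external entity" here.
function schemaLoadErrors(string $xsdPath): array
{
    libxml_use_internal_errors(true);
    $probe = new DOMDocument();
    $probe->loadXML('<probe/>');
    @$probe->schemaValidate($xsdPath);   // result ignored; only the errors matter
    return array_values(array_filter(drainLibxmlErrors(), function ($m) {
        return stripos($m, "'probe'") === false;
    }));
}

// Step 2: decode an untrusted SAMLResponse into a DOM without exposing the parser.
function parseSamlResponse(string $base64): DOMDocument
{
    $xml = base64_decode($base64, true);
    if ($xml === false) {
        throw new RuntimeException('SAMLResponse is not valid base64');
    }
    // A SAML message never needs a DOCTYPE (only XXE / entity expansion does).
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('DOCTYPE in SAMLResponse, refused');
    }
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET: no network fetches; LIBXML_NOENT deliberately absent.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('not well-formed: ' . implode('; ', drainLibxmlErrors()));
    }
    return $dom;
}

// Step 3: the "all expected nodes present" check from Update 2. It is a pre-filter
// only: it says nothing about who produced the message, so it runs in addition to
// schema validation and signature verification, never instead of them.
function structuralProblems(DOMDocument $dom): array
{
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
    $root = $dom->documentElement;
    if ($root->namespaceURI !== 'urn:oasis:names:tc:SAML:2.0:protocol' || $root->localName !== 'Response') {
        return ['root element is not samlp:Response'];
    }
    $problems = [];
    // Count Assertions everywhere, not only in the expected place: a second one under
    // an extension point (where the schema admits foreign elements) is the usual
    // setup for signature wrapping.
    $total  = $xp->query('//saml:Assertion')->length;
    $direct = $xp->query('/samlp:Response/saml:Assertion')->length;
    if ($total !== 1 || $direct !== 1) {
        $problems[] = "expected exactly one Assertion under Response, found $direct direct / $total total";
    }
    // A Signature must sit on the Response or the Assertion; whether it really covers
    // that element (Reference URI, digests, key) is the library's check, not this one.
    if ($xp->query('/samlp:Response/ds:Signature | /samlp:Response/saml:Assertion/ds:Signature')->length === 0) {
        $problems[] = 'no ds:Signature on Response or Assertion';
    }
    return $problems;
}

// Constructed, unsigned sample (not a real IdP capture); IDs and URLs are made up.
$sample = base64_encode(
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"'
    . ' IssueInstant="2019-03-05T02:48:36Z"><saml:Issuer>https://sso.example.com</saml:Issuer>'
    . '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    . '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-03-05T02:48:36Z">'
    . '<saml:Issuer>https://sso.example.com</saml:Issuer></saml:Assertion></samlp:Response>'
);

$dom = parseSamlResponse($sample);
if (!file_exists(PROTOCOL_XSD)) {
    echo 'no schemas at ' . SCHEMA_DIR . ", skipping schema validation\n";
} elseif ($loadErrors = schemaLoadErrors(PROTOCOL_XSD)) {
    echo "schema set did not load (fix the path before blaming the IdP):\n  " . implode("\n  ", $loadErrors) . "\n";
} else {
    $ok = @$dom->schemaValidate(PROTOCOL_XSD);
    echo 'response schema-valid: ' . ($ok ? 'yes' : 'no') . "\n  " . implode("\n  ", drainLibxmlErrors()) . "\n";
}
print_r(structuralProblems($dom));   // the unsigned sample is flagged: no ds:Signature
```

Run it on the production box with a SAMLResponse captured by SAMLTracer in place of the constructed sample. If step 1 reports errors, the schema path is the problem and wantXMLValidation can stay at its default; turning it off only hides that the schema set was never loaded. If step 1 is clean and step 2 reports instance errors, those are the reasons the IdP's XML does not match the xsd, which is what the samltool.com validator in the answer would show you.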