Question

我的应用程序SP和客户端IDP之间的SSO发生'Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint'异常。

服务器日志显示架构上的差异，请参见下文：

Checking SAML message intended destination endpoint against receiver endpoint
2019-03-05 15:02:44.599 DEBUG [204 default task-41][BaseSAMLMessageDecoder] Intended message destination endpoint: https://my.app.com/app-gateway/saml/SSO
2019-03-05 15:02:44.599 DEBUG [204 default task-41][BaseSAMLMessageDecoder] Actual message receiver endpoint: http://my.app.com/app-gateway/saml/SSO
2019-03-05 15:02:44.600 ERROR [204 default task-41][BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://my.app.com/app-gateway/saml/SSO' did not match the recipient endpoint 'http://my.app.com/app-gateway/saml/SSO'

我的应用程序在2个实例的STG上运行，并且LB位于前面，因此我使用SAMLContextProviderLB上下文提供程序而不是SAMLContextProviderImpl：

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
        <property name="scheme" value="https"/>
        <property name="serverName" value="my.app.com"/>
        <property name="serverPort" value="443"/>
        <property name="includeServerPortInRequestURL" value="false"/>
        <property name="contextPath" value="/app-gateway"/>
    </bean>

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityBaseURL" value="https://my.app.com/app-gateway1"/>
                <property name="entityId" value="${cas.sso.entityId}"/>
                <property name="includeDiscoveryExtension" value="false"/>
                <property name="extendedMetadata" ref="extendedMetadata"/>
                <property name="keyManager" ref="keyManager"/>
            </bean>
        </constructor-arg>
    </bean>

在getActualReceiverEndpointURI的源代码中，接收者端点URL从请求httpRequest obj中获取。 因此，我试图了解在哪一步设置了错误的URL http://my.app.com/app-gateway/saml/SSO。谁能解释给我听？

protected String getActualReceiverEndpointURI(SAMLMessageContext messageContext) throws MessageDecodingException {
        InTransport inTransport = messageContext.getInboundMessageTransport();
        if (! (inTransport instanceof HttpServletRequestAdapter)) {
            log.error("Message context InTransport instance was an unsupported type: {}", 
                    inTransport.getClass().getName());
            throw new MessageDecodingException("Message context InTransport instance was an unsupported type");
        }
        HttpServletRequest httpRequest = ((HttpServletRequestAdapter)inTransport).getWrappedRequest();

        StringBuffer urlBuilder = httpRequest.getRequestURL();

        return urlBuilder.toString();
    }

Answer 1

您可能要检查以下页面： https://developer.jboss.org/thread/240113

即使在LB上正确设置了X-Forwarded-Proto，我也遇到了类似的问题，该请求仍然仅使用http解释。后端必须知道标头。

在http侦听器上添加proxy-address-forwarding =“ true”和两个filter-ref

<http-listener name="default" socket-binding="http" proxy-address-forwarding="true"/>  
            <filter-ref name="server-header"/>  
            <filter-ref name="x-powered-by-header"/>

希望获得帮助，

Answer 2

对于在AWS Application Load Balancer后面运行的Apache Tomcat服务器，需要启用RemoteIPValue，以便基于 x-forwarded-proto 标头，Tomcat将覆盖方案（https）和端口（443）。

在 server.xml

中

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" internalProxies="10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|169\.254\.\d+\.\d+|127\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+" />

Spring SAML：SAML消息预期的目标端点与收件人端点不匹配

2 个答案: