Signature trust establishment fails when loading metadata with FilesystemMetadataProvider

Time: 2019-06-29 14:46:12

Tags: spring ssl spring-security saml spring-saml

I am using the spring-boot-security-saml-sample application and have configured it with my IDP. The IDP metadata is an XML file, which I have configured using a FilesystemMetadataProvider instance. If I have extendedMetadataDelegate.setMetadataTrustCheck(false); in my ExtendedMetadataDelegate, the SAML flow works fine, but as soon as I change it to true I see the following error in the stacktrace:

2019-06-29 20:02:18.726 ERROR 1032 --- [Metadata-reload] o.s.s.s.t.MetadataCredentialResolver     : PKIX path construction failed for untrusted credential: [subjectName='CN=1.idp.host.com,O=Org,L=City,ST=State,C=Country']: unable to find valid certification path to requested target
2019-06-29 20:02:18.736 ERROR 1032 --- [Metadata-reload] o.o.s.m.p.SignatureValidationFilter      : Signature trust establishment failed for metadata entry IDP.Entry.Point
2019-06-29 20:02:18.740 ERROR 1032 --- [Metadata-reload] .s.m.p.AbstractReloadingMetadataProvider : Error filtering metadata from ...\java\demo-saml\src\main\resources\saml\metadata.xml

org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
        at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327) ~[opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityDescriptor(SignatureValidationFilter.java:178) ~[opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:156) ~[opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:493) ~[opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:395) [opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNewMetadata(AbstractReloadingMetadataProvider.java:355) [opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:261) [opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.1.jar!/:?]
        at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.1.jar!/:?]

In the spring-security-saml docs I can see:

Import of digitally signed metadata requires verification of the signature's validity and trust. By default, metadata is not required to be signed. If present, the signature is verified using the PKIX algorithm, with all public keys present in the configured keyManager used as trust anchors. Make sure to include the root CA certificate and intermediate CA certificates of the signature in your keystore.

How do I import the certificates so that validation passes? I was told that the IDP signed the metadata with cacerts. Shouldn't it pass the trust check automatically? If not, why not? I thought the whole point of signing with cacerts was the trust factor.
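Since the quoted docs say the PKIX trust anchors come from the keyManager's keystore, here is an added configuration example (not from the question or the sample project; the keystore path, passwords and aliases are assumed) that wires the FilesystemMetadataProvider with the trust check enabled and the IdP's signing CA chain as the anchors:

```java
import java.io.File;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

public class TrustedIdpMetadataConfig {

    // The keystore must hold the SP key pair plus the root and intermediate
    // CA certificates that issued the IdP's metadata-signing certificate.
    // Path, passwords and aliases below are assumed for illustration.
    public KeyManager keyManager() {
        Map<String, String> passwords = new HashMap<>();
        passwords.put("sp-key", "sp-key-password");
        return new JKSKeyManager(
                new ClassPathResource("saml/samlKeystore.jks"),
                "keystore-password", passwords, "sp-key");
    }

    public ExtendedMetadataDelegate idpMetadata(StaticBasicParserPool parserPool)
            throws MetadataProviderException {
        File metadataFile = new File("src/main/resources/saml/metadata.xml");
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(metadataFile);
        provider.setParserPool(parserPool);

        ExtendedMetadataDelegate delegate =
                new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // Reject metadata whose signature does not chain to a trusted anchor.
        delegate.setMetadataTrustCheck(true);
        // Refuse unsigned metadata instead of silently accepting it.
        delegate.setMetadataRequireSignature(true);
        // Limit the PKIX anchors to the CA aliases imported into the keystore
        // (assumed aliases); leave unset to use every key in the keyManager.
        delegate.setMetadataTrustedKeys(new HashSet<>(
                Arrays.asList("idp-root-ca", "idp-intermediate-ca")));
        return delegate;
    }
}
```

The CA certificates are added to the keystore with keytool, e.g. `keytool -importcert -alias idp-root-ca -file root-ca.pem -keystore samlKeystore.jks`, once per certificate in the chain.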

0 answers:

No answers