我正在实施SAML2单一登出协议。
My Identity Provider使用HTTP-Redirect绑定向我发送注销请求。此请求的内容如下所示:
?SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9el5dVOv2Vf6L1nnTpmdPP%2fvo99%2bd3t%2b5f3BwsJ3t759v7x8c7G5nn%2b5Mth%2fe26f%2f7WXnDyaffpT%2bZF43RbX87KO98c5H6VnTrPOzZdNmy5Y%2b2tnd3cb%2f7r%2fZffBoZ%2ffR3sH44acHP%2fVR%2bpR6KZZZy2%2fO23bVPLp7dzUt2lne7O6Np3m9HE%2fnd4Hb3t3XL1%2bX1at8VtT5tL27yNvsuCyy5m6z%2big9qZZNjr7W9fJRlTVF82iZLfLmUTt99Pr4i%2bePCK1HU2n0aL1sVvm0OC%2fy2Ufpi6r9cvllfXze5nUP1U8F1V1C9d2iXDaPmEqbe1nVVVtNq%2fKjo8dMhlpe3fxS1jR5DTJ8dGTIYAZfVhfF8vFdgXX0%2bAW9e%2fY0fVbVi2zDeHfHu%2fxJMds%2b56aP8kVWlMezWZ03jQ7n1jiV66IZ19WsLi7W%2bQ%2fG54RatpzlP%2fg9FcnHdwWtI2Wj19QHvXhGbd4d%2ff47n%2b4d7O7dP99%2bcP7w%2fvb%2b3nS6nc0O8u3zWX7waZY%2f3JlM8sd3I2%2baDwOuPPp%2fAA%3d%3d&Signature=i1JxpKbaInBXsqTzPwG3E3NIPqCmK4mgLaYgUy%2fraNgscBBLLrQGObKm%2bLIu6Skh7iOb4r39HX6tCsq6p5CO97U7WfCwOnkJpgzAFjA0T9ByAzomh6LIC%2bpXGaINzhw2DPcv4cZYrUoSuEQl0OCaAAtYaarm%2f53qR0DMF5OhZkU%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
遵循OASIS安全断言标记语言(SAML)V2.0的绑定,我正在使用?SAMLRequest = value& SigAlg = value 字符串并尝试验证使用签名=值字符串。我正在使用的代码(JAVA)是:
// Retrieve the public key sent by the IdP
FileInputStream inputStream = new FileInputStream("/path/to/the/idp/sent/public/key");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate certificate = cf.generateCertificate(inputStream);
PublicKey publicKey = certificate.getPublicKey();
// Create the signature
Signature signature = Signature.getInstance("SHA256withRSA");
signature.initVerify(publicKey);
signature.update("SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9el5dVOv2Vf6L1nnTpmdPP%2fvo99%2bd3t%2b5f3BwsJ3t759v7x8c7G5nn%2b5Mth%2fe26f%2f7WXnDyaffpT%2bZF43RbX87KO98c5H6VnTrPOzZdNmy5Y%2b2tnd3cb%2f7r%2fZffBoZ%2ffR3sH44acHP%2fVR%2bpR6KZZZy2%2fO23bVPLp7dzUt2lne7O6Np3m9HE%2fnd4Hb3t3XL1%2bX1at8VtT5tL27yNvsuCyy5m6z%2big9qZZNjr7W9fJRlTVF82iZLfLmUTt99Pr4i%2bePCK1HU2n0aL1sVvm0OC%2fy2Ufpi6r9cvllfXze5nUP1U8F1V1C9d2iXDaPmEqbe1nVVVtNq%2fKjo8dMhlpe3fxS1jR5DTJ8dGTIYAZfVhfF8vFdgXX0%2bAW9e%2fY0fVbVi2zDeHfHu%2fxJMds%2b56aP8kVWlMezWZ03jQ7n1jiV66IZ19WsLi7W%2bQ%2fG54RatpzlP%2fg9FcnHdwWtI2Wj19QHvXhGbd4d%2ff47n%2b4d7O7dP99%2bcP7w%2fvb%2b3nS6nc0O8u3zWX7waZY%2f3JlM8sd3I2%2baDwOuPPp%2fAA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256".getBytes());
// Verify
if (signature.verify((new BASE64Decoder()).decodeBuffer("i1JxpKbaInBXsqTzPwG3E3NIPqCmK4mgLaYgUy%2fraNgscBBLLrQGObKm%2bLIu6Skh7iOb4r39HX6tCsq6p5CO97U7WfCwOnkJpgzAFjA0T9ByAzomh6LIC%2bpXGaINzhw2DPcv4cZYrUoSuEQl0OCaAAtYaarm%2f53qR0DMF5OhZkU%3d"))) {
System.out.println("Signature OK!!!");
} else {
System.out.println("Bad Signature!!!");
}
// Create the signature
Signature signature = Signature.getInstance("SHA256withRSA");
signature.initVerify(publicKey);
signature.update("SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9el5dVOv2Vf6L1nnTpmdPP%2fvo99%2bd3t%2b5f3BwsJ3t759v7x8c7G5nn%2b5Mth%2fe26f%2f7WXnDyaffpT%2bZF43RbX87KO98c5H6VnTrPOzZdNmy5Y%2b2tnd3cb%2f7r%2fZffBoZ%2ffR3sH44acHP%2fVR%2bpR6KZZZy2%2fO23bVPLp7dzUt2lne7O6Np3m9HE%2fnd4Hb3t3XL1%2bX1at8VtT5tL27yNvsuCyy5m6z%2big9qZZNjr7W9fJRlTVF82iZLfLmUTt99Pr4i%2bePCK1HU2n0aL1sVvm0OC%2fy2Ufpi6r9cvllfXze5nUP1U8F1V1C9d2iXDaPmEqbe1nVVVtNq%2fKjo8dMhlpe3fxS1jR5DTJ8dGTIYAZfVhfF8vFdgXX0%2bAW9e%2fY0fVbVi2zDeHfHu%2fxJMds%2b56aP8kVWlMezWZ03jQ7n1jiV66IZ19WsLi7W%2bQ%2fG54RatpzlP%2fg9FcnHdwWtI2Wj19QHvXhGbd4d%2ff47n%2b4d7O7dP99%2bcP7w%2fvb%2b3nS6nc0O8u3zWX7waZY%2f3JlM8sd3I2%2baDwOuPPp%2fAA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256".getBytes());
// Verify
if (signature.verify((new BASE64Decoder()).decodeBuffer("i1JxpKbaInBXsqTzPwG3E3NIPqCmK4mgLaYgUy%2fraNgscBBLLrQGObKm%2bLIu6Skh7iOb4r39HX6tCsq6p5CO97U7WfCwOnkJpgzAFjA0T9ByAzomh6LIC%2bpXGaINzhw2DPcv4cZYrUoSuEQl0OCaAAtYaarm%2f53qR0DMF5OhZkU%3d"))) {
System.out.println("Signature OK!!!");
} else {
System.out.println("Bad Signature!!!");
}
我总是收到消息 Bad Signature !!!
有什么想法吗?
答案 0 :(得分:1)
我没有对Signature值进行URL解码!!!
http://www.w3schools.com/tags/ref_urlencode.asp
还要注意URL编码的大写/小写:.net UrlEncode - lowercase problem
希望它有所帮助,
路易斯