I have configured my ADFS to send the signature in the response message. I have set up my relying party as shown below. Authentication works fine and I can log in to my SP. However, the response message does not contain the signature block. I tried with Keycloak and it works well: I can see the signature block in the response message. When I set the SP to require the response signature, I obviously get an error because that block is not in the response message.
What is the correct ADFS configuration to send the signature block in the response message?
Thanks for your help, I'm going crazy.
PS C:\Users\user01> Get-AdfsRelyingPartyTrust -name "XXXX"
AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : None
PublishedThroughProxy : False
SigningCertificateRevocationCheck : None
WSFedEndpoint :
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : {https://YYYY:8081/platform-5.3.x}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : 731cfe19-5fe3-eb11-9afb-0050568f44bf
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {[Subject]
CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR
[Issuer]
CN=ZZZZ, OU=adfsClient, O=TTTT, L=Paris, S=France, C=FR
[Serial Number]
44ECB0E72927002223D1E196D1019C7A6A4650C6
[Not Before]
20/07/2021 16:13:13
[Not After]
20/07/2022 16:13:13
[Thumbprint]
C52F394C2415805A889E767398165BB087125805
}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature : MessageOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public, Confidential
IssueOAuthRefreshTokensTo : AllDevices
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
ScopeGroupIdentifier :
DeviceAuthenticationMethod :
Name : XXXX
AutoUpdateEnabled : False
MonitoringEnabled : False
MetadataUrl :
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules :
IssuanceTransformRules : @RuleName = "Transform Domain User to User"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace(c.Value,
"(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 01/01/1900 00:00:00
LastMonitoredTime : 01/01/1900 00:00:00
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName : Permit everyone
AccessControlPolicyParameters :
ResultantPolicy : RequireFreshAuthentication:False
IssuanceAuthorizationRules:
{
Permit everyone
}
PS C:\Users\user01>
The saml:Response is always missing the signature block. It looks like this:
<samlp:Response ID="_b553abf5-da78-43a5-a8fc-d62adcb64ba8"
Version="2.0"
IssueInstant="2021-07-20T17:55:30.434Z"
Destination="https://YYYY:8081/platform-5.3.x/saml/sp/SSO/alias/continuity"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="ARQ3ef9427-e008-4b91-b023-3957c3737414"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://RRRR/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_c63056ec-28af-4d55-9732-567dfba0b1b8"
IssueInstant="2021-07-20T17:55:30.434Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>
<Issuer>http://RRRR/adfs/services/trust</Issuer>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user01</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ARQ3ef9427-e008-4b91-b023-3957c3737414"
NotOnOrAfter="2021-07-20T18:00:30.434Z"
Recipient="https://YYYY:8081/platform-5.3.x/saml/sp/SSO/alias/continuity"
/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2021-07-20T17:55:30.434Z"
NotOnOrAfter="2021-07-20T18:55:30.434Z"
>
<AudienceRestriction>
<Audience>https://YYYY:8081/platform-5.3.x</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2021-07-20T17:55:30.231Z"
SessionIndex="_c63056ec-28af-4d55-9732-567dfba0b1b8"
>
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
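An added check, not part of the question or of ADFS itself: it parses a SAML 2.0 Response and reports which elements carry a direct ds:Signature child, then compares that with what the ADFS SamlResponseSignature setting promises (MessageOnly signs the Response element, AssertionOnly the Assertion, MessageAndAssertion both). The sample responses are constructed, abridged forms of the one in the question; the placeholder Signature element is empty and only shows placement, and the function names are my own.

```python
# Added example (not from the original post): locate the XML Signature in a
# SAML 2.0 Response and compare with the ADFS relying-party setting
# SamlResponseSignature (MessageOnly / AssertionOnly / MessageAndAssertion).
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Which elements must carry a ds:Signature child for each ADFS setting value.
EXPECTED = {
    "MessageOnly": {"response"},
    "AssertionOnly": {"assertion"},
    "MessageAndAssertion": {"response", "assertion"},
}

def signature_locations(response_xml: str) -> set:
    """Return the elements ('response', 'assertion') that have a direct ds:Signature child."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    found = set()
    if root.find("ds:Signature", NS) is not None:      # find() matches direct children only
        found.add("response")
    for assertion in root.findall("saml:Assertion", NS):
        if assertion.find("ds:Signature", NS) is not None:
            found.add("assertion")
    return found

def check_against_setting(response_xml: str, setting: str) -> dict:
    """Compare what the response actually carries with what the ADFS setting promises."""
    expected = EXPECTED[setting]
    found = signature_locations(response_xml)
    return {"expected": expected, "found": found, "missing": expected - found, "ok": expected <= found}

# Constructed, abridged form of the response in the question: no signature anywhere.
UNSIGNED = """<samlp:Response ID="_r1" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://RRRR/adfs/services/trust</Issuer>
  <Assertion ID="_a1" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://RRRR/adfs/services/trust</Issuer>
  </Assertion>
</samlp:Response>"""

# Constructed response with a placeholder signature on the message (Response) level only,
# placed right after the Response-level Issuer as the SAML schema requires.
SIGNED_MESSAGE = UNSIGNED.replace(
    "trust</Issuer>", 'trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>', 1)

if __name__ == "__main__":
    for name, xml in (("unsigned", UNSIGNED), ("message-signed", SIGNED_MESSAGE)):
        print(name, check_against_setting(xml, "MessageOnly"))
```

Run it against the Response pasted above with the setting from Get-AdfsRelyingPartyTrust to see exactly which signature is missing; it only checks placement, not the signature's validity.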