使用spring security saml 2,即使我得到一个saml响应,我也会得到一个验证错误:Assert[_6d 73441 e-b 906 - 4c 63 - 95 be-57 cb 2f 50 b 030]缺少一个主题但是通过阅读saml响应(来自浏览器的saml跟踪程序),我看到该主题存在。
我在我的项目中使用spring security通过依赖方信任(saml)将我的应用程序配置为具有本地adfs的服务提供商。我在配置adfs时注册了auto spring元数据url,一切似乎都很好。我打开一个页面,被重定向到adfs登录页面,成功登录,得到一个似乎有效的回复。我希望响应被解析并允许访问。
我的WebSecurityConfig:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
@Autowired
private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
OpenSaml4AuthenticationProvider samlProvider = new OpenSaml4AuthenticationProvider();
samlProvider.setAssertionValidator(OpenSaml4AuthenticationProvider.createDefaultAssertionValidator());
samlProvider.setResponseValidator(OpenSaml4AuthenticationProvider.createDefaultResponseValidator());
ProviderManager providerManager = new ProviderManager(
samlProvider);
http
.authorizeRequests(authorize -> authorize
.antMatchers("/actuator/**",
"/",
"/favicon.ico",
"/saml/**",
"/saml2/**",
"/login/**").permitAll()
.anyRequest().authenticated())
.saml2Login(//Customizer.withDefaults())
saml2 -> saml2
.authenticationManager(providerManager))
.exceptionHandling().and().csrf().disable();
return http.build();
}
@Bean
public Saml2MetadataFilter saml2MetadataFilter(){
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver
= new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter =
new Saml2MetadataFilter((RelyingPartyRegistrationResolver) relyingPartyRegistrationResolver,
new OpenSamlMetadataResolver());
return filter;
}
}Spring特性:
security:
saml2:
relyingparty:
registration:
adfs:
signing:
credentials:
- private-key-location: classpath:local_uat.key
certificate-location: classpath:local_uat.crt
singlelogout:
binding: POST
response-url: "{baseUrl}/logout/saml2/slo"
assertingparty:
metadata-uri: "classpath:metadata/metadata-idp.xml"metadata-idp.xml从adfs url加载:federationmetadata/2007-06/federationmetadata.xml
local_uat crt和key由openssl生成(时长仅30天)进行测试。
所以我发送一个SAML请求:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://uat.mysite.gr/login/saml2/sso/adfs" Destination="https://adfs.uat.gr/adfs/ls/" ID="ARQ64a82b5-c9ca-469f-8454-f104b6a64203" IssueInstant="2023-05-02T08:36:39.462Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://uat.mysite.gr/saml2/service-provider-metadata/adfs</saml2:Issuer>
</saml2p:AuthnRequest>并返回响应:
<samlp:Response ID="_1b7a62c5-f685-44d9-95e6-0ae56668a5ad" Version="2.0" IssueInstant="2023-05-02T08:36:42.664Z" Destination="https://uat.mysite.gr/login/saml2/sso/adfs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ARQ64a82b5-c9ca-469f-8454-f104b6a64203" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.uat.gr/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_8373485d-0032-4a85-86a9-321ebc8aa930" IssueInstant="2023-05-02T08:36:42.664Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://adfs.uat.gr/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_8373485d-0032-4a85-86a9-321ebc8aa930">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>d29FavJeo786EfUj9HfZieHj6cx2kuB0JTM9gfKzvqc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jPyA/+Sy7ibHmk4wexBZ07VPjbI/4AVu/+fmlDVDF8AF6eRz2+cOi2uNWKAqeRmVQX6hR8fEcMnJ4Zt6rCYnRVGESjla8zS2lvXnqEQ4+ewnx6j0ozgiRL1IGUsLzwM9e5xhe63ujencz/qrm6ikV/RNddLbDMNtSAP7jkaGXe7QKxjf51Inmv+VbsHu2VB3wfF0BGuK2BWDKxFyMz5/6cu2W6fqxsURa3nen7CA9j7WA7pnS+cqp0/dBO8rsbf23yygXRi3w0SQmUnfj9TKEXSCbI4Sg/V/BK120RhoRxTXB/lRsU87jKM2aIm9d/HTdH5ZUu3kBdE0mhwt+RhBog==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC2DCCAcCgAwIBAgIQZYNcVyIKPopPizXZ54YprDANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBhZGZzLnVhdG90ZS5ncjAeFw0yMzA0MDUyMTUwMTRaFw0yNDA0MDQyMTUwMTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGFkZnMudWF0b3RlLmdyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwK2x33WajCQ72Yr7EGsBUNPeNsFhRHCDMVr5ShuAEfgN0VYepfxyYSUuNEPf3LI+lyRJ8jIvrizlN2gksXPh5TkJRp4q+XzKyOyQrBFDAleiW0T+FJifw2nlI3RoWGGl/4OHD8B5JLueoW7HxI88xLeT55i5O1DxCvRALOr5Raci/gnVC6FEDiMwYmxWNJ7PB78Mb5jTXnNQfBM5xWTmhQze5TrFpehOfOEA0tLwclSrPi7Qevko1Mr4eHmtUmGt+fkEbo8hdsQnd/ELHr8oSlH71gFhEogcfNrNMvMzxu1BCqXiEiZYPmWgcQW79OtZJwus7YJewbIqdzLnEr8GhQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAQam01Iha0thgVa4iFwZLVA7H2ZR2eO1jVLyu4k125YRXMgKZSNVic1yHhT8Lq5ghW9CX4Ofag6o00cQXLc4nv9A1NpRo2glm0wE+6HJKmKfx/GMhLm+jGGZUDWHcdiIx9zOfIGUSx8X96KP9B2w8/bkQrc5OArK4rLO/polSgv5UB5Tpam/wzy/5yTc1L8DiRm3GdslEkYrfRoOotkaM4YWYVsJdQgtQsx66M4NhsWmQmC6ZTPl06ikCKmGPgoE7P+hUH3i5aUSo8/NDMPs6JL2LtedZdklkhvDnbggLvfgRcV3fQOOlrLtMQmNVXUkZcAvAVf2nDQivjyBEe6N/2</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ARQ64a82b5-c9ca-469f-8454-f104b6a64203" NotOnOrAfter="2023-05-02T08:41:42.664Z" Recipient="https://uat.mysite.gr/login/saml2/sso/adfs" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2023-05-02T08:36:42.664Z" NotOnOrAfter="2023-05-02T09:36:42.664Z">
<AudienceRestriction>
<Audience>https://uat.mysite.gr/saml2/service-provider-metadata/adfs</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn">
<AttributeValue>userkerbtest@uat.gr</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2017/04/identity/claims/riskscore" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue>notevaluated</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2017/04/identity/claims/accountthrottled" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue b:type="tn:boolean" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">false</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsproviders">
<AttributeValue>FormsAuthentication</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>userkerbtest@uat.gr</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid">
<AttributeValue>S-1-5-21-573170609-2490837561-1058330354-513</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid">
<AttributeValue>S-1-5-21-573170609-2490837561-1058330354-3707</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>UAT\userkerbtest</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
<AttributeValue>UAT\userkerbtest</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid">
<AttributeValue>S-1-5-21-573170609-2490837561-1058330354-513</AttributeValue>
<AttributeValue>S-1-1-0</AttributeValue>
<AttributeValue>S-1-5-32-545</AttributeValue>
<AttributeValue>S-1-5-2</AttributeValue>
<AttributeValue>S-1-5-11</AttributeValue>
<AttributeValue>S-1-5-15</AttributeValue>
<AttributeValue>S-1-5-21-573170609-2490837561-1058330354-2052</AttributeValue>
<AttributeValue>S-1-5-21-573170609-2490837561-1058330354-1614</AttributeValue>
<AttributeValue>S-1-5-21-0-0-0-497</AttributeValue>
<AttributeValue>S-1-18-2</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.58</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue>/adfs/ls/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue b:type="tn:boolean" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">true</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue>3778d7f8-cb2f-4308-8103-0080000000d1</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue>10.136.113.23</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/2014/09/requestcontext/claims/userip" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<AttributeValue>10.136.113.23</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2023-05-02T08:36:42.430Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>然而,正如所描述的Spring我看到:
Assertion [_8373485d-0032-4a85-86a9-321ebc8aa930] is missing a subject和依赖关系:
<properties>
<xmlsectool.version>3.0.0</xmlsectool.version>
<opensaml.version>4.2.0</opensaml.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.7.11</version>
</dependency>
<dependency>
<groupId>org.springframework.security.kerberos</groupId>
<artifactId>spring-security-kerberos-web</artifactId>
<version>1.0.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security.kerberos</groupId>
<artifactId>spring-security-kerberos-client</artifactId>
<version>1.0.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-saml2-service-provider</artifactId>
<version>5.8.3</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>5.8.3</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-core</artifactId>
<version>${opensaml.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-api</artifactId>
<version>${opensaml.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-impl</artifactId>
<version>${opensaml.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-soap-api</artifactId>
<version>${opensaml.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-xmlsec-api</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-security-api</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-security-impl</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-profile-api</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-profile-impl</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-messaging-api</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-messaging-impl</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-storage-impl</artifactId>
<version>${opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-xmlsec-impl</artifactId>
<version>${opensaml.version}</version>
</dependency>
<!--dependency>
<groupId>net.shibboleth.tool</groupId>
<artifactId>xmlsectool</artifactId>
<version>${xmlsectool.version}</version>
</dependency-->
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
<version>2.4.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
<version>2.7.10</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
</dependencies>
1条答案
按热度按时间gojuced71#
所以在搜索了spring安全类之后,我发现Spring Security 与saml规范不一致,saml规范将subject的nameid元素作为可选元素。因此,当我们的adfs管理员更改返回的声明并在subject元素中添加一个nameid时,一切都正常。