我正在实现单一登录解决方案的服务提供商端。我们使用的是PHP和Onelogin提供的samlphp库。一切都很顺利。用户可以尝试访问我们的服务,并被重定向到IDP登录。一旦他们登录到那里,他们就会被重定向回我们的网站。
这就是问题发生的地方。一旦回到我们的网站,我们就会收到一个错误。。。
<Entry reference="REF_56dea40aa6419" TimeStamp="2016/03/08 12:06:02" Category="Exception" Type="Error"><![CDATA[
Description Failure decrypting Data
File Library/SSO/OneLogin/extlib/xmlseclibs/xmlseclibs.php
Line 357
Class Exception
Stack
UI Business console
User -
Code 0
When 2016/03/08 12:06:02
URL called https://stage.icky-yuk.co.za/?acs
Referred by https://signon.blarg.co.za/adfs/ls/?SAMLRequest=hVNdrxIxEH038T%2BQfWc%2FgYsNYBD8IEEggD74YsZ2gCbddu10vVx%2Fvd2l5KJR7MsmM3NOzzmdHRGUqmLT2p30Fr%2FXSO7li44%2F51JpYm13HNVWMwMkiWkokZjjbDf9uGR5nLLKGme4UdGfuPswIELrpNEBt5iPo%2FXq7XL9frH6iv2ByDjvwzDvYZr3Hl7lw%2F6gKHp9gCLvpUWRP4iC5wH7GS15pnHkiX0pEBLVuNDkQDvfSbNBNy266XCfpSwdsDT7EtBz71lqcC3DybmKWJKQPGqjY6NEWbsaVMxN%2FBMSEAdKFCUBugne30gtpD7ed%2FztMkTsw36%2F6W7Wu31gmV6jmBlNdYl2h%2FaH5Phpu7wR5OCIsbHyKDU9kcOSgqbXwCmaXKhGTfCstW4n%2F4eW6ECAg7g6VaPkFntDV7GV97KYb4yS%2FOnSaM47Y0tw%2F%2FacxVlbkaJ7aEcZliDVVAiLRNEz0VQp8zizCA7HkbM1Rp3kdwFhM1G0e%2Bpjcnh2nZkpK7CSmnfDM3B3TeE5idv5mfI7t8XD5O5acsabOV%2Fe%2BM%2BjsaJ5ZOT%2B8r0FTZWxLkT1V%2FKgO7kj3M9c%2B7f%2F3eQX&RelayState=https%3A%2F%2Fstage.icky-yuk.co.za%2F
]]></Entry>
我们在SAML工具包中使用的元数据如下。它是数组形式的,但我把它吐出来是json编码的,这样更容易阅读。
{
"sp": {
"entityId": "https:'/'/stage.icky-yuk.co.za'/metadata.php",
"assertionConsumerService": {
"url": "https:'/'/stage.icky-yuk.co.za'/?acs"
},
"singleLogoutService": {
"url": "https:'/'/stage.icky-yuk.co.za'/?slo"
},
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
},
"idp": {
"entityId": "http:'/'/signon.blarg.co.za'/adfs'/services'/trust",
"singleSignOnService": {
"url": "https:'/'/signon.blarg.co.za'/adfs'/ls'/",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"singleLogoutService": {
"url": "https:'/'/signon.blarg.co.za'/adfs'/ls'/",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"x509cert": "MIIC6DCCAdCgAwIBAgIQWs7JU0DcbYBHCIni'/zAt'/jANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBzaWdub24ub2xkbXV0dWFsLmNvLnphMB4XDTE1MDkyMzEzMTIzNloXDTE2MDkyMjEzMTIzNlowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gc2lnbm9uLm9sZG11dHVhbC5jby56YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALlEeD4FX2CxAjacT+EJKbOFcAy604yvSPjy2NjKhjqGBeiJ4NLP4YKU28cEVa11IjqN18GE7bsk8wmA6yXEcAXgJs869fj1ZIXXil06DMSB4eUD0CaERpUSt7o6JR15kdmOEHq9tQp'/rAYoux3rSKBjmdZQlYeUTe13jfabrov3ftvWX6lTOUpZuJ2t61yCyxNNMN9pp0RlfYP8M03kq2boAoUxbYSxf'/Kpli0HrkRxtBaBiwy9TyVNjyY39ItHgAr'/gUA4vnAZj0kmSZwAc7gS6IXVbqo0A50yARzz'/6yrvMhkiFaJxFhwqck2hvoBWKwVBSSjozmDYw++gNUstj0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEArSA6CrhdDvJXX120n0RJesumZAGHWBdb9NpE8p6hBq5gE0BcJm8lp'/PvgAyY+ZkZVpQEXv05q4po4FkkV2NcsyLHWzZ3S'/7OrleblqUIGm83a9o9mko6RuPrxdVpiwnatDAdV8gzebcr2OvedXGvkNJryblxkW7Gepoh8iPo9pFQ78NMoTGia+eLb+PtkuSV5yqtSSi9ggk8mdO+L9rZxrc9Uvkod+FLbtFg0DClsN5b3qvzd00UDmmbQfvSVGB40UGC5KqmJGSXrXSk6jUokm+h2VOUNSDyArMuiRtyFNrfY8GrWCc5Kz'/3ACuzEEhhTwD+67+qJH5jDD7KTDPQ'/w=="
}
}
我已经仔细检查了x509认证,它很好。我承认,无论如何,我都不是SAML或单点登录专家。我显然在这里忽略了什么。除了证书之外,加密还有其他组件吗?我不知道该往哪里看了。
如果IdP正在发送加密的SAML响应,为什么在提供的设置的"sp"部分没有公钥证书私钥?:"x509cert"answers"privateKey"
或者您将它们定义为cert文件夹中的文件?
SP x509cert必须与IdP共享以加密断言(SP将使用SP私钥解密)。
p.S我无法解码SAMLRequest,但它似乎是LogoutRequest。。与接收到的假定SAMLR响应无关。