我正在做一个项目,基本上已经到了不知道该怎么做才能走得更远的地步。
尝试与供应商合作,使用SAML设置SSO进程。目前,我们正在手工完成这一过程,因为我们没有像SimpleSAMLPHP那样实现的解决方案。
为了测试此过程,我们将SimpleSAMLPHP设置为服务提供商。这对我们的测试阶段有很大帮助,但我们目前遇到了这个错误:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /portal/server/htdocs/saml/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Neither the assertion nor the response was signed.
Backtrace:
3 /portal/server/htdocs/saml/modules/saml/lib/Message.php:554 (sspmod_saml_Message::processAssertion)
2 /portal/server/htdocs/saml/modules/saml/lib/Message.php:518 (sspmod_saml_Message::processResponse)
1 /portal/server/htdocs/saml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /portal/server/htdocs/saml/www/module.php:135 (N/A)
这是我们发送给SP的SAML请求,看看我们是否可以进行身份验证。
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="efmlkhlddlofoifkbikjkbemicpndhjingeioamb" Version="2.0" IssueInstant="2014-04-14T15:09:50Z" Destination="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm" Version="2.0" IssueInstant="2014-04-14T15:09:50Z">
<saml:Issuer>https://mydevl.mediumuniversity.edu/portal/services/academicworks/process_response.php</saml:Issuer>
<saml:Subject>
<saml:NameID SPNameQualifier="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">123456789</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-04-14T15:19:50Z" Recipient="https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_bf9dc3aa65b9899c565fdc153cefe40c06c1209229"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-04-14T15:04:50Z" NotOnOrAfter="2014-04-14T15:19:50Z">
<saml:AudienceRestriction>
<saml:Audience>https://mytest.mediumuniversity.edu/saml/www/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-04-14T15:09:50Z" SessionNotOnOrAfter="2014-04-14T16:09:50Z" SessionIndex="hkckflaackcdmckckpipgjpdgdlhmiieclpigaij">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="eagleID" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<saml:AttributeValue xsi:type="xs:string">123456789</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<saml:AttributeValue xsi:type="xs:string">cwsterling@mediumuniversity.edu</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm"><ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>p/aLBlix/UI0oNiHgg4t5fgkwJg=</ds:DigestValue></ds:Reference> </ds:SignedInfo> <ds:SignatureValue>AsVSwH8mVNHhOak3z2A9j8F/1Q67Yuw472K9BI649EUePdT8QOCW/+BTS+OG+CM++Yn1J7ceT+pwYvOLMr5HFcUcdr8VMZNfPuk2oefs4afK8BpP2ndskPlGhfFx7UlkdXdu41dzWMJeaULo1KfcHtKF0e1ZgObucN3GCNDs97s=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data> <ds:X509Certificate>MIIC2DCCAkGgAwIBAgIJAMCu9vwLblc3MA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTETMBEGA1UEBwwKU3RhdGVzYm9ybzEkMCIGA1UECgwbR2VvcmdpYSBTb3V0aGVybiBVbml2ZXJzaXR5MSgwJgYDVQQLDB9FbnRlcnByaXNlIEFwcGxpY2F0aW9uIFNlcnZpY2VzMB4XDTE0MDMyNTEyMjg1NVoXDTE0MDQyNDEyMjg1NVowgYQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdHZW9yZ2lhMRMwEQYDVQQHDApTdGF0ZXNib3JvMSQwIgYDVQQKDBtHZW9yZ2lhIFNvdXRoZXJuIFVuaXZlcnNpdHkxKDAmBgNVBAsMH0VudGVycHJpc2UgQXBwbGljYXRpb24gU2VydmljZXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANN71CK2aSfTTd63cEkhG/DlpIOMtkUTLQLRfUFZ1U5RX8TA0NcmVMwJcIKVHllsJiwNZBl2RT/GUb+1PwLUkiUxFNZ6eT1qQ6t8SaPosv40ofnD4AXEGwG5Rzx3BvBSuz+viCc8/yjNY4RqSQ/wS34tMd0Eu9Z+Q6MZsmVmBWefAgMBAAGjUDBOMB0GA1UdDgQWBBS46JUAvJGsu79wMjdba7q3iOQ3xTAfBgNVHSMEGDAWgBS46JUAvJGsu79wMjdba7q3iOQ3xTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL+iVErbdU6lCISWWE7Dr3efaDAhyAxQVU/nLIi8aHvniQCQ6uACQhkQbfZpRdB6cbBDKzzsZD2pqIwY+N/yeomyRhpGqw0Y+q3Wa5tOoyY/AheCfqfRgVSfWkNFLv8Ri4G5Gz+2PJeMuZq4aJ5II/m0OUCn+84OOXDBiPs8+K</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>
现在,在为代码格式化时,我错误地在其中添加了几个额外的空格。
我正在用这个PHP库对SAML文件进行签名:https://code.google.com/p/xmlseclibs/并使用以下代码:
$doc = new DOMDocument();
$doc->load($tempFileName);
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
/* load private key */
$objKey->loadKey( $privKey, TRUE);
$objDSig->sign($objKey);
/* Add associated public key */
$objDSig->add509Cert(file_get_contents('gsukeys/academicworks_pub.pem'));
$objDSig->appendSignature($doc->documentElement);
$doc->save($tempFileName.'.out');
我会说,如果我没有这条线的最后一部分
$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true,'uri_context'=>$encHash1));
特别是, array('force_uri' => true,'uri_context'=>$encHash1)
,服务提供商看到该文件并成功地验证了我的请求。
关于如何创建要发送的文件,有什么建议吗?我们不想将SimpleSAMLPHP作为我们的登录,因为这需要更改我们的整个登录过程,我们已经在夏天更改了整个登录过程以与CAS集成。
编辑以澄清我所做的更改是如何使其发挥作用的。
当我告诉它去掉引用URI部分时,它就去掉了这个:URI="#llgkdlffdpoobdkjfkgjcabphgifgfgbammdibjm"
,不再指向文档中已签名的特定部分。所以我觉得要么整个文档都被签名了,要么签名只是被添加到文档中,SimpleSAMLPHP只是忽略了签名。
编辑2:我忘了更新这个,我最终找到了这个代码:http://michaelseiler.net/2013/08/23/cas-and-google-sso-integration/这真的帮助了我,在两次尝试后我能够做我想做的事。
您可以考虑使用lightsaml库。使用断言进行签名响应看起来类似于以下
$response = new Response();
$response->setID(Helper::generateID());
$response->setInResponseTo($request->getID());
$response->setIssueInstant(time());
$response->setDestination($destination);
$assertion = new Assertion();
$response->addAssertion($assertion);
$subject = new Subject();
$assertion->setSubject($subject);
$assertion->setNameID(NameID($username, NameIDPolicy::PERSISTENT));
$subjectConfirmation = new SubjectConfirmation();
$subject->addSubjectConfirmation($subjectConfirmation);
$subjectConfirmation->setMethod(Protocol::CM_BEARER);
$data = new SubjectConfirmationData();
$subjectConfirmation->setData($data);
$data->setInResponseTo($request->getID());
$data->setNotOnOrAfter(time()+$this->expirationTime);
$data->setRecipient($recipient);
$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time()+$this->expirationTime);
$assertion->setValidAudience(array($request->getIssuer()));
$authnStatement = new AuthnStatement();
$authnStatement->setAuthnContext($this->authnContextClassRef);
$assertion->setAuthnStatement($authnStatement);
$assertion->addAttribute(new Attribute(ClaimTypes::COMMON_NAME, array('username'), 'Common Name'));
$signatureCreator = new SignatureCreator();
$signatureCreator->setXmlSecurityKey($xmlSecKey);
$signatureCreator->setCertificate($certificate);
$response->setSignature($signatureCreator);
$bindingManager = new BindingManager();
$r = $bindingManager->send($response);
$r->render();