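The PingFederate server responds with a "Signature required" error for SP-initiated SSO, even though we are sending a signature value in the SAML authentication request. PingFederate: "Signature required" error for SP-initiated login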
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://mycompany.com/</saml:Issuer>
<ds:Signature Id="Signature1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-1305fe524135c3980b2446c10dec5f08">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>PgekvX9t5tSi2t……..KMSXBPFMlhjcpk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>m0/……………….J5bmNQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MII………………o6jkYDUjhprKdQ+m4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
This is the request I send to PingFederate. I have shortened the signature value and certificate for readability. PingFederate rejects this request with the following SAML response:
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<samlp:StatusMessage>Signature required</samlp:StatusMessage></samlp:Status>
Logs from PingFederate:
2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.websso.servlet.ProtocolControllerServlet] [qtp2106609649-286] ---REQUEST (GET)/idp/SSO.saml2 from 123.123.123.3:
---PARAMETERS---
SAMLRequest:
3VZJl6LYEt7nr/BYi1p4U……<shortened request for readability>…….zdsjP10u10KWIGwjw6it3/9v4/+l78B
RelayState:
/myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.BindingFactory] [qtp2106609649-286] GET
with Params: [SAMLRequest, RelayState]
assume binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
from: 123.123.123.3
Referer: https://mycompany.com/saml2/login/?email=user1%40myidp.com&tenantIdentifier=undefined
AuthType: null
Content-Type: null
2017-11-21 13:27:17,225 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Received InMessageContext:
InMessageContext
XML: https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
https://mycompany.com/
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmlenc#sha256"/>
PgekvX9t5tSi2t/………………J5bmNQ==
MIIDpjCC……………………Q+m4=
entityId: https://mycompany.com/ (SP)
virtualServerId: XYZSSO2.0
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
SignatureStatus: NOT_PRESENT
Binding says to sign: true
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [qtp2106609649-286] [cross-reference-message] entityid:null subject:null
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] [qtp2106609649-286] Exception occurred during request processing
org.sourceid.saml20.profiles.StatusResponseException: Signature required
……..
…….
2017-11-21 13:27:17,251 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-286] flush cookies: adding Cookie{PF=hashedValue:pSs3mUSSSSSSSSSSSSSSSXLK4; path=/; maxAge=-1; domain=null}
2017-11-21 13:27:17,252 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Transported Response. OutMessageContext:
OutMessageContext
XML: https://mycompany.com/saml2/acs/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
XYZSSO2.0
http://www.w3.org/2000/09/xmldsig#">
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
http://www.w3.org/2001/10/xml-exc-c14n#"/>
http://www.w3.org/2001/04/xmlenc#sha256"/>
vRc7z0pcj5wzfn/………….UV3nYqUjgsnwHx9tziUqFwmAI=
Signature required
entityId: https://mycompany.com/ (SP)
virtualServerId: XYZSSO2.0
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/
Endpoint: https://mycompany.com/saml2/acs/
SignaturePolicy: BINDING_DEFAULT
2017-11-21 13:27:18,348 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-101] adding lazy cookie Cookie{PF=hashedValue:E0oc11111111111111VkfIwa0I; path=/; maxAge=-1; domain=null} replacing null
2017-11-21 13:27:18,348 tid:E0oc11111111111111VkfIwa0I DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] [qtp2106609649-101] GET: https://idp.com/idp/startSSO.ping
We need help on how to fix this issue, including any knobs/flags we can set in PingFederate to make it work.
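The log above records a GET carrying only SAMLRequest and RelayState, an assumed HTTP-Redirect binding, and SignatureStatus: NOT_PRESENT; in the SAML 2.0 HTTP-Redirect binding the signature travels as SigAlg and Signature query parameters computed over the query string, not as an embedded ds:Signature element. The following is an added example, not part of the original post and not PingFederate code, that inspects such a redirect URL and builds the string that binding signs. The host idp.example, the sample XML and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_redirect(xml):
    """Raw DEFLATE (no zlib header) then base64: the HTTP-Redirect message encoding."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def inspect_redirect_url(url):
    """Report where a GET-delivered SAMLRequest carries a signature, if anywhere."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)  # diagnostic use on your own SP's output only
    return {
        "params": sorted(params),
        "embedded_ds_signature": root.find(f"{{{DSIG_NS}}}Signature") is not None,
        "query_signature": "Signature" in params and "SigAlg" in params,
    }

def signing_input(saml_request_b64, relay_state=None, sig_alg=RSA_SHA256):
    """Octets the SP signs for HTTP-Redirect; the result goes in the Signature parameter."""
    parts = ["SAMLRequest=" + quote(saml_request_b64, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts).encode()

# Constructed sample: an AuthnRequest with an embedded (dummy) ds:Signature,
# sent by GET with only SAMLRequest and RelayState, as in the log above.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:ds="{DSIG_NS}" ID="id-constructed" Version="2.0">'
    "<ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>"
    "</samlp:AuthnRequest>"
)
SAMPLE_RELAY = "/myAppDashboard/index.html"
SAMPLE_URL = ("https://idp.example/idp/SSO.saml2?SAMLRequest="
              + quote(encode_redirect(SAMPLE_XML), safe="")
              + "&RelayState=" + quote(SAMPLE_RELAY, safe=""))

if __name__ == "__main__":
    print(inspect_redirect_url(SAMPLE_URL))
    print(signing_input(encode_redirect(SAMPLE_XML), SAMPLE_RELAY))
```
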