2017-11-24 18 views
0

PingFederate: SP-initiated login fails with a "Signature required" error. The PingFederate server responds to my SP-initiated SSO with a "Signature required" error, even though I am sending a signature value in the SAML authentication request.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://mycompany.com/</saml:Issuer>
    <ds:Signature Id="Signature1">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id-1305fe524135c3980b2446c10dec5f08">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>PgekvX9t5tSi2t……..KMSXBPFMlhjcpk=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>m0/……………….J5bmNQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MII………………o6jkYDUjhprKdQ+m4=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

I have shortened the signature values and the certificate for readability. The above is the request that I send to PingFederate. The PingFederate log shows that PingFederate rejects this request with the following SAML response status:

<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
    <samlp:StatusMessage>Signature required</samlp:StatusMessage>
</samlp:Status>

The PingFederate log for this rejected request follows:

2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.websso.servlet.ProtocolControllerServlet] [qtp2106609649-286] ---REQUEST (GET)/idp/SSO.saml2 from 123.123.123.3: 
---PARAMETERS--- 
SAMLRequest: 
3VZJl6LYEt7nr/BYi1p4U……<shortened request for readability>…….zdsjP10u10KWIGwjw6it3/9v4/+l78B 
RelayState: 
/myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/ 
2017-11-21 13:27:17,222 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.BindingFactory] [qtp2106609649-286] GET 
with Params: [SAMLRequest, RelayState] 
assume binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
from: 123.123.123.3 
Referer: https://mycompany.com/saml2/login/?email=user1%40myidp.com&tenantIdentifier=undefined 
AuthType: null 
Content-Type: null 
2017-11-21 13:27:17,225 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Received InMessageContext: 
InMessageContext 
XML: https://mycompany.com/saml2/acs/" Destination="https://idp.com/idp/SSO.saml2" ID="id-1305fe524135c3980b2446c10dec5f08" IssueInstant="2017-11-21T18:27:17Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="My Service" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> 
https://mycompany.com/</saml:Issuer> 
http://www.w3.org/2001/10/xml-exc-c14n#"/> 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
http://www.w3.org/2001/10/xml-exc-c14n#"/> 
http://www.w3.org/2001/04/xmlenc#sha256"/> 
PgekvX9t5tSi2t/………………J5bmNQ== 
MIIDpjCC……………………Q+m4= 
entityId: https://mycompany.com/ (SP) 
virtualServerId: XYZSSO2.0 
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/ 
SignatureStatus: NOT_PRESENT 
Binding says to sign: true 
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [qtp2106609649-286] [cross-reference-message] entityid:null subject:null 
2017-11-21 13:27:17,226 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 ERROR [org.sourceid.saml20.profiles.idp.HandleAuthnRequest] [qtp2106609649-286] Exception occurred during request processing 
org.sourceid.saml20.profiles.StatusResponseException: Signature required 
…….. 
……. 
2017-11-21 13:27:17,251 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-286] flush cookies: adding Cookie{PF=hashedValue:pSs3mUSSSSSSSSSSSSSSSXLK4; path=/; maxAge=-1; domain=null} 
2017-11-21 13:27:17,252 tid:pSs3mUSSSSSSSSSSSSSSSXLK4 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] [qtp2106609649-286] Transported Response. OutMessageContext: 
OutMessageContext 
XML: https://mycompany.com/saml2/acs/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> 
XYZSSO2.0 
http://www.w3.org/2000/09/xmldsig#"> 
http://www.w3.org/2001/10/xml-exc-c14n#"/> 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
http://www.w3.org/2001/10/xml-exc-c14n#"/> 
http://www.w3.org/2001/04/xmlenc#sha256"/> 
vRc7z0pcj5wzfn/………….UV3nYqUjgsnwHx9tziUqFwmAI= 
Signature required 
entityId: https://mycompany.com/ (SP) 
virtualServerId: XYZSSO2.0 
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 
relayState: /myAppDashboard/index.html?sso_user=user1%40myidp.com&tenant_domain=xyz.com#/ 
Endpoint: https://mycompany.com/saml2/acs/ 
SignaturePolicy: BINDING_DEFAULT 
2017-11-21 13:27:18,348 DEBUG [org.sourceid.servlet.HttpServletRespProxy] [qtp2106609649-101] adding lazy cookie Cookie{PF=hashedValue:E0oc11111111111111VkfIwa0I; path=/; maxAge=-1; domain=null} replacing null 
2017-11-21 13:27:18,348 tid:E0oc11111111111111VkfIwa0I DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] [qtp2106609649-101] GET: https://idp.com/idp/startSSO.ping 

We need help on how to fix this issue, or on any knob/flag we can set in PingFederate to make it work.

Answer

0

It looks like PingFed expects your message via the Redirect Binding (you are making a GET request), but you are including the signature the way you would for the POST binding.
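As an added example (not code from the question, the answer, or PingFederate), the following Go program shows what the answer's distinction means in practice. Over the HTTP-Redirect binding the enveloped ds:Signature inside the XML is not what the IdP checks; the request is DEFLATE-compressed and base64-encoded into SAMLRequest, and the SP signs the URL-encoded SAMLRequest, RelayState and SigAlg query parameters, sending the result as a Signature parameter. The program builds such a query with RSA-SHA256 and also runs the IdP-side check, which, like the log above ("SignatureStatus: NOT_PRESENT", "Binding says to sign: true"), rejects a query with no Signature parameter with "Signature required", rejects a tampered RelayState, and refuses any SigAlg other than the expected one. The AuthnRequest, the example hosts (sp.example, idp.example), the request ID and the RSA key are constructed for this example; the RelayState path is the one from the question's log.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SigAlg URI for RSA-SHA256, the algorithm the question's request used inside its XML.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed, shortened AuthnRequest (example hosts) that still carries an enveloped ds:Signature.
const SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="id-example" Version="2.0" IssueInstant="2017-11-21T18:27:17Z" Destination="https://idp.example/idp/SSO.saml2"><saml:Issuer>https://sp.example/</saml:Issuer><ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></samlp:AuthnRequest>`

var envelopedSig = regexp.MustCompile(`(?s)<ds:Signature\b.*?</ds:Signature>`)

// StripEnvelopedSignature drops the XML-DSig element; over Redirect the signature rides in the query string.
func StripEnvelopedSignature(xml string) string {
	return envelopedSig.ReplaceAllString(xml, "")
}

// DeflateBase64 applies the Redirect-binding encoding: raw DEFLATE, then base64.
func DeflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // a constant valid level never errors
	_, _ = w.Write([]byte(xml))                             // writing into a bytes.Buffer never errors
	_ = w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// SignedString is the exact octet string the binding signs:
// URL-encoded SAMLRequest, RelayState (only when present) and SigAlg, in that order.
func SignedString(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// BuildRedirectQuery produces the query string the SP sends on its GET to the IdP.
func BuildRedirectQuery(xml, relayState string, key *rsa.PrivateKey) (string, error) {
	toSign := SignedString(DeflateBase64(StripEnvelopedSignature(xml)), relayState, SigAlgRSASHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the IdP-side check. It works on the raw query octets as received,
// not on re-encoded values, because a different encoder could change what was signed.
func VerifyRedirectQuery(rawQuery string, pub *rsa.PublicKey) error {
	raw := map[string]string{} // param name -> "name=value" exactly as it arrived
	for _, p := range strings.Split(rawQuery, "&") {
		raw[strings.SplitN(p, "=", 2)[0]] = p
	}
	if _, ok := raw["Signature"]; !ok {
		return errors.New("Signature required") // the status the question's IdP returned
	}
	sigAlg, _ := url.QueryUnescape(strings.TrimPrefix(raw["SigAlg"], "SigAlg="))
	if sigAlg != SigAlgRSASHA256 {
		return fmt.Errorf("unsupported SigAlg %q", sigAlg) // never let the sender pick the algorithm
	}
	toSign := raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok {
		toSign += "&" + rs
	}
	toSign += "&" + raw["SigAlg"]
	sigB64, _ := url.QueryUnescape(strings.TrimPrefix(raw["Signature"], "Signature="))
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(toSign))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	q, _ := BuildRedirectQuery(SampleAuthnRequest, "/myAppDashboard/index.html", key)
	fmt.Println("valid:", VerifyRedirectQuery(q, &key.PublicKey))
	fmt.Println("tampered:", VerifyRedirectQuery(strings.Replace(q, "myAppDashboard", "other", 1), &key.PublicKey))
	fmt.Println("unsigned:", VerifyRedirectQuery(q[:strings.Index(q, "&Signature=")], &key.PublicKey))
}
```

The first call prints a nil error, the other two print the failures. Note that the verifier keeps the parameters exactly as they arrived rather than decoding and re-encoding them: the signature covers the URL-encoded octets, so any re-encoding on the IdP side that differs from the SP's (for example `+` versus `%20`) would break a valid signature. Whether the IdP should require the signature at all is its per-SP "Binding says to sign" policy, which is what PingFederate reports in the log above.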