The signature verified correctly with the key contained in the signature, but that key is not trusted

I am trying to configure the SAML2 IdP Salesforce as an external provider in IdentityServer3. I am using the SustainSys/Saml2 library. So for testing purposes I have downloaded SampleIdentityServer3 and configured the SAML2 IdP as below

    private void ConfigureSaml2(IAppBuilder app, string signInAsType)
    {
        ServicePointManager.Expect100Continue = true;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;

        var options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId("http://localhost:4589/IdSrv3/Saml2"),    
                MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            },
            SignInAsAuthenticationType = signInAsType,
            Caption = "SAML2p",

        };

        UseIdSrv3LogoutOnFederatedLogout(app, options);

        options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
            AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Sustainsys.Saml2.Tests.pfx"));

        var idp = new IdentityProvider(
            new EntityId("https://XXXXXX-dev-ed.my.salesforce.com"),
            options.SPOptions)
        {
            MetadataLocation = "https://XXXXXX-dev-ed.my.salesforce.com/.well-known/samlidp.xml",
            LoadMetadata = true,                
        };

        options.IdentityProviders.Add(idp);
        app.UseSaml2Authentication(options);
    }

Note that if I do not set MinIncomingSigningAlgorithm to sha1, the SustainSys library throws an error.

Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signing algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 is weaker than the minimum accepted http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. If you want to allow this signing algorithm, use the minIncomingSigningAlgorithm configuration attribute.

So I set MinIncomingSigningAlgorithm to "http://www.w3.org/2000/09/xmldsig#rsa-sha1" to get rid of the error.

But then I get a different error

Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

Based on issues #493 and #735, the certificate in the metadata must match the certificate in the SAML2 response.

In the metadata, the certificate is (note the starting and ending values)

    <ds:X509Data>
      <ds:X509Certificate>
         MIIGk... removed from brevity....tmv6J1g==
      </ds:X509Certificate>
    </ds:X509Data>

But in the SAML2 response (the response logged by the SustainSys library)

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:4589/IdSrv3/Saml2/Acs" ID="_19fd2d8d9aab0401f56fXXXXXXXXX" InResponseTo="id473a52c49f194bXXXXXXXXX" IssueInstant="2018-08-27T20:10:04.296Z" Version="2.0">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://XXXXXXX-dev-ed.my.salesforce.com</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_19fd2d8d9aab0401f56f642dXXXXXXXXXXXXX">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp" /></ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>fQiiyd0T57Ztr5BAfMFe9MTrhY0=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
                B6hndlsBgY45J+hm8My2gPVo....removed for brevity....YT88ajt7jQ==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIENz... remove for brevity....y2Ul24Jyc4V/jJN
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
        </samlp:Status>
    </samlp:Response>

Looking at the X509Certificate values in the metadata and in the SAML2 response, they do not match.

Question
Should the X509Certificate value in the SAML2 response match the X509Certificate value in the metadata? If so, why can't the SustainSys library always use the X509Certificate value from the SAML2 response?

Update
Just to see whether matching values would work, I saved the certificate value from the SAML2 response into a separate .cer file. Then in the KeyInfoSerializer.cs file I updated the ReadX509Certificate method (this is the method that loads the certificate from the metadata)

    private static SecurityKeyIdentifierClause ReadX509Certificate(XmlReader reader)
    {
        reader.ReadStartElement("X509Certificate", SignedXml.XmlDsigNamespaceUrl);
        ((XmlDictionaryReader)reader).ReadContentAsString();

        var cer = new X509Certificate2(AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/salesforcepublickey.cer");
        var clause = new X509RawDataKeyIdentifierClause(cer);
        reader.ReadEndElement();
        return clause;
    }

However, it still throws the error The signature verified correctly with the key contained in the signature, but that key is not trusted.
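As an added diagnostic (not code from the question or from the Sustainsys library), this Python script reproduces the trust check behind the error: it collects the signing certificates published in the IdP metadata and tests whether the certificate embedded in the response's KeyInfo is one of them, comparing SHA-256 thumbprints of the decoded bytes. The metadata and response documents are constructed inline around placeholder base64 blobs, not real certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
X509_TAG = f"{{{DS_NS}}}X509Certificate"

# Constructed placeholders for the (truncated) certificates in the question;
# they are base64 blobs, not real X.509 certificates.
META_CERT = base64.b64encode(b"constructed metadata signing cert").decode()
RESP_CERT = base64.b64encode(b"constructed response signing cert").decode()

def make_metadata(cert_b64):
    """Minimal IdP metadata with one signing KeyDescriptor (constructed sample)."""
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            'entityID="https://example-dev-ed.my.salesforce.com">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>\n  {cert_b64}\n</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')

def make_response(cert_b64):
    """Minimal samlp:Response whose Signature carries a KeyInfo certificate."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'ID="_resp1" Version="2.0"><ds:Signature xmlns:ds="{DS_NS}"><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')

def thumbprint(b64_text):
    """SHA-256 over the decoded bytes; whitespace inside the element is ignored."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_text))).hexdigest()

def metadata_signing_thumbprints(metadata_xml):
    """Thumbprints the IdP publishes for signing (no 'use' attribute means signing too)."""
    thumbs = set()
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # skip encryption-only keys
            thumbs.update(thumbprint(c.text) for c in kd.iter(X509_TAG))
    return thumbs

def response_signing_thumbprint(response_xml):
    """Thumbprint of the certificate in the response's ds:Signature/ds:KeyInfo."""
    sig = ET.fromstring(response_xml).find(f"{{{DS_NS}}}Signature")
    return thumbprint(sig.find(f".//{X509_TAG}").text)

def key_is_trusted(metadata_xml, response_xml):
    """The check behind the error: the key that verified must be a published signing key."""
    return response_signing_thumbprint(response_xml) in metadata_signing_thumbprints(metadata_xml)
```

Run it against the real samlidp.xml and the logged response to see which certificate differs; a mismatch means the IdP signed with a key it has not published, so the response should be rejected rather than the trust check relaxed.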

Found it.
It was an issue on the Salesforce side. In Salesforce, when I checked the log under Identity -> Identity Provider Event Log, I saw the error Error: User does not have access to this service provider

The reason is that the user had not been granted permission. Even if the user is a System Administrator, access to the connected app is not granted by default. To grant permission, go to 'Manage Users -> Users' and click Edit for the user you are testing with. Click the profile name link, e.g. System Administrator. This takes you to the profile page. Scroll down to 'Connected App Access' and you will see that access has not been granted. Grant access by clicking Edit Profile at the top of the page.

Not related to this question, but this question shows up first when we google the error, so posting the solution here. We integrated the Kentor AuthServices library with a third-party provider in an ASP.NET application, and it failed with the error above.

The problem was that IIS could not reach the certificate store. We enabled the loadUserProfile setting on the Application Pool for our website, and it was then able to run perfectly. We applied this on Windows Server 2016.