WSO2 Identity Server 5.0.0 Sharepoint 2013 SSO Passive STS failing

I followed the "SSO for Microsoft Sharepoint Web Applications with WSO2 Identity Server" tutorial, but I get a SOAP fault in the form result that is POSTed back to SharePoint.

The soapenv:Reason contains the following text:

Error in creating a SAMLToken using Opensaml library

I enabled DEBUG logging globally in WSO2 Identity Server and I can see the error response, but I don't understand why it happens:

TID: [0] [IS] [2015-10-29 15:39:18,921] DEBUG {org.wso2.carbon.identity.sts.passive.PassiveSTSService} -  Retrieving wreply url for : Portal in tenant : carbon.super {org.wso2.carbon.identity.sts.passive.PassiveSTSService}
TID: [0] [IS] [2015-10-29 15:39:18,921] DEBUG {org.wso2.carbon.identity.sts.passive.PassiveSTSService} -  Setting ReplyTo URL : hxxp://portal.domain/_trust for Realm : Portal {org.wso2.carbon.identity.sts.passive.PassiveSTSService}
TID: [0] [IS] [2015-10-29 15:39:18,937] DEBUG {org.apache.rahas.client.STSClient} -  Creating request with request type: hxxp://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue and applies to: Portal {org.apache.rahas.client.STSClient}
TID: [0] [IS] [2015-10-29 15:39:18,937] DEBUG {org.apache.rahas.client.STSClient} -  Using RSTTemplate: <sp:RequestSecurityTokenTemplate xmlns:sp="hxxp://schemas.xmlsoap.org/ws/2005/07/securitypolicy"><wst:TokenType xmlns:wst="hxxp://docs.oasis-open.org/ws-sx/ws-trust/200512">hxxp://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType><wst:KeyType xmlns:wst="hxxp://docs.oasis-open.org/ws-sx/ws-trust/200512">hxxp://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType><wst:KeySize xmlns:wst="hxxp://docs.oasis-open.org/ws-sx/ws-trust/200512">256</wst:KeySize><wst:Claims xmlns:wst="hxxp://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsp="hxxp://docs.oasis-open.org/ws-sx/ws-trust/200512" wsp:Dialect="hxxp://wso2.org/claims"><wsid:ClaimType xmlns:wsid="hxxp://schemas.xmlsoap.org/ws/2005/05/identity" Uri="{WindowsAccountName|123456789}"></wsid:ClaimType></wst:Claims></sp:RequestSecurityTokenTemplate> {org.apache.rahas.client.STSClient}
TID: [0] [IS] [2015-10-29 15:39:18,937] DEBUG {org.apache.rahas.client.STSClient} -  Extracting key size from the RSTTemplate:  {org.apache.rahas.client.STSClient}
TID: [0] [IS] [2015-10-29 15:39:18,937] DEBUG {org.apache.rahas.client.STSClient} -  Key size from RSTTemplate: 256 {org.apache.rahas.client.STSClient}
TID: [0] [IS] [2015-10-29 15:39:18,952] DEBUG {org.wso2.carbon.identity.sts.passive.processors.RequestProcessor} -  STSTimeToLive read from carbon.xml in passive STS 1800000 {org.wso2.carbon.identity.sts.passive.processors.RequestProcessor}
TID: [0] [IS] [2015-10-29 15:39:18,999] DEBUG {org.apache.ws.security.components.crypto.CryptoFactory} -  Using Crypto Engine [org.wso2.carbon.security.util.ServerCrypto] {org.apache.ws.security.components.crypto.CryptoFactory}
TID: [0] [IS] [2015-10-29 15:39:19,046] DEBUG {org.apache.xml.security.Init} -  Registering default algorithms {org.apache.xml.security.Init}
TID: [0] [IS] [2015-10-29 15:39:19,140] DEBUG {org.wso2.carbon.identity.provider.AttributeCallbackHandler} -  Loading claims {org.wso2.carbon.identity.provider.AttributeCallbackHandler}
TID: [0] [IS] [2015-10-29 15:39:19,140] DEBUG {org.wso2.carbon.identity.core.IdentityClaimManager} -  IdentityClaimManager singleton instance created successfully {org.wso2.carbon.identity.core.IdentityClaimManager}
TID: [0] [IS] [2015-10-29 15:39:19,140] DEBUG {org.wso2.carbon.user.core.claim.ClaimInvalidationCache} -  My Hash code of Claim cache is : 1 {org.wso2.carbon.user.core.claim.ClaimInvalidationCache}
TID: [0] [IS] [2015-10-29 15:39:19,156] DEBUG {org.wso2.carbon.user.core.claim.ClaimInvalidationCache} -  Shared Hash code of Claim cache is : 1 {org.wso2.carbon.user.core.claim.ClaimInvalidationCache}
TID: [0] [IS] [2015-10-29 15:39:19,156] DEBUG {org.wso2.carbon.identity.provider.AttributeCallbackHandler} -  Processing claim data {org.wso2.carbon.identity.provider.AttributeCallbackHandler}
TID: [0] [IS] [2015-10-29 15:39:19,156] DEBUG {org.wso2.carbon.identity.provider.AttributeCallbackHandler} -  Populating claim values {org.wso2.carbon.identity.provider.AttributeCallbackHandler}
TID: [0] [IS] [2015-10-29 15:39:19,187] DEBUG {org.apache.axiom.om.impl.builder.StAXOMBuilder} -  WARNING: The current state of the parser is not equal to the state just received from the parser. The current state in the paser is END_ELEMENT the state just received is END_DOCUMENT {org.apache.axiom.om.impl.builder.StAXOMBuilder}
TID: [0] [IS] [2015-10-29 15:39:19,187] DEBUG {org.apache.axis2.handlers.addressing.AddressingOutHandler} -  includeOptionalHeaders=false {org.apache.axis2.handlers.addressing.AddressingOutHandler}
TID: [0] [IS] [2015-10-29 15:39:19,187] DEBUG {org.apache.axis2.handlers.addressing.AddressingOutHandler} -  WSAHeaderWriter: isFinal=true addMU=false replace=false includeOptional=false role=null {org.apache.axis2.handlers.addressing.AddressingOutHandler}
TID: [0] [IS] [2015-10-29 15:39:19,187] DEBUG {org.apache.axis2.client.Options} -  getAction (urn:getResponseResponse) from org.apache.axis2.client.Options@4cdb77b9 {org.apache.axis2.client.Options}
TID: [0] [IS] [2015-10-29 15:39:19,187] DEBUG {org.apache.axis2.transport.local.LocalResponder} -  Response - <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="hxxp://www.w3.org/2003/05/soap-envelope"><soapenv:Header xmlns:wsa="hxxp://www.w3.org/2005/08/addressing"><wsa:Action>urn:getResponseResponse</wsa:Action><wsa:RelatesTo>urn:uuid:83ee0d80-39ff-428f-92b9-bad675cdb820</wsa:RelatesTo></soapenv:Header><soapenv:Body><ns:getResponseResponse xmlns:ns="hxxp://org.apache.axis2/xsd"><ns:return xmlns:xsi="hxxp://www.w3.org/2001/XMLSchema-instance" xmlns:ax2364="hxxp://passive.sts.identity.carbon.wso2.org/xsd" xsi:type="ax2364:ResponseToken"><ax2364:authenticated>true</ax2364:authenticated><ax2364:context>hxxp://portal.domain/_layouts/15/Authenticate.aspx?Source=%2F</ax2364:context><ax2364:replyTo>hxxp://portal.domain/_trust</ax2364:replyTo><ax2364:responsePointer xsi:nil="true"></ax2364:responsePointer><ax2364:results>&lt;soapenv:Fault xmlns:soapenv="hxxp://www.w3.org/2003/05/soap-envelope"&gt;&lt;soapenv:Code&gt;&lt;soapenv:Value&gt;Sender&lt;/soapenv:Value&gt;&lt;soapenv:Subcode&gt;&lt;soapenv:Value xmlns:sts="hxxp://wso2.org/passivests"&gt;sts:InvalidRequest&lt;/soapenv:Value&gt;&lt;/soapenv:Subcode&gt;&lt;/soapenv:Code&gt;&lt;soapenv:Reason&gt;&lt;soapenv:Text&gt;Error in creating a SAMLToken using Opensaml library&lt;/soapenv:Text&gt;&lt;/soapenv:Reason&gt;&lt;soapenv:Detail&gt;none&lt;/soapenv:Detail&gt;&lt;/soapenv:Fault&gt;</ax2364:results></ns:return></ns:getResponseResponse></soapenv:Body></soapenv:Envelope> {org.apache.axis2.transport.local.LocalResponder}

The http URIs were changed to hxxp so that I could submit this question.

I figured it out. The catalina configuration was set to use the wrong alias in the keystore for encrypting private communication. In my case, the alias specified did not exist at all. After changing it to a valid alias, it now works as expected.
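A quick way to rule out the failure mode described in this answer (a configured keystore alias that does not exist, or exists but has no private key) before touching the STS configuration. This is an added example, not code from the original post or from WSO2; the keystore path, store password, alias and key password are all passed in as arguments and are hypothetical placeholders, and the check uses only the standard java.security.KeyStore API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

public class KeystoreAliasCheck {

    // Returns a short verdict for the alias; anything other than "OK" means the
    // STS would not be able to sign or encrypt with this entry.
    public static String checkAlias(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "MISSING";              // the case from the answer above: alias not in the keystore
        }
        if (!ks.isKeyEntry(alias)) {
            return "NOT_A_KEY_ENTRY";      // a trusted-cert entry only; no private key to sign with
        }
        Key key = ks.getKey(alias, keyPassword);
        if (!(key instanceof PrivateKey)) {
            return "NO_PRIVATE_KEY";
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        try {
            cert.checkValidity();          // an expired cert also breaks token issuance
        } catch (CertificateExpiredException e) {
            return "CERT_EXPIRED";
        } catch (CertificateNotYetValidException e) {
            return "CERT_NOT_YET_VALID";
        }
        return "OK";
    }

    // Usage: java KeystoreAliasCheck <keystore.jks> <storepass> <alias> <keypass>
    // All four values are placeholders to be taken from your own deployment.
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreAliasCheck <keystore.jks> <storepass> <alias> <keypass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String verdict = checkAlias(ks, args[2], args[3].toCharArray());
        System.out.println("alias '" + args[2] + "': " + verdict);
        if (!"OK".equals(verdict)) {
            System.out.println("available aliases:");
            for (java.util.Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                System.out.println("  " + e.nextElement());
            }
            System.exit(1);
        }
    }
}
```

When the verdict is MISSING, the list of available aliases printed afterwards is what you compare against the alias configured for the STS; the same check can be done with `keytool -list -v` on the keystore, but running it as a small program makes it easy to drop into a deployment health check.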