OpenSaml encryptedID 验证失败
OpenSaml encryptedID Validation Failed
我的需求是将nameId加密后在AuthnRequest中发送。
我遇到了 openSaml (v 2.6.1) Validator SubjectShemaValidator 的问题。请求验证失败并出现错误 "ID or SubjectConfirmation required",因为没有 BaseID、BaseID 或 SubjectConfirmations。
这是我的身份验证请求:
<saml2p:AuthnRequest AssertionConsumerServiceURL="https:..." ForceAuthn="false" ID="4ed1e8875b99" IssueInstant="2016-01-27T15:39:26.195Z" ProtocolBinding="POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">APPLICATION</saml2:Issuer><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:EncryptedID><xenc:EncryptedData Id="_b8b7761b84db0c4c5254b4f4c3ef9d1d" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_922bd10322d761ca1a5450213da896ea" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>ABCD</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>EFGH</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2p:AuthnRequest>
这是 OpenSAML 验证器上的错误,因为它不检查 EncryptedID 吗?或者我错过了什么??
你可以直接这样输入而不是 nameId 的加密
AuthnRequest request = buildSAMLObject(AuthnRequest.class);
NameIDPolicy nameIdPolicy = buildSAMLObject(NameIDPolicy.class);
nameIdPolicy.setAllowCreate(true);
nameIdPolicy.setFormat(NameIDType.EMAIL);
request.setNameIDPolicy(nameIdPolicy);
public static <T> T buildSAMLObject(final Class<T> clazz) {
T object = null;
try {
XMLObjectBuilderFactory builderFactory = Configuration
.getBuilderFactory();
QName defaultElementName = (QName) clazz.getDeclaredField(
"DEFAULT_ELEMENT_NAME").get(null);
object = (T) builderFactory.getBuilder(defaultElementName)
.buildObject(defaultElementName);
} catch (IllegalAccessException e) {
throw new IllegalArgumentException("Could not create SAML object");
} catch (NoSuchFieldException e) {
throw new IllegalArgumentException("Could not create SAML object");
}
return object;
}
为了解决这个问题,我必须注销默认主题验证器并注册自定义验证器(包括 EncryptedID)。
validatorSuite = Configuration.getValidatorSuite(SAML_VALIDATOR_SUITE_ID);
// deregister default subject validator and register customized validator (including EncryptedID).
List<Validator> validators = validatorSuite.getValidators(Subject.DEFAULT_ELEMENT_NAME);
if (validators != null && validators.size() > 0) {
validatorSuite.deregisterValidator(Subject.DEFAULT_ELEMENT_NAME, validators.get(0));
}
validatorSuite.registerValidator(Subject.DEFAULT_ELEMENT_NAME, new SubjectSchemaValidator());
希望对您有所帮助。
我的需求是将nameId加密后在AuthnRequest中发送。 我遇到了 openSaml (v 2.6.1) Validator SubjectShemaValidator 的问题。请求验证失败并出现错误 "ID or SubjectConfirmation required",因为没有 BaseID、BaseID 或 SubjectConfirmations。
这是我的身份验证请求:
<saml2p:AuthnRequest AssertionConsumerServiceURL="https:..." ForceAuthn="false" ID="4ed1e8875b99" IssueInstant="2016-01-27T15:39:26.195Z" ProtocolBinding="POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">APPLICATION</saml2:Issuer><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:EncryptedID><xenc:EncryptedData Id="_b8b7761b84db0c4c5254b4f4c3ef9d1d" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_922bd10322d761ca1a5450213da896ea" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>ABCD</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>EFGH</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject></saml2p:AuthnRequest>
这是 OpenSAML 验证器上的错误,因为它不检查 EncryptedID 吗?或者我错过了什么??
你可以直接这样输入而不是 nameId 的加密
AuthnRequest request = buildSAMLObject(AuthnRequest.class);
NameIDPolicy nameIdPolicy = buildSAMLObject(NameIDPolicy.class);
nameIdPolicy.setAllowCreate(true);
nameIdPolicy.setFormat(NameIDType.EMAIL);
request.setNameIDPolicy(nameIdPolicy);
public static <T> T buildSAMLObject(final Class<T> clazz) {
T object = null;
try {
XMLObjectBuilderFactory builderFactory = Configuration
.getBuilderFactory();
QName defaultElementName = (QName) clazz.getDeclaredField(
"DEFAULT_ELEMENT_NAME").get(null);
object = (T) builderFactory.getBuilder(defaultElementName)
.buildObject(defaultElementName);
} catch (IllegalAccessException e) {
throw new IllegalArgumentException("Could not create SAML object");
} catch (NoSuchFieldException e) {
throw new IllegalArgumentException("Could not create SAML object");
}
return object;
}
为了解决这个问题,我必须注销默认主题验证器并注册自定义验证器(包括 EncryptedID)。
validatorSuite = Configuration.getValidatorSuite(SAML_VALIDATOR_SUITE_ID);
// deregister default subject validator and register customized validator (including EncryptedID).
List<Validator> validators = validatorSuite.getValidators(Subject.DEFAULT_ELEMENT_NAME);
if (validators != null && validators.size() > 0) {
validatorSuite.deregisterValidator(Subject.DEFAULT_ELEMENT_NAME, validators.get(0));
}
validatorSuite.registerValidator(Subject.DEFAULT_ELEMENT_NAME, new SubjectSchemaValidator());
希望对您有所帮助。