SAML 消息签名错误
SAML Message has wrong signature
我在 Windows Server 2012 R2 上运行着一个 Meteor 应用程序,并使用 IIS 8.5 作为该应用程序的反向代理(也尝试过在 Ubuntu 上使用 nginx),我正在尝试通过 SAML 使用 ADFS 2.0 进行身份验证。
我不断收到以下错误:
Event 303, AD FS 2.0
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer:
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.CreateErrorMessage(CreateErrorMessageRequest createErrorMessageRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Log Name:
AD FS 2.0/Admin
Source:
AD FS 2.0
Logged:
10/04/2016 09:0S:1
Event ID:
303
Task Category:
None
Level:
Error
Keywords:
AD F
User:
NETWORK SERVICE
Computer:
安装kb2896713
不幸的是,到目前为止运气不好。
有人知道吗?问题的根源是什么?
编辑
这是我使用的开源软件:Rocket.Chat
https://github.com/RocketChat/Rocket.Chat/tree/develop/packages/meteor-accounts-saml
- 我建议使用此工具生成证书、密钥 https://www.samltool.com/self_signed_certs.php
- 您可以在此处验证带签名的请求 https://www.samltool.com/validate_logout_req.php
- 工具 encode/decode url http://meyerweb.com/eric/tools/dencoder/
- 安装 SAML tracer 插件,以便在 Firefox 中查看 request/response 里的 SAML 消息 https://addons.mozilla.org/ru/firefox/addon/saml-tracer/
- 用于 decode/encode SAML 消息的工具 https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
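/**
 * Deflate, base64- and URL-encode a SAML request and build the signed
 * HTTP-Redirect binding URL that the browser is sent to at the IdP.
 *
 * The signature is computed over the exact query string
 * `SAMLRequest=<enc>&RelayState=<enc>&SigAlg=<enc>` that is then appended
 * to the URL, so the IdP must receive those bytes unchanged; anything in
 * between (e.g. a reverse proxy) that re-encodes the query string will make
 * the IdP-side verification fail.
 *
 * @param {string} request - The SAML request XML (AuthnRequest or LogoutRequest).
 * @param {string} operation - 'logout' targets options.idpSLORedirectURL (when set)
 *   and uses options.issuer as RelayState; any other value targets
 *   options.entryPoint and uses options.provider as RelayState.
 * @param {function(Error|null, string=)} callback - Called with the deflate
 *   error, or with (null, url) where url is the final redirect URL.
 */
SAML.prototype.requestToUrl = function (request, operation, callback) {
  console.log("requestToUrl:");
  // Strip line breaks so the deflated payload carries no CR/LF noise.
  request = request.replace(/(\r\n|\n|\r)/gm, "");
  console.log("Logout request:" + request);
  var self = this;

  zlib.deflateRaw(request, function (err, buffer) {
    if (err) {
      return callback(err);
    }

    var base64 = buffer.toString('base64');
    var target = self.options.entryPoint;
    if (operation === 'logout' && self.options.idpSLORedirectURL) {
      target = self.options.idpSLORedirectURL;
    }
    // Append to an existing query string or start one.
    target += target.indexOf('?') > 0 ? '&' : '?';

    // TBD. We should really include a proper RelayState here.
    // NOTE(review): an unset option would be encoded as the literal string
    // "undefined" — confirm both issuer and provider are configured.
    var relayState = operation === 'logout' ? self.options.issuer : self.options.provider;

    // URL Encode the bytes
    var encodedRequest = encodeURIComponent(base64);
    console.log("encodedRequest:" + encodedRequest);
    var encodedRelayState = encodeURIComponent(relayState);

    // The SigAlg URI advertised to the IdP and the algorithm given to
    // crypto.createSign() describe the same algorithm; if moving off
    // SHA-1 (deprecated for signatures), change both together.
    var sigAlg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    var encodedSigAlg = encodeURIComponent(sigAlg);

    // The signed string is these three parameters, in this fixed order,
    // using the already URL-encoded values.
    var strSignature = "SAMLRequest=" + encodedRequest
      + "&RelayState=" + encodedRelayState
      + "&SigAlg=" + encodedSigAlg;

    var signer = crypto.createSign('RSA-SHA1');
    signer.update(strSignature);
    // Signed with the SP private key; the IdP verifies it against the SP
    // certificate it has on file, so the two must belong to the same key pair.
    var signature = signer.sign(self.options.privateKey, 'base64');
    console.log("signature:" + signature);
    var encodedSignature = encodeURIComponent(signature);
    console.log("encodedSignature:" + encodedSignature);

    // The URL carries exactly the signed string plus the Signature parameter.
    target += strSignature + "&Signature=" + encodedSignature;

    if (Meteor.settings.debug) {
      console.log("requestToUrl: " + target);
    }
    // Same URL for both operations; in case of logout the IdP redirects the
    // browser back to the Meteor app from there.
    callback(null, target);
  });
};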
我在 Windows Server 2012 R2 上运行着一个 Meteor 应用程序,并使用 IIS 8.5 作为该应用程序的反向代理(也尝试过在 Ubuntu 上使用 nginx),我正在尝试通过 SAML 使用 ADFS 2.0 进行身份验证。
我不断收到以下错误:
Event 303, AD FS 2.0
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer:
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.CreateErrorMessage(CreateErrorMessageRequest createErrorMessageRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Log Name:
AD FS 2.0/Admin
Source:
AD FS 2.0
Logged:
10/04/2016 09:0S:1
Event ID:
303
Task Category:
None
Level:
Error
Keywords:
AD F
User:
NETWORK SERVICE
Computer:
安装kb2896713
不幸的是,到目前为止运气不好。
有人知道吗?问题的根源是什么?
编辑
这是我使用的开源软件:Rocket.Chat https://github.com/RocketChat/Rocket.Chat/tree/develop/packages/meteor-accounts-saml
- 我建议使用此工具生成证书、密钥 https://www.samltool.com/self_signed_certs.php
- 您可以在此处验证带签名的请求 https://www.samltool.com/validate_logout_req.php
- 工具 encode/decode url http://meyerweb.com/eric/tools/dencoder/
- 安装 SAML tracer 插件,以便在 Firefox 中查看 request/response 里的 SAML 消息 https://addons.mozilla.org/ru/firefox/addon/saml-tracer/
- 用于 decode/encode SAML 消息的工具 https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php
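/**
 * Deflate, base64- and URL-encode a SAML request and build the signed
 * HTTP-Redirect binding URL that the browser is sent to at the IdP.
 *
 * The signature is computed over the exact query string
 * `SAMLRequest=<enc>&RelayState=<enc>&SigAlg=<enc>` that is then appended
 * to the URL, so the IdP must receive those bytes unchanged; anything in
 * between (e.g. a reverse proxy) that re-encodes the query string will make
 * the IdP-side verification fail.
 *
 * @param {string} request - The SAML request XML (AuthnRequest or LogoutRequest).
 * @param {string} operation - 'logout' targets options.idpSLORedirectURL (when set)
 *   and uses options.issuer as RelayState; any other value targets
 *   options.entryPoint and uses options.provider as RelayState.
 * @param {function(Error|null, string=)} callback - Called with the deflate
 *   error, or with (null, url) where url is the final redirect URL.
 */
SAML.prototype.requestToUrl = function (request, operation, callback) {
  console.log("requestToUrl:");
  // Strip line breaks so the deflated payload carries no CR/LF noise.
  request = request.replace(/(\r\n|\n|\r)/gm, "");
  console.log("Logout request:" + request);
  var self = this;

  zlib.deflateRaw(request, function (err, buffer) {
    if (err) {
      return callback(err);
    }

    var base64 = buffer.toString('base64');
    var target = self.options.entryPoint;
    if (operation === 'logout' && self.options.idpSLORedirectURL) {
      target = self.options.idpSLORedirectURL;
    }
    // Append to an existing query string or start one.
    target += target.indexOf('?') > 0 ? '&' : '?';

    // TBD. We should really include a proper RelayState here.
    // NOTE(review): an unset option would be encoded as the literal string
    // "undefined" — confirm both issuer and provider are configured.
    var relayState = operation === 'logout' ? self.options.issuer : self.options.provider;

    // URL Encode the bytes
    var encodedRequest = encodeURIComponent(base64);
    console.log("encodedRequest:" + encodedRequest);
    var encodedRelayState = encodeURIComponent(relayState);

    // The SigAlg URI advertised to the IdP and the algorithm given to
    // crypto.createSign() describe the same algorithm; if moving off
    // SHA-1 (deprecated for signatures), change both together.
    var sigAlg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    var encodedSigAlg = encodeURIComponent(sigAlg);

    // The signed string is these three parameters, in this fixed order,
    // using the already URL-encoded values.
    var strSignature = "SAMLRequest=" + encodedRequest
      + "&RelayState=" + encodedRelayState
      + "&SigAlg=" + encodedSigAlg;

    var signer = crypto.createSign('RSA-SHA1');
    signer.update(strSignature);
    // Signed with the SP private key; the IdP verifies it against the SP
    // certificate it has on file, so the two must belong to the same key pair.
    var signature = signer.sign(self.options.privateKey, 'base64');
    console.log("signature:" + signature);
    var encodedSignature = encodeURIComponent(signature);
    console.log("encodedSignature:" + encodedSignature);

    // The URL carries exactly the signed string plus the Signature parameter.
    target += strSignature + "&Signature=" + encodedSignature;

    if (Meteor.settings.debug) {
      console.log("requestToUrl: " + target);
    }
    // Same URL for both operations; in case of logout the IdP redirects the
    // browser back to the Meteor app from there.
    callback(null, target);
  });
};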