Why is this not a valid saml2 request?
I am using OpenSAML to generate a SAML2 authentication request for Azure:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="https://myserver.de/_saml/validate/azure"
ForceAuthn="false" ID="0" IsPassive="false" IssueInstant="2016-11-28T09:46:43.215Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">issuerid</samlp:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="Isser" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" />
<saml2p:RequestedAuthnContext Comparison="exact"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
The XML is encoded to Base64 using org.opensaml.xml.io.Marshaller and java.util.zip.DeflaterOutputStream.DeflaterOutputStream, and I verified its correctness with several online SAML decoders.
But the error I get back from Azure is:
AADSTS75005: The request is not a valid Saml2 protocol message.
Can anyone help?
In the element 'AuthnRequest' you set the attribute 'ID' to "0". That is not a valid value for the atomic type 'xs:ID'.
I quote the technical rules from the OASIS specification:
The xs:ID simple type is used to declare SAML identifiers for assertions, requests, and responses. Values declared to be of type xs:ID in this specification MUST satisfy the following properties in addition to those imposed by the definition of the xs:ID type itself:
- Any party that assigns an identifier MUST ensure that there is negligible probability that that party or any other party will accidentally assign the same identifier to a different data object.
- Where a data object declares that it has a particular identifier, there MUST be exactly one such declaration.
The mechanism by which a SAML system entity ensures that the identifier is unique is left to the implementation. In the case that a random or pseudorandom technique is employed, the probability of two randomly chosen identifiers being identical MUST be less than or equal to 2^-128 and SHOULD be less than or equal to 2^-160.
You should use one of the existing ID-generation methods to produce the ID.
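As an added illustration (not code from the question or from the OpenSAML project), the following Python checks an AuthnRequest's ID attribute against the xs:ID lexical rule and generates a compliant random ID; the minimal request, the helper names and the ASCII-only NCName regex are all constructed here for the example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# xs:ID is an NCName: it must start with a letter or underscore, never a
# digit, and may contain only letters, digits, '.', '-' and '_'. This regex
# is an ASCII approximation; the full grammar also allows non-ASCII letters.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_valid_xs_id(value: str) -> bool:
    """Return True if value satisfies the lexical rules of xs:ID (ASCII NCName)."""
    return bool(_NCNAME.match(value))


def generate_saml_id(num_bytes: int = 20) -> str:
    """Build a SAML ID: '_' prefix (so it can never start with a digit) plus
    num_bytes of CSPRNG output as hex. 20 bytes = 160 bits, which meets the
    SHOULD collision bound of 2^-160 quoted in the answer above."""
    return "_" + secrets.token_hex(num_bytes)


def check_authn_request_id(xml_text: str) -> tuple[str, bool]:
    """Parse an AuthnRequest and return (ID attribute, is it a valid xs:ID)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("root element is not samlp:AuthnRequest")
    request_id = root.get("ID", "")
    return request_id, is_valid_xs_id(request_id)


# Constructed minimal request mirroring the one in the question (ID="0").
BAD_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="0" Version="2.0" IssueInstant="2016-11-28T09:46:43.215Z"/>'
)

if __name__ == "__main__":
    rid, ok = check_authn_request_id(BAD_REQUEST)
    print(f"ID={rid!r} valid xs:ID? {ok}")  # ID='0' valid xs:ID? False
    fixed = BAD_REQUEST.replace('ID="0"', f'ID="{generate_saml_id()}"')
    rid, ok = check_authn_request_id(fixed)
    print(f"ID={rid!r} valid xs:ID? {ok}")  # valid xs:ID? True
```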