无法根据架构验证 SAML 2.0 断言
unable to validate SAML 2.0 assertion against schema
我正在与 Spring SAML and I have problem consuming SAML assertion (sample assertion from Wikipedia article
合作
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
Version="2.0"
IssueInstant="2004-12-05T09:22:05">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05"
NotOnOrAfter="2004-12-05T09:27:05">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00"
SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
FriendlyName="eduPersonAffiliation">
<saml:AttributeValue
xsi:type="xs:string">member</saml:AttributeValue>
<saml:AttributeValue
xsi:type="xs:string">staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
我从 XML 验证中收到错误。即使我从 IDE (Intelij IDEA tools->XML Actions->Validate)
执行模式验证,也会出现错误
xenc-schema.xsd 中的 xml 模式似乎无效(应该包含而不是导入)。此代码来自 xmltooling-1.4.4.jar 库(最新版本)。
这个错误是在 Spring SAML 或 xml 工具架构文件中,还是我做错了什么?
我的业务案例是身份提供商发起的 SSO。
如https://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding所述,点
5.在SP请求Assertion Consumer Service
我在 POST 请求中使用 SAML 断言(正文包含 SAMLResponse=
报错所有错误
<...>\xmltooling-1.4.4.jar!\schema\xmldsig-core-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute,
'http://www.w3.org/2000/09/xmldsig#', of an element
information item must be identical to the targetNamespace attribute,
'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.
<...>\xmltooling-1.4.4.jar!\schema\xenc-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute,
'http://www.w3.org/2001/04/xmlenc#', of an element
information item must be identical to the targetNamespace attribute,
'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.
<...>\opensaml-2.6.4.jar!\schema\saml-schema-assertion-2.0.xsd Error:(34, 48) src-resolve: Cannot resolve the name
'xenc:EncryptedData' to a(n) 'element declaration' component.
Error:(46, 56) src-resolve: Cannot resolve the name 'ds:Signature' to
a(n) 'element declaration' component.
<...>\wikipediaExample.xml Error:(11, 59) cvc-complex-type.2.4.a: Invalid content was found starting with element 'ds:Signature'. One of
'{"urn:oasis:names:tc:SAML:2.0:assertion":Subject,
"urn:oasis:names:tc:SAML:2.0:assertion":Conditions,
"urn:oasis:names:tc:SAML:2.0:assertion":Advice,
"urn:oasis:names:tc:SAML:2.0:assertion":Statement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthnStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthzDecisionStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AttributeStatement}' is
expected. Error:(11, 77) cvc-complex-type.2.3: Element 'ds:Signature'
cannot have character [children], because the type's content type is
element-only. Error:(11, 77) cvc-complex-type.2.4.b: The content of
element 'ds:Signature' is not complete. One of
'{"http://www.w3.org/2000/09/xmldsig#":SignedInfo}' is expected.
正如您在 XML 中所见,签名内容被三点省略:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
XML 验证正确地告诉您这个问题。
我正在与 Spring SAML and I have problem consuming SAML assertion (sample assertion from Wikipedia article
合作<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
Version="2.0"
IssueInstant="2004-12-05T09:22:05">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05"
NotOnOrAfter="2004-12-05T09:27:05">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00"
SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
FriendlyName="eduPersonAffiliation">
<saml:AttributeValue
xsi:type="xs:string">member</saml:AttributeValue>
<saml:AttributeValue
xsi:type="xs:string">staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
我从 XML 验证中收到错误。即使我从 IDE (Intelij IDEA tools->XML Actions->Validate)
执行模式验证,也会出现错误xenc-schema.xsd 中的 xml 模式似乎无效(应该包含而不是导入)。此代码来自 xmltooling-1.4.4.jar 库(最新版本)。
这个错误是在 Spring SAML 或 xml 工具架构文件中,还是我做错了什么?
我的业务案例是身份提供商发起的 SSO。 如https://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding所述,点 5.在SP请求Assertion Consumer Service 我在 POST 请求中使用 SAML 断言(正文包含 SAMLResponse=
报错所有错误
<...>\xmltooling-1.4.4.jar!\schema\xmldsig-core-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute, 'http://www.w3.org/2000/09/xmldsig#', of an element information item must be identical to the targetNamespace attribute, 'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.
<...>\xmltooling-1.4.4.jar!\schema\xenc-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute, 'http://www.w3.org/2001/04/xmlenc#', of an element information item must be identical to the targetNamespace attribute, 'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.
<...>\opensaml-2.6.4.jar!\schema\saml-schema-assertion-2.0.xsd Error:(34, 48) src-resolve: Cannot resolve the name 'xenc:EncryptedData' to a(n) 'element declaration' component. Error:(46, 56) src-resolve: Cannot resolve the name 'ds:Signature' to a(n) 'element declaration' component.
<...>\wikipediaExample.xml Error:(11, 59) cvc-complex-type.2.4.a: Invalid content was found starting with element 'ds:Signature'. One of '{"urn:oasis:names:tc:SAML:2.0:assertion":Subject, "urn:oasis:names:tc:SAML:2.0:assertion":Conditions, "urn:oasis:names:tc:SAML:2.0:assertion":Advice, "urn:oasis:names:tc:SAML:2.0:assertion":Statement, "urn:oasis:names:tc:SAML:2.0:assertion":AuthnStatement, "urn:oasis:names:tc:SAML:2.0:assertion":AuthzDecisionStatement, "urn:oasis:names:tc:SAML:2.0:assertion":AttributeStatement}' is expected. Error:(11, 77) cvc-complex-type.2.3: Element 'ds:Signature' cannot have character [children], because the type's content type is element-only. Error:(11, 77) cvc-complex-type.2.4.b: The content of element 'ds:Signature' is not complete. One of '{"http://www.w3.org/2000/09/xmldsig#":SignedInfo}' is expected.
正如您在 XML 中所见,签名内容被三点省略:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
XML 验证正确地告诉您这个问题。