Ping Federate throws error: cvc-complex-type.2.4c: while validating a SAML response
I am sending a SAML response to Ping Federate. If the SAML response contains SAML attributes it works fine, but if the SAML response does not contain SAML attributes it throws the following error:
Response XML is invalid. Errors: [error: cvc-complex-type.2.4c: Expected elements 'Attribute@urn:oasis:names:tc:SAML:2.0:assertion EncryptedAttribute@urn:oasis:names:tc:SAML:2.0:assertion' before the end of the content in element AttributeStatement@urn:oasis:names:tc:SAML:2.0:assertion].
Below is the SAML response (without SAML attributes) that triggers this error:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test/sp/ACS.saml2" ID="frtgckggfpwphf_vxeatxzlvgrq" IssueInstant="2018-08-30T11:50:38.183Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">Test</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4947dc191f01c1e98d448c2fadd5c289" IssueInstant="2018-08-30T11:50:38.183Z" Version="2.0">
    <saml2:Issuer>Test</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testUser</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2018-08-30T11:52:38.183Z" Recipient="https://test/sp/ACS.saml2"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-08-30T11:50:38.183Z" NotOnOrAfter="2018-08-30T11:52:38.183Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>TestAudience</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-08-30T11:50:38.184Z" SessionIndex="_4947dc191f01c1e98d448c2fadd5c289">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement/>
  </saml2:Assertion>
</saml2p:Response>
I think this may be caused by the <saml2:AttributeStatement/> element, but online tools say the XML above is valid.
Does Ping Federate require the SAML response to be in a specific format (i.e. no 'saml2:AttributeStatement' when there are no SAML attributes), or is this a completely different problem?
Thanks
The SAML Core specification (https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) says:
2.7.3 Element <AttributeStatement>
The <AttributeStatement> element describes a statement by the SAML authority asserting that the assertion subject is associated with the specified attributes. Assertions containing <AttributeStatement> elements MUST contain a <Subject> element. It is of type AttributeStatementType, which extends StatementAbstractType with the addition of the following elements:
<Attribute> or <EncryptedAttribute> [One or More]
The <Attribute> element specifies an attribute of the assertion subject. An encrypted SAML attribute may be included with the <EncryptedAttribute> element.
The following schema fragment defines the <AttributeStatement> element and its AttributeStatementType complex type:
<element name="AttributeStatement" type="saml:AttributeStatementType"/>
<complexType name="AttributeStatementType">
  <complexContent>
    <extension base="saml:StatementAbstractType">
      <choice maxOccurs="unbounded">
        <element ref="saml:Attribute"/>
        <element ref="saml:EncryptedAttribute"/>
      </choice>
    </extension>
  </complexContent>
</complexType>
The online tools you used are wrong (they probably only validate the XML itself rather than validating it against the SAML schema): you must include a <Subject> and "One or More" Attribute(s) or EncryptedAttribute(s) in the AttributeStatement.
FWIW: if you do not intend to send any attributes, you can omit the AttributeStatement entirely; it is only sending an empty one that violates the specification.
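The schema rule quoted in the answer can be checked before a response leaves the identity provider. The following is an added example (not code from the question, the answer or Ping Federate) that, with only the standard library, flags an AttributeStatement lacking Attribute/EncryptedAttribute children or a Subject, and applies the answer's fix of dropping the empty statement. The sample response is a constructed, stripped-down copy of the one in the question.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml2", SAML)
ET.register_namespace("saml2p", SAMLP)

ATTR_TAGS = (f"{{{SAML}}}Attribute", f"{{{SAML}}}EncryptedAttribute")

# Constructed minimal response mirroring the question: Subject present,
# AttributeStatement empty (this is what cvc-complex-type.2.4c rejects).
EMPTY_ATTR_STATEMENT = f"""<saml2p:Response xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}" Version="2.0">
  <saml2:Assertion Version="2.0">
    <saml2:Subject><saml2:NameID>testUser</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement/>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed variant with one attribute: valid per saml-core 2.7.3.
WITH_ATTRIBUTE = EMPTY_ATTR_STATEMENT.replace(
    "<saml2:AttributeStatement/>",
    '<saml2:AttributeStatement><saml2:Attribute Name="mail">'
    "<saml2:AttributeValue>u@example.test</saml2:AttributeValue>"
    "</saml2:Attribute></saml2:AttributeStatement>")


def attribute_statement_problems(xml_text):
    """Return the saml-core 2.7.3 violations found in every Assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        statements = assertion.findall(f"{{{SAML}}}AttributeStatement")
        if statements and assertion.find(f"{{{SAML}}}Subject") is None:
            problems.append("AttributeStatement without Subject")
        for st in statements:
            if not any(child.tag in ATTR_TAGS for child in st):
                problems.append("AttributeStatement has no Attribute/EncryptedAttribute")
    return problems


def drop_empty_attribute_statements(xml_text):
    """Apply the answer's fix: remove AttributeStatements with no attributes.

    Returns the serialised response and how many statements were removed."""
    root = ET.fromstring(xml_text)
    removed = 0
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        for st in assertion.findall(f"{{{SAML}}}AttributeStatement"):
            if not any(child.tag in ATTR_TAGS for child in st):
                assertion.remove(st)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

The check only covers the AttributeStatement rule discussed here; full schema validation (what Ping Federate performs) still needs the OASIS XSDs and a schema-aware parser.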