javax.xml.crypto.dsig.XMLSignatureException: keyselector 没有找到验证密钥
javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
我正在使用 SAML 身份验证机制来验证我的应用程序。我将 IDP 服务器用作 ADFS,将 SP 用作 JBoss EAP 7.1.4。我已经添加了与 IDP 和 sp 服务器相关的所有配置,但是在验证 saml 响应时给出下面提到的异常。
它在另一个 ADFS 服务器上运行良好,但 ADFS 服务器已更改,因此在添加所有添加的配置后,
- 已验证证书是否正确。唯一的区别是新的 ADFS 使用通配符证书 *.dev.adfs.com link that.
- 已验证 SP 服务器端证书,使用 windows 相关证书。
- 已接受的声明已验证。
突出显示的日志:
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3
请求和响应相关:
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>
整个异常抛出是:
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Trying hard to validate XML signature using all available keys.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] SAML Response Document: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IssueInstant="2019-01-09T10:25:48.352Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:xmlns:ds::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:URI
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:KeyInfo::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.common] (default task-23) [] Verification failed for key null: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] the keyselector did not find a validation key: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:552) [xmlsec-2.0.5.jar:2.0.5]
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [xmlsec-2.0.5.jar:2.0.5]
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:510)
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:474)
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:455)
at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:180)
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:543) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:269) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:190) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.undertow.AbstractSamlAuthMech.authenticate(AbstractSamlAuthMech.java:115) [keycloak-saml-undertow-adapter-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.access0(SecurityContextImpl.java:231) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl.authTransition(SecurityContextImpl.java:99) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl.authenticate(SecurityContextImpl.java:92) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.corvletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.corvletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.corvletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at org.wildfly.extension.undertow.cocurity.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.access0(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.call(ServletInitialHandler.java:138) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.call(ServletInitialHandler.java:135) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.core.corvletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at org.wildfly.extension.undertow.cocurity.cocurityContextThreadSetupAction.lambda$create[=13=](SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at io.undertow.corvlet.handlers.corvletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.access[=13=]0(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.handleRequest(ServletInitialHandler.java:104) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.Connectors.executeRootHandler(Connectors.java:330) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.HttpServerExchange.run(HttpServerExchange.java:812) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_181]
at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_181]
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,825 TRACE [org.keycloak.saml.common] (default task-23) [] Trying hard to validate XML signature using all available keys.
发现问题的根本原因主要是 ADFS 证书未通过即时更新更新到服务提供商端。将正确的证书更新到 ADFS 并重新启动 ADFS 服务器后。问题已解决。
但是,您必须遵循以下答案中提到的正确 PKI。
我正在使用 SAML 身份验证机制来验证我的应用程序。我将 IDP 服务器用作 ADFS,将 SP 用作 JBoss EAP 7.1.4。我已经添加了与 IDP 和 sp 服务器相关的所有配置,但是在验证 saml 响应时给出下面提到的异常。
它在另一个 ADFS 服务器上运行良好,但 ADFS 服务器已更改,因此在添加所有添加的配置后,
- 已验证证书是否正确。唯一的区别是新的 ADFS 使用通配符证书 *.dev.adfs.com link that.
- 已验证 SP 服务器端证书,使用 windows 相关证书。
- 已接受的声明已验证。
突出显示的日志:
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3
请求和响应相关:
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>
整个异常抛出是:
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Trying hard to validate XML signature using all available keys.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] SAML Response Document: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IssueInstant="2019-01-09T10:25:48.352Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:xmlns:ds::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:URI
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:KeyInfo::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.common] (default task-23) [] Verification failed for key null: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] the keyselector did not find a validation key: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:552) [xmlsec-2.0.5.jar:2.0.5]
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [xmlsec-2.0.5.jar:2.0.5]
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:510)
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:474)
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:455)
at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:180)
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:543) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:269) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:190) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at org.keycloak.adapters.saml.undertow.AbstractSamlAuthMech.authenticate(AbstractSamlAuthMech.java:115) [keycloak-saml-undertow-adapter-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.access0(SecurityContextImpl.java:231) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl.authTransition(SecurityContextImpl.java:99) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.impl.cocurityContextImpl.authenticate(SecurityContextImpl.java:92) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.corvletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.corvletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.corvletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.cocurity.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.cocurity.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at org.wildfly.extension.undertow.cocurity.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.access0(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.call(ServletInitialHandler.java:138) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.call(ServletInitialHandler.java:135) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.core.corvletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at org.wildfly.extension.undertow.cocurity.cocurityContextThreadSetupAction.lambda$create[=13=](SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1501)
at io.undertow.corvlet.handlers.corvletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.access[=13=]0(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corvlet.handlers.corvletInitialHandler.handleRequest(ServletInitialHandler.java:104) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.Connectors.executeRootHandler(Connectors.java:330) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at io.undertow.corver.HttpServerExchange.run(HttpServerExchange.java:812) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_181]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_181]
at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_181]
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,825 TRACE [org.keycloak.saml.common] (default task-23) [] Trying hard to validate XML signature using all available keys.
发现问题的根本原因主要是 ADFS 证书未通过即时更新更新到服务提供商端。将正确的证书更新到 ADFS 并重新启动 ADFS 服务器后。问题已解决。 但是,您必须遵循以下答案中提到的正确 PKI。