当我从本地 IdP SAML SSO 登录 AWS 时出现 ExpiredTokenException
ExpiredTokenException when I SAML SSO login AWS from my local IdP
我正在本地构建一个 IdP 并在 AWS IAM 设置中配置了 IdP,现在我想从我的本地启动一个 IdP 初始 SSO 并登录 AWS,但是错误总是显示在 AWS 页面中:
响应已过期(服务:AWSSecurityTokenService;状态代码:400;错误代码:ExpiredTokenException;请求 ID:18fc7e20-97eb-11e9-97e4-0f55a663916e)。请重试。
遇到这种情况怎么办?
任何帮助将不胜感激。
这是 SAML 响应
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://signin.aws.amazon.com/saml"
ID="_9119012392457125943"
IssueInstant="2019-06-26T07:26:21.686Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_9119012392457125943">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>dcPz91uzrgFsoVvQafIH0erSoy9SsGQqs+NrEhEzpQ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
J+U7AcD8QTXlgAvcGl4TIUrb5Q1CgJfJ/rP4VUEOeF67NvGQM12cA3HLzoFevMOxluwA4dleWuTd
I+Tsfc7QCuY6CZ9dsWCYhSP7jfpoAsbDwAGUqAiUf2sEC5jackNs5x1oobYac/9POzHesuelkQAF
Ld3zwxc7O+O3bH2pSC/FO0//b+mAZMdGVcYel2qyAgcW2Cwl41rl0YoSBv4zG435q17PqpIfh5tx
w/0UsYbuvdQIFcPE58okw8Q27XR8QdyD3b/9SGOm5s+v8JX/znapcf8KfeoNodvVu+hho9b/79i0
1H8aF/lTpOKq6xBL8zzK/m0Gqjjap8+Q7oR1xw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
<saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
ID="_4072804912448579929"
IssueInstant="2019-06-26T07:25:33.546Z"
Version="2.0"
>
<saml2:Issuer>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_4072804912448579929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>QE9YpUj05wSf69eoo/w+e3kcI458dSe/zfiFIGYJ9/s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ddCEn8eKvZQlqPXTf6NIzY2Y2OE3EvXYjQxNrvlWHUy5mD0J/hMpA1BjE1vMVsPtYs9+b8hqNMQC
vO3dBomyZ4fxMVeidUmKOVVxD/657zGeHpwKWWacb8bpvVptfv12SoSlCwR5daJmchv1D5VBJ7xU
2o7WXEx4mBH8M4Hq4jiysrVaqgCjbU6q8toNhvIo3fJSLpMQNMZt2oGQkAD1t520WSl6u7hL+FqW
z6PD/UlR/tlhNoyrlhK6SIkqqHC/xrVGXi/JDLWEZm8n6QwiSus/IlPHKmn7nXjwx6hQjRC0HjNt
/G+GdhSd+9Rz8VEKcrNZ19Fh/yQRvJgREEaALQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">fengAWS</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2019-06-26T07:25:28.267Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-26T07:25:36.485Z"
NotOnOrAfter="2019-06-26T07:58:56.485Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-26T07:25:28.267Z"
SessionIndex="_320981710988786175"
>
<saml2:SubjectLocality Address="urn:amazon:webservices" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="isFromNewLogin"
Name="isFromNewLogin"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationDate"
Name="authenticationDate"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>2019-06-26T15:25:18.192+08:00[Asia/Shanghai]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationMethod"
Name="authenticationMethod"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
Name="successfulAuthenticationHandlers"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
Name="longTermAuthenticationRequestTokenUsed"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::490595513456:role/ParaSSO,arn:aws:iam::490595513456:saml-provider/Para</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="username"
Name="username"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
问题 1:我正在本地构建 IdP 并在 AWS IAM 设置中配置了 IdP,现在我想从我的 IdP 初始 SSO 开始本地和登录 AWS,但错误始终显示在 AWS 页面中:
响应已过期(服务:AWSSecurityTokenService;状态代码:400;错误代码:ExpiredTokenException;请求 ID:18fc7e20-97eb-11e9-97e4-0f55a663916e)。请重试。
遇到这种情况我该怎么办?任何帮助将不胜感激。
回答:
这是典型的 AWS-SAML IdP 联合用户错误(服务:AWSSecurityTokenService;状态代码:400;错误代码:ExpiredTokenException)。
SAML Response/Asserion/Token 必须在您的 SAML IdP 提供的发行后 5 分钟内兑换。
分辨率:
(I) 检查您的 SAML IdP Server 的时间是否与 NTP 服务器同步。
(II) 在您的 SAML IdP 服务器的时间与 AWS 服务器时区同步后(在 1 分钟或更短时间内),重新启动您的 SAML IdP。
问题2:错误页面截图
这是 SAML 响应
回答:
您的错误页面截图表明您的 AWS 角色是 MySSO,但您的 SAML 响应表明您的 AWS 角色是 ParaSSO。这将导致另一个 AWS-SAML IdP 联合用户错误。
我在另一个 Whosebug 问题 Why is Cognito rejecting my SAML assertion? 中与 Amazon AWS 分享了我在 Shibboleth SAML IdP 上的单点登录 (SSO) 成功经验。
下面提供了我成功登录 AWS 的 SAML 响应,供您参考。
<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
ID="_fc89710799c4c2c540341e94bf7132d5"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.com/idp/shibboleth"
SPNameQualifier="urn:amazon:webservices"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.150.10"
NotOnOrAfter="2019-06-11T18:54:38.412Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
NotOnOrAfter="2019-06-11T18:54:38.300Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
>
<saml2:SubjectLocality Address="192.168.150.10" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>winston.hong@example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Follow-up 问题3: 我改了skewAllowance,ExpiredTokenException 没有了,但是还是报AccessDenied 错误,请问有什么想法吗?
回答:
我从 SAML 断言中提取 SAML 属性 "Role"(如下所示)。可以看到 "Role" 属性由两个值 "role" 和 "saml-provider" 组成。
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
您需要确保 "Role" 属性的两个值(由 SAML assertion/SAML 响应携带)应该与您通过 Amazon AWS 管理控制台声明的完全相同。示例 #1:本地 IdP 的 ParaSSO 和 Para;示例 #2:我的 SAML IdP 的 shibbolethidp 和 Shibboleth-IdP。任何细微的差异都会导致 "Error Code: AccessDenied;".
Sub-question (3.a): 我试过 okta/onelogin 它可以 SAML 成功访问我的 AWS,并检查了 saml response/aws iam 配置,与我的本地 IdP 没有太大区别,我在内部网络 192.168.2.237 中启动了我的 IdP 服务器,是因为本地地址有一些 AWS 限制还是什么?任何帮助将不胜感激。
响应:
(I) 本地地址没有 AWS 限制,如我成功登录 AWS 的 SAML 响应所示。我还使用本地 Shibboleth IdP 成功登录到 Amazon AWS 管理控制台。
<saml2:SubjectLocality Address="192.168.150.10" />
(II) 除了"Role"属性和"RoleSessionName"属性外,您需要确保您本地IdP的SAML IdP元数据包含Amazon AWS要求的完整准确的SAML认证信息,至少 public certificate/key 用于验证签名断言和 SAML IdP 颁发者。
(II.a) 一个典型的拒绝访问错误是您的本地 IdP 元数据提供了错误的 public certificate/key 来验证对 Amazon AWS 的签名断言。
(II.b) 为方便起见,GitHub 存储库中的 How to build and run Shibboleth SAML IdP and SP using Docker container 提供了一个 Shibboleth SAML IdP 元数据 "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml",该元数据已通过 Amazon AWS 的成功 SSO 验证.此 Shibboleth SAML IdP 元数据包含三个签名证书(签名响应、签名断言和加密断言)。
(II.c) Amazon AWS 将从您的 SAML IdP 元数据中提取 public certificate/key 用于签名断言。在我的 Shibboleth IdP 元数据 "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" 中,由上述 link 在 GitHub 存储库提供,第二个 public certificate/key (或签名证书)被亚马逊 AWS 用于验证签名断言。
(III) 为了您的方便,我已经第 9 次提交将 Amazon AWS SP 元数据和相应的 SAML 配置上传到 How to build and run Shibboleth SAML IdP and SP using Docker container。
请注意 我已经使用 Shibboleth IdP running with Docker Container with the 9th commit.[=19= 成功登录了用户名 "winston.hong@example.com" 的亚马逊 AWS 帐户("my-aws-id",例如 123456789012) ]
参考第9次提交到How to build and run Shibboleth SAML IdP and SP using Docker container执行Shibboleth SAML IdP配置,您可以登录您的Amazon AWS账户("my-aws-id" ,例如 123456789012) 以及您的用户名(例如 "winston.hong@your-company.com"),由 Shibboleth IdP 联合。
(IV) 我在另一个 Whosebug 问题 Why is Cognito rejecting my SAML assertion?.
上分享了我在 Amazon AWS 的 Shibboleth IdP SSO 上成功配置 SAML 的经验
我正在本地构建一个 IdP 并在 AWS IAM 设置中配置了 IdP,现在我想从我的本地启动一个 IdP 初始 SSO 并登录 AWS,但是错误总是显示在 AWS 页面中:
响应已过期(服务:AWSSecurityTokenService;状态代码:400;错误代码:ExpiredTokenException;请求 ID:18fc7e20-97eb-11e9-97e4-0f55a663916e)。请重试。
遇到这种情况怎么办? 任何帮助将不胜感激。
这是 SAML 响应
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://signin.aws.amazon.com/saml"
ID="_9119012392457125943"
IssueInstant="2019-06-26T07:26:21.686Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_9119012392457125943">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>dcPz91uzrgFsoVvQafIH0erSoy9SsGQqs+NrEhEzpQ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
J+U7AcD8QTXlgAvcGl4TIUrb5Q1CgJfJ/rP4VUEOeF67NvGQM12cA3HLzoFevMOxluwA4dleWuTd
I+Tsfc7QCuY6CZ9dsWCYhSP7jfpoAsbDwAGUqAiUf2sEC5jackNs5x1oobYac/9POzHesuelkQAF
Ld3zwxc7O+O3bH2pSC/FO0//b+mAZMdGVcYel2qyAgcW2Cwl41rl0YoSBv4zG435q17PqpIfh5tx
w/0UsYbuvdQIFcPE58okw8Q27XR8QdyD3b/9SGOm5s+v8JX/znapcf8KfeoNodvVu+hho9b/79i0
1H8aF/lTpOKq6xBL8zzK/m0Gqjjap8+Q7oR1xw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
<saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
ID="_4072804912448579929"
IssueInstant="2019-06-26T07:25:33.546Z"
Version="2.0"
>
<saml2:Issuer>http://localhost/lighting/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_4072804912448579929">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>QE9YpUj05wSf69eoo/w+e3kcI458dSe/zfiFIGYJ9/s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ddCEn8eKvZQlqPXTf6NIzY2Y2OE3EvXYjQxNrvlWHUy5mD0J/hMpA1BjE1vMVsPtYs9+b8hqNMQC
vO3dBomyZ4fxMVeidUmKOVVxD/657zGeHpwKWWacb8bpvVptfv12SoSlCwR5daJmchv1D5VBJ7xU
2o7WXEx4mBH8M4Hq4jiysrVaqgCjbU6q8toNhvIo3fJSLpMQNMZt2oGQkAD1t520WSl6u7hL+FqW
z6PD/UlR/tlhNoyrlhK6SIkqqHC/xrVGXi/JDLWEZm8n6QwiSus/IlPHKmn7nXjwx6hQjRC0HjNt
/G+GdhSd+9Rz8VEKcrNZ19Fh/yQRvJgREEaALQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDFjCCAf6gAwIBAgIVANvOACsHPeGyNtU+z6lwITrQht8JMA0GCSqGSIb3DQEBCwUAMBgxFjAU
BgNVBAMMDTE5Mi4xNjguMi4yMzcwHhcNMTkwNjI1MDM0NDE1WhcNMzkwNjI1MDM0NDE1WjAYMRYw
FAYDVQQDDA0xOTIuMTY4LjIuMjM3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgef
LeT3WJIXwsW4IkO6utW0C6ARGdd6p6Q6NyYqPvGKACxScl1hUjpKaUdMeTKme1gpsvz5ho33B6sx
uYVZwS+g9gA6VBcAguwnHViDAYrYL4meggBUXDgLv5YxgMtFoKzyvYHoZI6mU1LaOV4sFbk2/UBE
X0TajsgzRN+w7/9YJcvfEHArideYWPZtobTEv/JvLEg+10Tncpa6dW7m9Vqpkm0HWfiPMp+vvoPD
ebKgMWo6U79yHjqRayPkwccQfVuzyrynE90HdA1T4FIbznc++O+OY68nndTJqJz+BhbhZqoIqLLM
sHoRXcexc26usEk4bXSlAt2ZWHg6j2baKQIDAQABo1cwVTAdBgNVHQ4EFgQUhf/SjfLdHAsFiwqy
KEVHAyPmM3EwNAYDVR0RBC0wK4INMTkyLjE2OC4yLjIzN4YaMTkyLjE2OC4yLjIzNy9pZHAvbWV0
YWRhdGEwDQYJKoZIhvcNAQELBQADggEBABszuNtGLSrQHKOU35ucB58+Si84xbcFg2L9A7NSKCZp
KC1K8hf5/yBlWZeYANtbz9zBH+IE7HQfCqMmqYFRZIMV5bn1zz376iWOt/meUEIOTguDFBcE1d9P
1N08527e5VZZ8z4Quoar+UZsux2gRyftZCbiDPZ3jztWXZQH4kmjKfPfYnTHmAJyJ0BpZPGdItD/
cTUsFEO6aVi/q/dSnyuAIgifjv+GcsCLvr9mNgYqU1zbSNdfg/uE1brczOxdjX/dgKq8F9YV2X/k
W7f1+UDweMZ/jjY6wX7rGtMRI53y1AOexaT2m6qLjgykgr8mL10cA2zYFOY1IWdZaTtSmL4=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">fengAWS</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2019-06-26T07:25:28.267Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-26T07:25:36.485Z"
NotOnOrAfter="2019-06-26T07:58:56.485Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-26T07:25:28.267Z"
SessionIndex="_320981710988786175"
>
<saml2:SubjectLocality Address="urn:amazon:webservices" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="isFromNewLogin"
Name="isFromNewLogin"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationDate"
Name="authenticationDate"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>2019-06-26T15:25:18.192+08:00[Asia/Shanghai]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationMethod"
Name="authenticationMethod"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
Name="successfulAuthenticationHandlers"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>QueryDatabaseAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
Name="longTermAuthenticationRequestTokenUsed"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::490595513456:role/ParaSSO,arn:aws:iam::490595513456:saml-provider/Para</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="username"
Name="username"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>fengAWS</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
问题 1:我正在本地构建 IdP 并在 AWS IAM 设置中配置了 IdP,现在我想从我的 IdP 初始 SSO 开始本地和登录 AWS,但错误始终显示在 AWS 页面中:
响应已过期(服务:AWSSecurityTokenService;状态代码:400;错误代码:ExpiredTokenException;请求 ID:18fc7e20-97eb-11e9-97e4-0f55a663916e)。请重试。
遇到这种情况我该怎么办?任何帮助将不胜感激。
回答:
这是典型的 AWS-SAML IdP 联合用户错误(服务:AWSSecurityTokenService;状态代码:400;错误代码:ExpiredTokenException)。
SAML Response/Asserion/Token 必须在您的 SAML IdP 提供的发行后 5 分钟内兑换。
分辨率:
(I) 检查您的 SAML IdP Server 的时间是否与 NTP 服务器同步。
(II) 在您的 SAML IdP 服务器的时间与 AWS 服务器时区同步后(在 1 分钟或更短时间内),重新启动您的 SAML IdP。
问题2:错误页面截图
这是 SAML 响应
回答:
您的错误页面截图表明您的 AWS 角色是 MySSO,但您的 SAML 响应表明您的 AWS 角色是 ParaSSO。这将导致另一个 AWS-SAML IdP 联合用户错误。
我在另一个 Whosebug 问题 Why is Cognito rejecting my SAML assertion? 中与 Amazon AWS 分享了我在 Shibboleth SAML IdP 上的单点登录 (SSO) 成功经验。
下面提供了我成功登录 AWS 的 SAML 响应,供您参考。
<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
ID="_fc89710799c4c2c540341e94bf7132d5"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928"
IssueInstant="2019-06-11T18:49:38.300Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xsd"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM652
3lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0
cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM
/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMq
VzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAb
BgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0
NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu
/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2
RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJa
LqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P
0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQW
BBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYr
aHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgk
AAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3
wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP
6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTu
qTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXO
fI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.com/idp/shibboleth"
SPNameQualifier="urn:amazon:webservices"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="192.168.150.10"
NotOnOrAfter="2019-06-11T18:54:38.412Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z"
NotOnOrAfter="2019-06-11T18:54:38.300Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z"
SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357"
>
<saml2:SubjectLocality Address="192.168.150.10" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="RoleSessionName"
Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>winston.hong@example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Follow-up 问题3: 我改了skewAllowance,ExpiredTokenException 没有了,但是还是报AccessDenied 错误,请问有什么想法吗?
回答:
我从 SAML 断言中提取 SAML 属性 "Role"(如下所示)。可以看到 "Role" 属性由两个值 "role" 和 "saml-provider" 组成。
<saml2:Attribute FriendlyName="Role"
Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" >
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
</saml2:Attribute>
您需要确保 "Role" 属性的两个值(由 SAML assertion/SAML 响应携带)应该与您通过 Amazon AWS 管理控制台声明的完全相同。示例 #1:本地 IdP 的 ParaSSO 和 Para;示例 #2:我的 SAML IdP 的 shibbolethidp 和 Shibboleth-IdP。任何细微的差异都会导致 "Error Code: AccessDenied;".
Sub-question (3.a): 我试过 okta/onelogin 它可以 SAML 成功访问我的 AWS,并检查了 saml response/aws iam 配置,与我的本地 IdP 没有太大区别,我在内部网络 192.168.2.237 中启动了我的 IdP 服务器,是因为本地地址有一些 AWS 限制还是什么?任何帮助将不胜感激。
响应:
(I) 本地地址没有 AWS 限制,如我成功登录 AWS 的 SAML 响应所示。我还使用本地 Shibboleth IdP 成功登录到 Amazon AWS 管理控制台。
<saml2:SubjectLocality Address="192.168.150.10" />
(II) 除了"Role"属性和"RoleSessionName"属性外,您需要确保您本地IdP的SAML IdP元数据包含Amazon AWS要求的完整准确的SAML认证信息,至少 public certificate/key 用于验证签名断言和 SAML IdP 颁发者。
(II.a) 一个典型的拒绝访问错误是您的本地 IdP 元数据提供了错误的 public certificate/key 来验证对 Amazon AWS 的签名断言。
(II.b) 为方便起见,GitHub 存储库中的 How to build and run Shibboleth SAML IdP and SP using Docker container 提供了一个 Shibboleth SAML IdP 元数据 "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml",该元数据已通过 Amazon AWS 的成功 SSO 验证.此 Shibboleth SAML IdP 元数据包含三个签名证书(签名响应、签名断言和加密断言)。
(II.c) Amazon AWS 将从您的 SAML IdP 元数据中提取 public certificate/key 用于签名断言。在我的 Shibboleth IdP 元数据 "shibboleth-idp-dockerized/ext-conf/metadata/idp-metadata.xml" 中,由上述 link 在 GitHub 存储库提供,第二个 public certificate/key (或签名证书)被亚马逊 AWS 用于验证签名断言。
(III) 为了您的方便,我已经第 9 次提交将 Amazon AWS SP 元数据和相应的 SAML 配置上传到 How to build and run Shibboleth SAML IdP and SP using Docker container。
请注意 我已经使用 Shibboleth IdP running with Docker Container with the 9th commit.[=19= 成功登录了用户名 "winston.hong@example.com" 的亚马逊 AWS 帐户("my-aws-id",例如 123456789012) ]
参考第9次提交到How to build and run Shibboleth SAML IdP and SP using Docker container执行Shibboleth SAML IdP配置,您可以登录您的Amazon AWS账户("my-aws-id" ,例如 123456789012) 以及您的用户名(例如 "winston.hong@your-company.com"),由 Shibboleth IdP 联合。
(IV) 我在另一个 Whosebug 问题 Why is Cognito rejecting my SAML assertion?.
上分享了我在 Amazon AWS 的 Shibboleth IdP SSO 上成功配置 SAML 的经验