在此响应中未找到有效的 SubjectConfirmation,laravel 和 saml2
A valid SubjectConfirmation was not found on this Response, laravel and saml2
过去几天我一直在努力弄清楚为什么我从 IdP 得到的响应被我正在使用的包拒绝了。我正在使用这个 https://github.com/aacotroneo/laravel-saml2
这是我得到的回复:
xml: """
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="vDJfB_2Fr9fGfh9izuYf6pSoE6q" IssueInstant="2020-11-04T08:55:23.144Z" InResp ▶
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idP</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="kle-id.i4AcYYOSNJEX0biJ1lhh" IssueInstant="2020-11-04T08:55:23.302Z" Version="2.0">
<saml:Issuer>idP</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#kle-id.i4AcYYOSNJEX0biJ1lhh">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Bm0ARLP+duLFtM0UwVkXYr+W9PRSYYuW4sv0rzQsGlI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RlvQm/VDU13e1oFU+y/0wr//bA6blrYBQER+57/hHq+SBRPDJl8hpEXnLaiv5AAEtzVteJrlhgc+
9YbTg8478l8hmBfVZVzlIa0POypWrNA8lwzhwDRAsQtbxypY3RPwKW0SSs6kq0K0EduxecG4grcl
1lWEpTRBtdv/NqVg6w8swSQzMXXf0GKjmqeagAqm3HeA6nSNc2T02ChwQ/78OZEbZjDaKj2Rqv2Y
1zqf/xyM2QZES3IlVfA5yekoJfG81sZYn5s+RiTsqFjAMvKrBsaPbEMZoT3ZcFQLY+/b08cTxCEM
RirLXRp86rAHhqps0+y1j9eFg0HWdvTO/3Ss0w==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
DELETED FOR PRIVACY REASONS
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
DELETED
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DELETED FOR PRIVACY REASONS</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="DELETED FOR PRIVACY REASONS" NotOnOrAfter="2020-11-04T09:00:23.305Z" InResponseTo="ONELOGIN_6134c96d0e247a491cc1a83286b4226c2d30004a"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-11-04T08:50:23.305Z" NotOnOrAfter="2020-11-04T09:00:23.305Z">
<saml:AudienceRestriction>
<saml:Audience>DELETED FOR PRIVACY REASONS</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="kle-id.i4AcYYOSNJEX0biJ1lhh" AuthnInstant="2020-11-04T08:36:22.912Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
"""
我不确定发生了什么,但我一直在跟踪验证过程;在我看来,它是在 OneLogin\Saml2\Response.php 第 359 行检查 NotBefore 属性之后拒绝了此响应。
谁能帮我弄清楚这到底是怎么回事?
idp 来自 PingFederate
对照响应中的时间戳:Conditions 的 NotBefore(08:50:23)比 IssueInstant(08:55:23)早 5 分钟,NotOnOrAfter(09:00:23)晚 5 分钟,可见 Ping 配置的允许时钟偏差为 5 分钟,这是正常/默认值。
在没有更具体错误消息的情况下,如果您的 SP 抱怨 NotBefore,听起来 IdP 服务器(PF)与您的 SP 应用之间存在时钟漂移问题。确保两台服务器在操作系统设置中不仅时间正确,而且时区也正确。如果您更改了系统时间,可能需要重新启动 PF 才能使更改生效。另外两点值得核对:其一,上面贴出的 SubjectConfirmationData 本身并没有 NotBefore 属性(NotBefore 只出现在 Conditions 上),而错误消息针对的是 SubjectConfirmation,因此还应检查其 Recipient 是否与 SP 实际接收响应的 ACS URL 完全一致(例如位于反向代理之后时,协议或主机名可能与 IdP 配置的不同),以及 InResponseTo 是否与 SP 为该次登录保存的 AuthnRequest ID 一致——这些失配可能同样只产生这条笼统的错误;其二,请通过修正时钟来解决,而不要放宽允许的时钟偏差或关闭时间校验,NotOnOrAfter/NotBefore 正是限制被截获断言被重放的手段。
过去几天我一直在努力弄清楚为什么我从 IdP 得到的响应被我正在使用的包拒绝了。我正在使用这个 https://github.com/aacotroneo/laravel-saml2 这是我得到的回复:
xml: """
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="vDJfB_2Fr9fGfh9izuYf6pSoE6q" IssueInstant="2020-11-04T08:55:23.144Z" InResp ▶
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idP</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="kle-id.i4AcYYOSNJEX0biJ1lhh" IssueInstant="2020-11-04T08:55:23.302Z" Version="2.0">
<saml:Issuer>idP</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#kle-id.i4AcYYOSNJEX0biJ1lhh">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Bm0ARLP+duLFtM0UwVkXYr+W9PRSYYuW4sv0rzQsGlI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RlvQm/VDU13e1oFU+y/0wr//bA6blrYBQER+57/hHq+SBRPDJl8hpEXnLaiv5AAEtzVteJrlhgc+
9YbTg8478l8hmBfVZVzlIa0POypWrNA8lwzhwDRAsQtbxypY3RPwKW0SSs6kq0K0EduxecG4grcl
1lWEpTRBtdv/NqVg6w8swSQzMXXf0GKjmqeagAqm3HeA6nSNc2T02ChwQ/78OZEbZjDaKj2Rqv2Y
1zqf/xyM2QZES3IlVfA5yekoJfG81sZYn5s+RiTsqFjAMvKrBsaPbEMZoT3ZcFQLY+/b08cTxCEM
RirLXRp86rAHhqps0+y1j9eFg0HWdvTO/3Ss0w==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
DELETED FOR PRIVACY REASONS
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
DELETED
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DELETED FOR PRIVACY REASONS</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="DELETED FOR PRIVACY REASONS" NotOnOrAfter="2020-11-04T09:00:23.305Z" InResponseTo="ONELOGIN_6134c96d0e247a491cc1a83286b4226c2d30004a"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-11-04T08:50:23.305Z" NotOnOrAfter="2020-11-04T09:00:23.305Z">
<saml:AudienceRestriction>
<saml:Audience>DELETED FOR PRIVACY REASONS</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="kle-id.i4AcYYOSNJEX0biJ1lhh" AuthnInstant="2020-11-04T08:36:22.912Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
"""
我不确定发生了什么,但我一直在跟踪验证过程;在我看来,它是在 OneLogin\Saml2\Response.php 第 359 行检查 NotBefore 属性之后拒绝了此响应。
谁能帮我弄清楚这到底是怎么回事? idp 来自 PingFederate
对照响应中的时间戳:Conditions 的 NotBefore(08:50:23)比 IssueInstant(08:55:23)早 5 分钟,NotOnOrAfter(09:00:23)晚 5 分钟,可见 Ping 配置的允许时钟偏差为 5 分钟,这是正常/默认值。
在没有更具体错误消息的情况下,如果您的 SP 抱怨 NotBefore,听起来 IdP 服务器(PF)与您的 SP 应用之间存在时钟漂移问题。确保两台服务器在操作系统设置中不仅时间正确,而且时区也正确。如果您更改了系统时间,可能需要重新启动 PF 才能使更改生效。另外两点值得核对:其一,上面贴出的 SubjectConfirmationData 本身并没有 NotBefore 属性(NotBefore 只出现在 Conditions 上),而错误消息针对的是 SubjectConfirmation,因此还应检查其 Recipient 是否与 SP 实际接收响应的 ACS URL 完全一致(例如位于反向代理之后时,协议或主机名可能与 IdP 配置的不同),以及 InResponseTo 是否与 SP 为该次登录保存的 AuthnRequest ID 一致——这些失配可能同样只产生这条笼统的错误;其二,请通过修正时钟来解决,而不要放宽允许的时钟偏差或关闭时间校验,NotOnOrAfter/NotBefore 正是限制被截获断言被重放的手段。