WS-Trust 未使用 PHP 进行身份验证

WS-Trust not authenticating with PHP

这让我很头疼.... 我在这里缺少什么......必须是带有时间戳的东西,因为当我玩这些时我会得到不同的错误......

我有以下信封(供应商是这样给我使用的) 但它一直在给我

<s:Body> <s:Fault> <s:Code> <s:Value> s:Sender</s:Value> <s:Subcode> <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> a:InvalidSecurity</s:Value> </s:Subcode> </s:Code> <s:Reason> <s:Text xml:lang="en-US"> An error occurred when verifying security for the message.</s:Text> </s:Reason> </s:Fault> </s:Body>

这是我的代码:

$c = $this->getTimestamp();
    $e = $this->getTimestamp(300);


$envelope = '
       <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
            <a:MessageID>urn:uuid:4137dbed-db9f-40d9-ba9c-6fc82eb8aa46</a:MessageID>
            <a:ReplyTo>
                <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
            </a:ReplyTo>
            <a:To s:mustUnderstand="1">https://sts.service.net/adfs/services/trust/13/usernamemixed</a:To>
            <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <u:Timestamp u:Id="_0">
                    <u:Created>'.$c.'</u:Created>
                    <u:Expires>'.$e.'</u:Expires>
                </u:Timestamp>
                <o:UsernameToken u:Id="uuid-4137dbed-db9f-40d9-ba9c-6fc82eb8aa46">
                    <o:Username>'.$username.'</o:Username>
                    <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">'.$password.'</o:Password>
                </o:UsernameToken>
            </o:Security>
        </s:Header>
        <s:Body>
            <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                        <wsa:Address>'.$appliesTo.'</wsa:Address>
                    </wsa:EndpointReference>
                </wsp:AppliesTo>
                <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
                <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
            </trust:RequestSecurityToken>
        </s:Body>
       </s:Envelope>
       ';


        $soap_do = curl_init();
        curl_setopt($soap_do, CURLOPT_URL,"https://sts.service.net/adfs/services/trust/13/usernamemixed");
        curl_setopt($soap_do, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($soap_do, CURLOPT_HEADER, 0);
        curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 20);
        curl_setopt($soap_do, CURLOPT_TIMEOUT,        20);
        curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($soap_do, CURLOPT_POST,           true );            
        curl_setopt($soap_do, CURLOPT_POSTFIELDS,     $envelope); 
        curl_setopt($soap_do, CURLOPT_HTTPHEADER,     array('Content-Type: application/soap+xml; charset=utf-8'));

        $this->payload = curl_exec($soap_do);

您将当前时间戳记同时放在 Created 元素和 Expires 元素中。这意味着当接收方收到 RST 时,消息将过期并且接收方将被迫拒绝它。使用例如:

gmdate("Y-m-d\TH:i:s\Z", time() + 300);

对于 Expires 元素。

还要检查时钟漂移:客户端和服务器上的时间应该同步。

最后但同样重要的是:默认情况下,ADFS 2.0 将尝试加密响应中的令牌,因此它需要为依赖方配置加密证书。确保您已经为与 appliesTo 关联的实体配置了一个。 ADFS 错误日志应该会为您提供有关该错误的提示。

我做了以下操作来解决这个问题。 我已经更改了 current_time - 300 秒和 current_time + 3600 秒

有效