Sustainsys Saml2 身份验证失败不清楚消息
Sustainsys Saml2 Authentication failed unclear message
我在 .Net 4.8 中使用 Systainsys SAML2 owin 库。启用日志记录后,我记录了此响应。我不明白问题出在哪里我正在编辑 SAML 响应 JIC
中的一些内容
Saml2 验证失败。收到的 SAML 数据为
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="https://####.####.com/Saml2/Acs" ID="_c68e19d777a7a13bab9ff8d54e83ad54" InResponseTo="id4cced0bf2ffe4967a605d630433a5b72" IssueInstant="2020-12-29T08:34:21Z" Version="2.0">
<saml:Issuer>https://ut1-www.is.sg.######.com/_fed/1/244023058963</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_c68e19d777a7a13bab9ff8d54e83ad54">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>gDIpQQwjNoeuy99R70CK3foRdds=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>quIekezIAu/n4BzOFuhFLqGhV4s80O0dPeogYufJq/oz6hxFqVETwnZ4ogd+62gyAX7EpRQ2q/NT
EdnnonD7RIVK89E5/K+LXjNWpXGxYFOmyrjUVCpWpo4WoNh720TkRwAAOnDSSnimb/EZf/c74dFp
4O5oNPC2r1uYYZ2ka6Zz0BcwnDIkFnJ60Q90ooJlYKZyBgGWpia7iyr3B61FCb/4bd6XWo5f3OZX
+mUPkacouj8nvYVAnbvOZZd+jXsOEkPvBCiCT+iEOrd4zzGkdPnowN9/eDljGYmBvT7GdqkrDIN6
2UMiBArIe0lk9LkhLNSHWl0o4Fd7ca6i96tZeA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDA....</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion ID="_4c8ae5013fa6e1c8ba67d5274cec9bbd" IssueInstant="2020-12-29T08:34:21Z" Version="2.0">
<saml:Issuer>https://ut1-www.is.sg.#####.com/_fed/1/244023058963</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">######</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="id4cced0bf2ffe4967a605d630433a5b72" NotOnOrAfter="2020-12-29T08:39:21Z" Recipient="https://#####.#####.com/Saml2/Acs" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-29T08:34:21Z" NotOnOrAfter="2020-12-29T08:39:21Z">
<saml:AudienceRestriction>
<saml:Audience>https://####.#####.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-12-29T08:34:21Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
编辑
启用 Katana 日志记录后我收到此错误
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException:IDX10214:观众验证失败。听众:'https://.soterion.com/SAML2'。不匹配:validationParameters.ValidAudience:'https://.soterion.com/Saml2' 或 validationParameters.ValidAudiences:'null'。
在 Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) 在 C:\agent2_work\s\src\Microsoft.IdentityModel.Tokens\Validators.cs:line 108
在 Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) 在 C:\agent2_work\s\src\Microsoft.IdentityModel.Tokens.Saml\Saml2\Saml2SecurityTokenHandler.cs:line 948
Owin 库在故障排除时非常不友好。启用 Katana 日志记录以获取更多详细信息。
您需要设置令牌验证参数。 Audiences 的值将是您应用程序的实体 ID,然后传递 tokenvalidation 参数进行验证。
TokenValidationParameter parameters = new TokenValidationParameters();
parameters.ValidAudiences = new string[] {entity ID of SP}
我在 .Net 4.8 中使用 Systainsys SAML2 owin 库。启用日志记录后,我记录了此响应。我不明白问题出在哪里我正在编辑 SAML 响应 JIC
中的一些内容Saml2 验证失败。收到的 SAML 数据为
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="https://####.####.com/Saml2/Acs" ID="_c68e19d777a7a13bab9ff8d54e83ad54" InResponseTo="id4cced0bf2ffe4967a605d630433a5b72" IssueInstant="2020-12-29T08:34:21Z" Version="2.0">
<saml:Issuer>https://ut1-www.is.sg.######.com/_fed/1/244023058963</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_c68e19d777a7a13bab9ff8d54e83ad54">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>gDIpQQwjNoeuy99R70CK3foRdds=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>quIekezIAu/n4BzOFuhFLqGhV4s80O0dPeogYufJq/oz6hxFqVETwnZ4ogd+62gyAX7EpRQ2q/NT
EdnnonD7RIVK89E5/K+LXjNWpXGxYFOmyrjUVCpWpo4WoNh720TkRwAAOnDSSnimb/EZf/c74dFp
4O5oNPC2r1uYYZ2ka6Zz0BcwnDIkFnJ60Q90ooJlYKZyBgGWpia7iyr3B61FCb/4bd6XWo5f3OZX
+mUPkacouj8nvYVAnbvOZZd+jXsOEkPvBCiCT+iEOrd4zzGkdPnowN9/eDljGYmBvT7GdqkrDIN6
2UMiBArIe0lk9LkhLNSHWl0o4Fd7ca6i96tZeA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDA....</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion ID="_4c8ae5013fa6e1c8ba67d5274cec9bbd" IssueInstant="2020-12-29T08:34:21Z" Version="2.0">
<saml:Issuer>https://ut1-www.is.sg.#####.com/_fed/1/244023058963</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">######</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="id4cced0bf2ffe4967a605d630433a5b72" NotOnOrAfter="2020-12-29T08:39:21Z" Recipient="https://#####.#####.com/Saml2/Acs" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-12-29T08:34:21Z" NotOnOrAfter="2020-12-29T08:39:21Z">
<saml:AudienceRestriction>
<saml:Audience>https://####.#####.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-12-29T08:34:21Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
编辑
启用 Katana 日志记录后我收到此错误
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException:IDX10214:观众验证失败。听众:'https://.soterion.com/SAML2'。不匹配:validationParameters.ValidAudience:'https://.soterion.com/Saml2' 或 validationParameters.ValidAudiences:'null'。 在 Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) 在 C:\agent2_work\s\src\Microsoft.IdentityModel.Tokens\Validators.cs:line 108 在 Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters) 在 C:\agent2_work\s\src\Microsoft.IdentityModel.Tokens.Saml\Saml2\Saml2SecurityTokenHandler.cs:line 948
Owin 库在故障排除时非常不友好。启用 Katana 日志记录以获取更多详细信息。
您需要设置令牌验证参数。 Audiences 的值将是您应用程序的实体 ID,然后传递 tokenvalidation 参数进行验证。
TokenValidationParameter parameters = new TokenValidationParameters();
parameters.ValidAudiences = new string[] {entity ID of SP}