断言已过期 - Keycloak

Assertion expired - Keycloak

我正在进行 IDP 发起的登录,其中 Azure AD 是我的 IDP,Keycloak 是代理。我在 Keycloak 服务器控制台中遇到以下错误 -

11:02:17,571 DEBUG [org.keycloak.saml.common] (default task-9) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2021-01-01T05:32:17.571Z 11:02:17,575 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Evaluating Conditions of Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988. notBefore=2021-01-01T05:32:15.180Z, notOnOrAfter=2021-01-01T05:33:15.180Z, updatedNotBefore: 2021-01-01T05:32:10.180Z, updatedOnOrAfter=2021-01-01T05:33:20.180Z, now: 2021-01-01T05:32:17.571Z 11:02:17,578 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988 is not addressed to this SP. 11:02:17,579 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Allowed audiences are: [https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client, https://localhost:8443/auth/realms/demo] 11:02:17,579 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988 validity is INVALID 11:02:17,579 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-9) Assertion expired.

下面是屏幕上的错误信息 -

下面是来自 Azure AD 的 SAML 响应 -

 <samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client" ID="ID_b1be4149-323d-48cc-b168-2bb80b7f9441" IssueInstant="2021-01-01T05:32:17.181Z" Version="2.0">
    <saml:Issuer>https://localhost:8443/auth/realms/demo</saml:Issuer>
    <dsig:Signature
        xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <dsig:Reference URI="#ID_b1be4149-323d-48cc-b168-2bb80b7f9441">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <dsig:DigestValue>mjUOWFliMQNyplLPE4/Ft6TxAkWeRi7uR3pYcqLPlQQ=</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>ZTbyuqYzUuJYH74DMuU3aJZlinj9aP3GjlV7bI2fmzJJANW7/LEDda+qGMQ6x4/yu6LBA6gOLYF3wOqVEH+UQICotl0BUVANzA4rF5fI1oVWedW0KjR6KtgagppHFUJmPteIgiT677VWFVcdJZLlLMs46S+E587r/+jxbaC2c03W2qH1dog07Tw5ajqTcNsOiC1nOjhOj9pIfIERtDaGpLCFzxu+x0nuoMu91bDDjl9evqXvPV6iybmyFQJSCkJMEE37mJKisqeRmaQ+Qiw3nfd35/kivKX60GjhuKC0UYkt2uQEazn5EykxgDnoa7+CHZAYeKnKiCXvTwBxiPjhSQ==</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:KeyName>fSgfAWKE3nBNWMouTUNT3e-rG5UNyqu75SR0-unXWx8</dsig:KeyName>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIClzCCAX8CBgF2kTu+HTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARkZW1vMB4XDTIwMTIyMzIwMTEyMFoXDTMwMTIyMzIwMTMwMFowDzENMAsGA1UEAwwEZGVtbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI2ZZ7aZT2Qp3q3b0Ie18HT47IcKWHqxA5UXqSrPltoclTapZUAmwyD7E+Nc8uSlLiKg6BudxuWLjfpnylKCNfcV5IpJp46sOt3kXyui9UGDXZe8HUBeYHdrvVL3mKShnQ1eBFTE4BwRXVSNEOK8i0KyuKeCygIDB1e0vE16oSL1PItDLH8hnQnHvD7IX3hi9QjaYqgwREILdoa3F/Nv4hN1bcXpdTDVkairD0xge1S0E5Y3tBZND36JZExePWuOfw0jM4hvXaT6LLMYHvv6XjjqjJvBRsWVn5C9FlSlzXMI1X4ND7n+y1GLeq2MGKo6z8ADGBDy96gkuLrtLmpU8jMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAZLpjEhBuBDLz/TAZtCubu7+KBbZZCiWb6ymCZvCRDfxd6L+QPnbXxGDJPiEYB6Bpsrdun8N/KbCgKzu9KSlyjSrYTq6UGWz20h+bHumJ0JKYA262fm8o+YHGgAzJi2/liW8e4XeSYQ7t4MLRu7mgTCMAaCQAoWLt+PLVl9mpr+mbIi8ptRCxyGxQsr6b8u1J9tCzur7StSopfQ4kuM6QsooJwocG0HHDwnxmRV9lNmL1ix0u5XRWSECrkKMbdGiE/+P6CCc6T2Ff43myCpDXam6lprTKjftAGj86irevASvxQKJ74julecN2AsZVLlaW4sC4xzqOKxHm7HVuWEznBQ==</dsig:X509Certificate>
            </dsig:X509Data>
            <dsig:KeyValue>
                <dsig:RSAKeyValue>
                    <dsig:Modulus>jZlntplPZCnerdvQh7XwdPjshwpYerEDlRepKs+W2hyVNqllQCbDIPsT41zy5KUuIqDoG53G5YuN+mfKUoI19xXkikmnjqw63eRfK6L1QYNdl7wdQF5gd2u9UveYpKGdDV4EVMTgHBFdVI0Q4ryLQrK4p4LKAgMHV7S8TXqhIvU8i0MsfyGdCce8PshfeGL1CNpiqDBEQgt2hrcX82/iE3Vtxel1MNWRqKsPTGB7VLQTlje0Fk0PfolkTF49a45/DSMziG9dpPossxge+/peOOqMm8FGxZWfkL0WVKXNcwjVfg0Puf7LUYt6rYwYqjrPwAMYEPL3qCS4uu0ualTyMw==</dsig:Modulus>
                    <dsig:Exponent>AQAB</dsig:Exponent>
                </dsig:RSAKeyValue>
            </dsig:KeyValue>
        </dsig:KeyInfo>
    </dsig:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_ab13e885-3b1e-45d5-88ec-edff44a53988" IssueInstant="2021-01-01T05:32:17.180Z" Version="2.0">
        <saml:Issuer>https://localhost:8443/auth/realms/demo</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">akash.solankey@gmail.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2021-01-01T05:37:15.180Z" Recipient="https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2021-01-01T05:32:15.180Z" NotOnOrAfter="2021-01-01T05:33:15.180Z">
            <saml:AudienceRestriction>
                <saml:Audience>azure-ad-client</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2021-01-01T05:32:17.181Z" SessionIndex="b6ed36be-e94a-4928-ab6d-2082c4df1cb4::1f136816-2bad-4bd9-bfe0-f16169bf7638" SessionNotOnOrAfter="2021-01-01T15:32:17.181Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

PS - 我是 运行 独立 Keycloak 12.0.1

问题是我在 Azure IDP 设置中使用了错误的密钥斗篷领域 url 作为实体 ID。简而言之,因为我使用的是 https,端口应该是 8443 -

旧实体 ID:

正确的实体 ID: