Assertion expired - Keycloak
I am doing an IDP-initiated login where Azure AD is my IDP and Keycloak is the broker. I am getting the following error in the Keycloak server console -
11:02:17,571 DEBUG [org.keycloak.saml.common] (default task-9) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2021-01-01T05:32:17.571Z
11:02:17,575 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Evaluating Conditions of Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988. notBefore=2021-01-01T05:32:15.180Z, notOnOrAfter=2021-01-01T05:33:15.180Z, updatedNotBefore: 2021-01-01T05:32:10.180Z, updatedOnOrAfter=2021-01-01T05:33:20.180Z, now: 2021-01-01T05:32:17.571Z
11:02:17,578 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988 is not addressed to this SP.
11:02:17,579 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Allowed audiences are: [https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client, https://localhost:8443/auth/realms/demo]
11:02:17,579 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-9) Assertion ID_ab13e885-3b1e-45d5-88ec-edff44a53988 validity is INVALID
11:02:17,579 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-9) Assertion expired.
Below is the error message shown on screen -
Below is the SAML response from Azure AD -
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client" ID="ID_b1be4149-323d-48cc-b168-2bb80b7f9441" IssueInstant="2021-01-01T05:32:17.181Z" Version="2.0">
<saml:Issuer>https://localhost:8443/auth/realms/demo</saml:Issuer>
<dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<dsig:Reference URI="#ID_b1be4149-323d-48cc-b168-2bb80b7f9441">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>mjUOWFliMQNyplLPE4/Ft6TxAkWeRi7uR3pYcqLPlQQ=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>ZTbyuqYzUuJYH74DMuU3aJZlinj9aP3GjlV7bI2fmzJJANW7/LEDda+qGMQ6x4/yu6LBA6gOLYF3wOqVEH+UQICotl0BUVANzA4rF5fI1oVWedW0KjR6KtgagppHFUJmPteIgiT677VWFVcdJZLlLMs46S+E587r/+jxbaC2c03W2qH1dog07Tw5ajqTcNsOiC1nOjhOj9pIfIERtDaGpLCFzxu+x0nuoMu91bDDjl9evqXvPV6iybmyFQJSCkJMEE37mJKisqeRmaQ+Qiw3nfd35/kivKX60GjhuKC0UYkt2uQEazn5EykxgDnoa7+CHZAYeKnKiCXvTwBxiPjhSQ==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>fSgfAWKE3nBNWMouTUNT3e-rG5UNyqu75SR0-unXWx8</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>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</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>jZlntplPZCnerdvQh7XwdPjshwpYerEDlRepKs+W2hyVNqllQCbDIPsT41zy5KUuIqDoG53G5YuN+mfKUoI19xXkikmnjqw63eRfK6L1QYNdl7wdQF5gd2u9UveYpKGdDV4EVMTgHBFdVI0Q4ryLQrK4p4LKAgMHV7S8TXqhIvU8i0MsfyGdCce8PshfeGL1CNpiqDBEQgt2hrcX82/iE3Vtxel1MNWRqKsPTGB7VLQTlje0Fk0PfolkTF49a45/DSMziG9dpPossxge+/peOOqMm8FGxZWfkL0WVKXNcwjVfg0Puf7LUYt6rYwYqjrPwAMYEPL3qCS4uu0ualTyMw==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_ab13e885-3b1e-45d5-88ec-edff44a53988" IssueInstant="2021-01-01T05:32:17.180Z" Version="2.0">
<saml:Issuer>https://localhost:8443/auth/realms/demo</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">akash.solankey@gmail.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2021-01-01T05:37:15.180Z" Recipient="https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2021-01-01T05:32:15.180Z" NotOnOrAfter="2021-01-01T05:33:15.180Z">
<saml:AudienceRestriction>
<saml:Audience>azure-ad-client</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2021-01-01T05:32:17.181Z" SessionIndex="b6ed36be-e94a-4928-ab6d-2082c4df1cb4::1f136816-2bad-4bd9-bfe0-f16169bf7638" SessionNotOnOrAfter="2021-01-01T15:32:17.181Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
PS - I am running standalone Keycloak 12.0.1
The problem was that I was using the wrong Keycloak realm URL as the Entity ID in the Azure IDP settings. In short, since I am using https, the port should be 8443 -
Old Entity ID:
Correct Entity ID:
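The checks that the Keycloak log in the question performs, written out as an added Python example (not Keycloak's code, and not from the question or the answer): it parses a constructed, stripped-down copy of the assertion from the question (signature, certificate and attributes omitted; times and audience kept), applies the 5-second clock skew that the log's updatedNotBefore/updatedOnOrAfter values reflect, and compares the AudienceRestriction against the allowed audiences the log lists. The function names, the sample response, the skew constant and the "fixed" variant that swaps in the realm URL are assumptions of the example. It reports the time-window and audience checks as separate reasons, which is the distinction the final ERROR line ("Assertion expired.") hides: the INFO line "is not addressed to this SP" is the actual failure, and with the realm URL as the audience the same assertion passes.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal copy of the assertion posted in the question.
# Signature, X509 data and attribute statements are left out on purpose; the
# Conditions element carries the same times and audience as the original.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_b1be4149-323d-48cc-b168-2bb80b7f9441"
    IssueInstant="2021-01-01T05:32:17.181Z" Version="2.0">
  <saml:Assertion ID="ID_ab13e885-3b1e-45d5-88ec-edff44a53988"
      IssueInstant="2021-01-01T05:32:17.180Z" Version="2.0">
    <saml:Conditions NotBefore="2021-01-01T05:32:15.180Z"
        NotOnOrAfter="2021-01-01T05:33:15.180Z">
      <saml:AudienceRestriction>
        <saml:Audience>azure-ad-client</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# The audiences the Keycloak log in the question reports as allowed.
ALLOWED_AUDIENCES = {
    "https://localhost:8443/auth/realms/demo/broker/saml/endpoint/clients/azure-ad-client",
    "https://localhost:8443/auth/realms/demo",
}

# Assumed skew: the log shows NotBefore widened by 5 s on each side.
DEFAULT_SKEW = timedelta(seconds=5)


def parse_saml_time(value):
    # SAML dateTime values are UTC with a trailing "Z"; fromisoformat only
    # accepts "Z" from Python 3.11 on, so rewrite it as an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_conditions(response_xml, allowed_audiences, now, skew=DEFAULT_SKEW):
    """Evaluate <saml:Conditions> of the first assertion in the response.

    Returns (valid, reasons). Every failed check is listed in reasons, so a
    caller can tell an audience mismatch from a time-window failure instead
    of collapsing both into a single "expired" error.
    """
    root = ET.fromstring(response_xml)
    conditions = root.find(".//saml:Conditions", NS)
    if conditions is None:
        return False, ["no Conditions element"]

    reasons = []
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    # Time window, widened by the clock skew on both ends.
    if not_before is not None and now < parse_saml_time(not_before) - skew:
        reasons.append("not yet valid")
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + skew:
        reasons.append("expired")

    # Each AudienceRestriction must be satisfied; within one restriction it is
    # enough that any listed Audience is one this SP answers to.
    for restriction in conditions.findall("saml:AudienceRestriction", NS):
        audiences = {a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text}
        if not audiences & set(allowed_audiences):
            reasons.append("audience mismatch: %s not in allowed set" % sorted(audiences))

    return (not reasons), reasons


def check_sample():
    # "now" taken from the log line in the question.
    now = parse_saml_time("2021-01-01T05:32:17.571Z")
    return evaluate_conditions(SAMPLE_RESPONSE, ALLOWED_AUDIENCES, now)


def check_sample_with_fixed_entity_id():
    # Assumed fix from the answer: the audience becomes the realm URL that
    # Keycloak lists as allowed, so only the audience value changes.
    fixed = SAMPLE_RESPONSE.replace(
        "<saml:Audience>azure-ad-client</saml:Audience>",
        "<saml:Audience>https://localhost:8443/auth/realms/demo</saml:Audience>",
    )
    now = parse_saml_time("2021-01-01T05:32:17.571Z")
    return evaluate_conditions(fixed, ALLOWED_AUDIENCES, now)


if __name__ == "__main__":
    print("as posted:", check_sample())
    print("with realm URL as audience:", check_sample_with_fixed_entity_id())
```

Collecting every failed reason rather than stopping at the first is the design choice worth copying into any SAML consumer or its logging: the assertion in the question is well inside its time window (with or without skew), and a validator that only surfaces "Assertion expired" sends the operator to clock synchronisation when the actual fix is the Entity ID configured on the IDP side.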