Play-pac4j with wso2is throws "IDP Metadata cannot be null"
I need a little help. I am using this project (play-pac4j-scala-demo) to test my wso2is SAML server, and the only change I made is in the openidp-feide.xml file, which I replaced with the following:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
The above is the IdP metadata. Next, in the wso2is server I created an issuer as follows:
Issuer : http://localhost:9000/callback?client_name=Saml2Client
Assertion Consumer URL *: http://localhost:9000/callback?client_name=Saml2Client
NameID format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Enable Attribute Profile: true
The other attributes were left at their default options.
But when I try to authenticate with the project (play-pac4j-scala-demo), this exception is thrown:
[debug] - org.pac4j.play.CallbackController - defaultUrl : /?2
at scala.concurrent.impl.CallbackRunnable.executeWithValue(Promise.scala:40) [scala-library-2.11.6.jar:na]
at scala.concurrent.impl.Promise$DefaultPromise.tryComplete(Promise.scala:248) [scala-library-2.11.6.jar:na]
at scala.concurrent.Promise$class.complete(Promise.scala:55) [scala-library-2.11.6.jar:na]
at scala.concurrent.impl.Promise$DefaultPromise.complete(Promise.scala:153) [scala-library-2.11.6.jar:na]
at scala.concurrent.Future$$anonfun$recover.apply(Future.scala:324) [scala-library-2.11.6.jar:na]
at scala.concurrent.Future$$anonfun$recover.apply(Future.scala:324) [scala-library-2.11.6.jar:na]
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32) [scala-library-2.11.6.jar:na]
at play.core.j.HttpExecutionContext$$anon.run(HttpExecutionContext.scala:40) [play_2.11-2.4.0.jar:2.4.0]
at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40) [akka-actor_2.11-2.3.11.jar:na]
at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:397) [akka-actor_2.11-2.3.11.jar:na]
at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [scala-library-2.11.6.jar:na]
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [scala-library-2.11.6.jar:na]
Caused by: org.pac4j.saml.exceptions.SamlException: IDP Metadata cannot be null
at org.pac4j.saml.sso.Saml2WebSSOProfileHandler.receiveMessage(Saml2WebSSOProfileHandler.java:127) ~[pac4j-saml-1.7.0.jar:na]
at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:322) ~[pac4j-saml-1.7.0.jar:na]
at org.pac4j.saml.client.Saml2Client.retrieveCredentials(Saml2Client.java:95) ~[pac4j-saml-1.7.0.jar:na]
at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:220) ~[pac4j-core-1.7.0.jar:na]
at org.pac4j.play.java.RequiresAuthenticationAction.apply(RequiresAuthenticationAction.java:202) ~[play-pac4j-java-1.5.0-SNAPSHOT.jar:na]
at org.pac4j.play.java.RequiresAuthenticationAction.apply(RequiresAuthenticationAction.java:194) ~[play-pac4j-java-1.5.0-SNAPSHOT.jar:na]
at play.core.j.FPromiseHelper$$anonfun$promise.apply(FPromiseHelper.scala:36) ~[play_2.11-2.4.0.jar:2.4.0]
at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1(Future.scala:24) ~[scala-library-2.11.6.jar:na]
at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) ~[scala-library-2.11.6.jar:na]
... 7 common frames omitted
What is wrong here? Can anyone help?
Thanks!
I am the creator of play-pac4j, but unfortunately I am not a SAML expert. I guess the SAML response from your IdP does not contain the necessary data, because it is an explicit check: https://github.com/pac4j/pac4j/blob/pac4j-1.7.0/pac4j-saml/src/main/java/org/pac4j/saml/sso/Saml2WebSSOProfileHandler.java#L127 In pac4j (and pac4j-saml v1.7.1), the SAML support has evolved: maybe you should give it a try...
This means that the decoder.decode method was unable to determine which IDP to use from the SAML authentication response.
If you get the error at this point, I assume you were successfully redirected to your IDP, entered your credentials and were redirected back to your application, which is a good starting point.
Please use a debugging tool (for example SAML Tracer for Firefox) to read the SAML assertion and check whether the IDP entity ID matches your settings.
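As an added diagnostic (not code from the question, the demo project or pac4j), the following Python script does programmatically what the answer above suggests: it compares the entityID of the IdP metadata with the Issuer of a SAML Response, and also reports whether validUntil has passed and which key uses and SSO bindings the metadata advertises. The metadata and the Response are constructed samples modelled on the question; the Response's Issuer is deliberately set to a different value so the mismatch finding is visible.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata modelled on the question's openidp-feide.xml (certificate body omitted).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response as an IdP would POST it to the demo's /callback URL.
# Its Issuer is deliberately different from the metadata entityID to show the mismatch finding.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0"
    IssueInstant="2015-09-23T07:00:00Z"
    Destination="http://localhost:9000/callback?client_name=Saml2Client">
  <saml:Issuer>localhost</saml:Issuer>
</samlp:Response>"""

def check_idp_match(metadata_xml, response_xml, now_iso=None):
    """Compare the Response's Issuer with the metadata entityID (the lookup the answer above
    describes) and report other facts about the metadata that a resolver may reject it for."""
    md = ET.fromstring(metadata_xml)
    resp = ET.fromstring(response_xml)
    entity_id = md.get("entityID")
    issuer_el = resp.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    expired = None
    if md.get("validUntil"):
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso else datetime.now(timezone.utc)
        expired = datetime.fromisoformat(md.get("validUntil").replace("Z", "+00:00")) < now
    return {
        "entity_id": entity_id,
        "issuer": issuer,
        "issuer_matches": issuer == entity_id,
        "metadata_expired": expired,
        # use="signing" / use="encryption"; a KeyDescriptor without a use attribute serves both
        "key_uses": sorted(k.get("use", "both") for k in md.iterfind(".//md:KeyDescriptor", NS)),
        "sso_bindings": [s.get("Binding").rsplit(":", 1)[-1] for s in md.iterfind(".//md:SingleSignOnService", NS)],
    }
```

Paste the real metadata and the decoded Response captured with SAML Tracer into the two strings to run the same comparison against your own setup.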