SAML getting Signature Reference URI did not resolve to the expected parent Element

In Spring SAML, I receive a successful response from the IDP, but when validating the SAML response I get the exception Signature Reference URI '#JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ' did not resolve to the expected parent Element. I don't understand whether the problem is in the response or in Spring SAML, and whether I need to do any configuration. Please find the exception and the SAML response below.

    2021-07-13 20:38:22,661 DEBUG [BaseSAMLSimpleSignatureSecurityPolicyRule] HTTP request was not signed via simple signature mechanism, skipping
    2021-07-13 20:38:22,661 ERROR [SAMLSignatureProfileValidator] Signature Reference URI '#JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ' did not resolve to the expected parent Element
    2021-07-13 20:38:22,663 DEBUG [SAMLProtocolMessageXMLSignatureSecurityPolicyRule] Protocol message signature failed signature pre-validation
    org.opensaml.xml.validation.ValidationException: Signature Reference URI did not resolve to the expected parent Element
            at org.opensaml.security.SAMLSignatureProfileValidator.validateReferenceURI(SAMLSignatureProfileValidator.java:159)
            at org.opensaml.security.SAMLSignatureProfileValidator.validateSignatureImpl(SAMLSignatureProfileValidator.java:84)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:56)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:42)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.performPreValidation(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:164)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:105)
            at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
            at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
            at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
            at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
            at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
            at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
            at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
            at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:748)
    2021-07-13 20:38:22,670 DEBUG [SAMLProcessingFilter] Incoming SAML message is invalid
    org.opensaml.ws.security.SecurityPolicyException: Protocol message signature failed signature pre-validation
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.performPreValidation(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:167)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:105)
            at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
            at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
            at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
            at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
            at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
            at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
            at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
            at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:748)
    Caused by: org.opensaml.xml.validation.ValidationException: Signature Reference URI did not resolve to the expected parent Element
            at org.opensaml.security.SAMLSignatureProfileValidator.validateReferenceURI(SAMLSignatureProfileValidator.java:159)
            at org.opensaml.security.SAMLSignatureProfileValidator.validateSignatureImpl(SAMLSignatureProfileValidator.java:84)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:56)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:42)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.performPreValidation(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:164)
            ... 49 more

The SAML response received is:

<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://10.11.4.96:8071/testapp/saml/SSO" ID="JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ" InResponseTo="testapp" IssueInstant="2021-07-13T15:08:21.831Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
         <ds:Reference URI="#JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>zTgjwhpc8z+68RkAkrX0CS0kQXA=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>JeiDJJRN0P+FnHOPqmpVjX50+/GwAJcTsqXQ3KTmveOpiW7RZKVpuGFTeO/bPredy/6imXBCM8vHtiVEnsre5C3qkS1QawGq7Da2SIEtn6pFxe8nDvl/F1mecEu/JtyPf+lwIAgp0r74fA+12MrTS/v7sUBA473gCtVdCQUFxXcpSRTCXdKWwZrPDyht/8RHkfWiKmq6Xr+VzxgjPP/X/sXl0AKnaCBQafOYyrbeTltCseUtvPP2rDkgTp7Shiw/mWLoynAJhQ0TmJBPsx+gDkyB5xPLB4ozyjuRfElhe3yWr1rGX0VkN/O5VgL1BB5Y8ECpFHiVPotlsb72/7nQlg==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      <saml2p:StatusMessage>accessGranted</saml2p:StatusMessage>
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ" IssueInstant="2021-07-13T15:08:21.831Z" Version="2.0">
      <saml2:Issuer>IDP01</saml2:Issuer>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">admin</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="testapp" NotOnOrAfter="2021-07-13T15:23:21.831Z" Recipient="testapp"/>
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotOnOrAfter="2021-07-13T15:23:21.831Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>testapp</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2021-07-13T15:08:21.831Z" SessionIndex="JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ" SessionNotOnOrAfter="2021-07-13T15:23:21.831Z">
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef/>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
         <saml2:Attribute Name="app_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testapp</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin.m@test.com</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="access_mode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">write</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="user_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml2:AttributeValue>
         </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>  

You are getting the exception while validating the reference URI of the XML signature. The validation rule is: if the reference URI is not empty (in your case it is not empty - #JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ), then it must be a reference to a local document fragment and must point to the parent SAMLObject via the value of the latter's ID attribute.

If you can attach a debugger, you can see why it fails in the method of class SAMLSignatureProfileValidator shown below. Your application fails in the last code block of this method.

When I tested my local setup with SSO Circle as the SAML IdP, it passed validation successfully (see the debugger screenshot). Both objects reference the same one (id=531).

    // OpenSAML 2.x: SAMLSignatureProfileValidator.validateReferenceURI (method as posted)
    protected void validateReferenceURI(String uri, SignableSAMLObject signableObject) throws ValidationException {
        // First check: the URI must match the object's own signature reference ID (or be empty)
        String id = signableObject.getSignatureReferenceID();
        validateReferenceURI(uri, id);

        // An empty URI means "the whole document" and is allowed by the profile
        if (DatatypeHelper.isEmpty(uri)) {
            return;
        }

        // Strip the leading '#' to get the fragment identifier
        String uriID = uri.substring(1);

        // The element the signature is expected to cover: the signed object's own DOM element
        Element expected = signableObject.getDOM();
        if (expected == null) {
            log.error("SignableSAMLObject does not have a cached DOM Element.");
            throw new ValidationException("SignableSAMLObject does not have a cached DOM Element.");
        }
        Document doc = expected.getOwnerDocument();

        // Ask Apache Santuario's IdResolver which element in the document carries this ID
        Element resolved = IdResolver.getElementById(doc, uriID);
        if (resolved == null) {
            log.error("Apache xmlsec IdResolver could not resolve the Element for id reference: {}", uriID);
            throw new ValidationException("Apache xmlsec IdResolver could not resolve the Element for id reference: "
                    + uriID);
        }

        // Last block: the resolved element must be the very same node as the signature's parent.
        // If another element (e.g. an Assertion) carries the same ID, the resolver may return
        // that one instead and this check fails.
        if (!expected.isSameNode(resolved)) {
            log.error("Signature Reference URI '{}' did not resolve to the expected parent Element", uri);
            throw new ValidationException("Signature Reference URI did not resolve to the expected parent Element");
        }
    }

In OpenSAML, santuario is used to search the current document for an element matching the requested ID in some "known" namespaces (e.g. SOAP Message Security), so since Apache XML Security for Java 1.5.0 you actually need to point to such a node that you want to resolve - NodeName.removeAttributeNS(null, "ID"). After pointing to the node reference, the error does not occur.

In the SAML response, the id is the same everywhere, and this is what caused the exception. So after changing the SAML response ID, assertion ID and session index to different values, the exception was resolved, probably because there was no longer any conflict when resolving IDs in the SAML response.
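The rule the answer describes (a non-empty Reference URI must be a local fragment that resolves to the element enclosing the ds:Signature) and the root cause found above (the same ID on the Response and the Assertion) can both be checked on the service-provider side before handing a response to the SAML stack. The following is an added example, not code from the question, the answer, OpenSAML or Spring SAML: a standalone Python check using only the standard library that lists duplicate ID values and verifies each signature's Reference URI against the signature's parent element. The embedded XML samples are constructed (they mirror the structure of the response in the question with signature, digest and certificate values replaced by placeholders), and the assertion ID `_assertion-id-constructed-01` is an assumption. Unlike Santuario's IdResolver, which picks one element for a duplicated ID, this check reports the ambiguity itself, so it catches the problem independent of which element the resolver would return.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the response in the question; signature value
# and digest are placeholders, KeyInfo is omitted. IDs are filled in per case.
RESPONSE_TEMPLATE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="{response_id}" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#{reference_id}">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="{assertion_id}" Version="2.0">
    <saml2:Issuer>IDP01</saml2:Issuer>
  </saml2:Assertion>
</saml2p:Response>
"""

SAME_ID = "JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ"   # ID from the question
ASSERTION_ID = "_assertion-id-constructed-01"              # assumed distinct value

# Case 1: the situation in the question, Response and Assertion share one ID
RESPONSE_WITH_DUPLICATE_IDS = RESPONSE_TEMPLATE.format(
    response_id=SAME_ID, assertion_id=SAME_ID, reference_id=SAME_ID)
# Case 2: the fix described in the thread, every ID distinct
RESPONSE_WITH_DISTINCT_IDS = RESPONSE_TEMPLATE.format(
    response_id=SAME_ID, assertion_id=ASSERTION_ID, reference_id=SAME_ID)
# Case 3: distinct IDs, but the Reference points at the Assertion while the
# Signature sits under the Response (resolves, but not to the parent element)
RESPONSE_REFERENCING_ASSERTION = RESPONSE_TEMPLATE.format(
    response_id=SAME_ID, assertion_id=ASSERTION_ID, reference_id=ASSERTION_ID)


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]


def build_parent_map(root):
    """ElementTree keeps no parent pointers, so index child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def collect_ids(root):
    """Map every ID attribute value to the elements carrying it (SAML uses 'ID')."""
    ids = {}
    for el in root.iter():
        value = el.get("ID")
        if value is not None:
            ids.setdefault(value, []).append(el)
    return ids


def find_duplicate_ids(xml_text):
    """Return {id: [local tag names]} for ID values used on more than one element."""
    root = ET.fromstring(xml_text)
    return {value: [local_name(e.tag) for e in els]
            for value, els in collect_ids(root).items() if len(els) > 1}


def check_signature_references(xml_text):
    """Apply the profile rule SAMLSignatureProfileValidator enforces: a non-empty
    Reference URI must be '#<id>' and must resolve to exactly the element that
    encloses the ds:Signature. Returns a list of problems; empty means ok."""
    root = ET.fromstring(xml_text)
    parents = build_parent_map(root)
    ids = collect_ids(root)
    problems = []
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        expected = parents.get(sig)
        if expected is None:
            problems.append("ds:Signature has no parent element")
            continue
        for ref in sig.iter(f"{{{DS_NS}}}Reference"):
            uri = ref.get("URI", "")
            if uri == "":
                continue  # empty URI covers the whole document; allowed by the profile
            if not uri.startswith("#"):
                problems.append(f"Reference URI '{uri}' is not a local fragment reference")
                continue
            candidates = ids.get(uri[1:], [])
            if not candidates:
                problems.append(f"Reference URI '{uri}' does not resolve to any element")
            elif len(candidates) > 1:
                problems.append(f"Reference URI '{uri}' is ambiguous: ID is shared by "
                                + ", ".join(local_name(e.tag) for e in candidates))
            elif candidates[0] is not expected:
                problems.append(f"Reference URI '{uri}' resolved to {local_name(candidates[0].tag)}, "
                                f"not the Signature's parent {local_name(expected.tag)}")
    return problems


if __name__ == "__main__":
    for label, doc in [("duplicate IDs", RESPONSE_WITH_DUPLICATE_IDS),
                       ("distinct IDs", RESPONSE_WITH_DISTINCT_IDS),
                       ("reference to Assertion", RESPONSE_REFERENCING_ASSERTION)]:
        print(label, "->", find_duplicate_ids(doc), check_signature_references(doc))
```

Run it against a captured response before blaming the SAML library: the first case reports the shared ID and an ambiguous reference, the second is clean, and the third shows the other way the same OpenSAML error arises, a reference that resolves but not to the element enclosing the signature. This check only covers reference placement and ID uniqueness; the digest and signature value are still verified by the SAML stack.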