Meet "INTERNAL ERROR: Please contact your support." when configuring SAML web SSO on WebSphere Application Server
I am configuring web SSO with SAML2 on WebSphere Application Server, using PingFederate as the IdP.
What I did:
- Downloaded and installed WebSphere Application Server, version 9.0.0.5
- Installed the sample web application for testing.
- Configured the WebSphere trust association interceptor for SAML according to this document: https://www.ibm.com/docs/en/was/9.0.5?topic=users-saml-web-single-sign
- Verified the connection with IdP-initiated SSO and got the "INTERNAL ERROR: Please contact your support." problem.
I can see that a SAML response is sent from the IdP to WebSphere and that the server sends a successful response, but I don't understand why the user is not redirected to the target URL. I have set the debug level to normal but cannot find any error. Also, the error URL does not work either.
After appending "&TARGET=TARGETURL" to the SSO link, it does redirect the user to "TARGETURL" after SAML SSO, but the relay state should be handled by the SP, not the IdP.
I wonder whether I made some mistake or missed some configuration that causes this problem.
In addition, I have uploaded part of the trace log, which should be the part where it receives the SAML response from the IdP.
[21-9-21 15:38:53:460 EDT] 000000d9 EJSWebCollabo > preInvoke Entry
[21-9-21 15:38:53:460 EDT] 000000d9 EJSWebCollabo < preInvoke Exit
<null>
[21-9-21 15:38:53:460 EDT] 000000d9 EJSWebCollabo > preInvoke Entry
com.ibm.ws.webcontainer.srt.SRTServletRequest@99083b5f
com.ibm.ws.webcontainer.srt.SRTServletResponse@f46dafbe
samlsps
default_host
IBMWebSphereSamlACSListenerServlet
true
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 Http Header names and values:
Host=[localhost:9443]
Connection=[keep-alive]
Content-Length=[3361]
Cache-Control=[max-age=0]
sec-ch-ua=["Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"]
sec-ch-ua-mobile=[?0]
sec-ch-ua-platform=["Windows"]
Upgrade-Insecure-Requests=[1]
Origin=[https://localhost:9031]
Content-Type=[application/x-www-form-urlencoded]
User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36]
Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9]
Sec-Fetch-Site=[same-site]
Sec-Fetch-Mode=[navigate]
Sec-Fetch-Dest=[document]
Referer=[https://localhost:9031/]
Accept-Encoding=[gzip, deflate, br]
Accept-Language=[en-US,en;q=0.9,zh-TW;q=0.8,zh;q=0.7,zh-CN;q=0.6]
Cookie=[PF=slGINjz4m5kSL7gpbfdUlA]
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 Request Context Path=/samlsps, Servlet Path=, Path Info=/acs
[21-9-21 15:38:53:461 EDT] 000000d9 WebSecurityCo > <init> Entry
<null>
<null>
<null>
[21-9-21 15:38:53:461 EDT] 000000d9 WebSecurityCo < <init> Exit
com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat > SetUnauthenticatedSubjectIfNeeded Entry
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat 3 Invoked and received Subject are null, setting it anonymous/unauthenticated.
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat < SetUnauthenticatedSubjectIfNeeded:true Exit
[21-9-21 15:38:53:461 EDT] 000000d9 WebCollaborat 3 com.ibm.ws.security.web.WebCollaborator.WebComponentMetaData attribute is set.
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 WebComponentMetaData
com.ibm.ws.webcontainer.metadata.WebComponentMetaDataImpl@476b7334[WebSphereSamlSP#WebSphereSamlSPWeb.war#IBMWebSphereSamlACSListenerServlet]
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 preInvoke pushing app name WebSphereSamlSP
[21-9-21 15:38:53:461 EDT] 000000d9 WebSecurityCo 3 Setting pushed security to "true" for: com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 preInvoke
app_name=WebSphereSamlSP isAdminApp=false isAppSecurityOn=false
[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 preInvoke
Skip authorization for non-system apps when app security is disabled.
[21-9-21 15:38:53:461 EDT] 000000d9 IBMWebSphereS > handleRedirect Entry
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 samlres[not null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 target[null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 RelayState[null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS > getTarget(relayStateUri[null],decodeURL[true] Entry
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 The RelayState is not a URL. target URL.
[21-9-21 15:38:53:467 EDT] 000000d9 IBMWebSphereS < handleRedirect Exit
[21-9-21 15:38:53:467 EDT] 000000d9 EJSWebCollabo > postInvoke Entry
com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:467 EDT] 000000d9 EJSWebCollabo 3 Resetting invoked: null and received: nullsubjects
[21-9-21 15:38:53:468 EDT] 000000d9 WebSecurityCo 3 Getting pushed security value "true" for: com.ibm.ws.security.web.WebSecurityContext@936c75b7
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo 3 postInvoke popped resource WebSphereSamlSP of type Application
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo < postInvoke Exit
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo > postInvoke Entry
<null>
[21-9-21 15:38:53:468 EDT] 000000d9 EJSWebCollabo < postInvoke Exit
After enabling application security, I am redirected to login.errorUrl. In the log I can see that WebSphere received the SAML response but somehow cannot process it. I believe I have uploaded the signer certificate to WebSphere and set "trustAnySigner" to "true". Here is part of the log:
[21-9-22 15:05:07:971 EDT] 000000c0 ACSTrustAssoc 3 Sending redirect
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc < createTAIErrorResult Exit
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc 3 SAMLResponse could not be verified. Auto Re-login.
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc < invokeTAIbeforeSSO:null Exit
[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc < negotiateValidateandEstablishTrust returns [not null] Exit
[21-9-22 15:05:07:972 EDT] 000000c0 TAIWrapper < negotiateAndValidateEstablishedTrust(): status code = 403 Exit
[21-9-22 15:05:07:972 EDT] 000000c0 WebAuthentica < Exiting with TAI_CHALLENGE Exit
[21-9-22 15:05:07:972 EDT] 000000c0 WebAuthentica 3 result status is 5
[21-9-22 15:05:07:972 EDT] 000000c0 WebAuthentica < authenticate Exit
AuthenticationResult.TAI_CHALLENGE
[21-9-22 15:05:07:972 EDT] 000000c0 WebCollaborat 3 isAuthenticate is false
[21-9-22 15:05:07:972 EDT] 000000c0 WebRequestImp > getAppVHost Entry
[21-9-22 15:05:07:972 EDT] 000000c0 WebRequestImp < getAppVHost Exit
appVHost=default_host
isVHostAndContextRootSet=true
[21-9-22 15:05:07:972 EDT] 000000c0 WebCollaborat > validSecAttrs Entry
default_host:samlsps
/acs
POST
false
WebSphereSamlSP
com.ibm.ws.webcontainer.srt.SRTServletRequest@5ae9cdc7
default_host
false
[21-9-22 15:05:07:972 EDT] 000000c0 WebAppCache > getWebAccessContext Entry
WebSphereSamlSP
default_host:samlsps
false
[21-9-22 15:05:07:972 EDT] 000000c0 WebAppCache 3 Okay, I found the entry for [WebSphereSamlSP:default_host:samlsps]
[21-9-22 15:05:07:972 EDT] 000000c0 WebAppCache < getWebAccessContext Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont > WebAccessContext with ServletMap Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont < WebAccessContext with ServletMap Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint > getConstraints: Entry
/acs
POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 webConstraintsTable.length = 1
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo > isStandardHTTPMethod Entry
POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo < isStandardHTTPMethod Exit
true
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 Looking at webResourceCollectionConstraints with URL patterns:
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 url: /*
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo > matches Entry
/acs
POST
true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 .... check if in http methods list
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[0]: GET
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[1]: PUT
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[2]: HEAD
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[3]: TRACE
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[4]: POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 methodName is in methodList, returning true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo > isStandardHTTPMethod Entry
POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo < isStandardHTTPMethod Exit
true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 .... check if in http omission methods list
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 methodName is not in methodList, returning false
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 -- Checking methods --
validateAllMethods: false existMethodsList :true memberOfMethodList :true isStandardHTTPMethod :true allowCustomHTTPMethods :true
existOmissionMethodsList :false memberOfOmissionMethodList :false
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 .... check if in http methods list
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[0]: GET
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[1]: PUT
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[2]: HEAD
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[3]: TRACE
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 memberOfList, methodName: POST methodList[4]: POST
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 methodName is in methodList, returning true
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo 3 Checking URL: /*
[21-9-22 15:05:07:973 EDT] 000000c0 WebResourceCo < matches (PathName) : /* Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint < getConstraints not null Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat > unprotectedSpecialURI Entry
webAppName[WebSphereSamlSPWeb]
isProtected[true]
realm[Default Realm]
challengeType[BASIC]
authMechanism[LTPA]
SSLEnabled[false]
SSOEnabled[true]
secureSSO[false]
defaultToBasic[false]
LTPACookieName[LtpaToken]
loginCookieName[null]
CookieSuffix[null]
/acs
POST
REQUEST
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat < unprotectedSpecialURI Exit
<null>
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat < validSecAttrs Exit
<null>
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 List of required roles for uri /acs is:
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 required role: WebSphereSamlAcsRole
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp > getAppContextRoot Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp < getAppContextRoot Exit
appContextRoot=samlsps
isVHostAndContextRootSet=true
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp > getAppVHost Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebRequestImp < getAppVHost Exit
appVHost=default_host
isVHostAndContextRootSet=true
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat > isURIBoundByConstraint Entry
WebSphereSamlSP
samlsps
default_host
/acs
[21-9-22 15:05:07:973 EDT] 000000c0 WebAppCache > getWebAccessContext Entry
WebSphereSamlSP
default_host:samlsps
false
[21-9-22 15:05:07:973 EDT] 000000c0 WebAppCache 3 Okay, I found the entry for [WebSphereSamlSP:default_host:samlsps]
[21-9-22 15:05:07:973 EDT] 000000c0 WebAppCache < getWebAccessContext Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont > WebAccessContext with ServletMap Entry
[21-9-22 15:05:07:973 EDT] 000000c0 WebAccessCont < WebAccessContext with ServletMap Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint > existsExactMatchURI Entry
/acs
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint 3 webConstraintsTable.length = 1
[21-9-22 15:05:07:973 EDT] 000000c0 WebConstraint < existsExactMatchURI : no match, returning false Exit
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat < isURIBoundByConstraint Exit
false
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 isURIBound for uri: /acs: false
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 securityConstraints for uri /acs are: com.ibm.ws.security.web.WebResourceCollectionConstraints@393f3b2b
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 URI - /acs.POST is protected
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat 3 Saving previous subject null
[21-9-22 15:05:07:973 EDT] 000000c0 WebCollaborat > checkAuthStatus Entry
AuthenticationResult.TAI_CHALLENGE
webAppName[WebSphereSamlSPWeb]
isProtected[true]
realm[Default Realm]
challengeType[BASIC]
authMechanism[LTPA]
SSLEnabled[false]
SSOEnabled[true]
secureSSO[false]
defaultToBasic[false]
LTPACookieName[LtpaToken]
loginCookieName[null]
CookieSuffix[null]
[21-9-22 15:05:07:974 EDT] 000000c0 TAIChallengeR > TAIChallengeReply(403) Entry
[21-9-22 15:05:07:974 EDT] 000000c0 TAIChallengeR < TAIChallengeReply() Exit
[21-9-22 15:05:07:974 EDT] 000000c0 WebCollaborat 3 TAI authentication challenge - sending 403
[21-9-22 15:05:07:974 EDT] 000000c0 WebCollaborat < checkAuthStatus 3 Exit
com.ibm.ws.security.web.TAIChallengeReply@54049520
[21-9-22 15:05:07:974 EDT] 000000c0 WebCollaborat < authorize Exit
com.ibm.ws.security.web.TAIChallengeReply@54049520
[21-9-22 15:05:07:974 EDT] 000000c0 EJSWebCollabo > handleException Entry
com.ibm.ws.webcontainer.srt.SRTServletRequest@5ae9cdc7
com.ibm.ws.webcontainer.srt.SRTServletResponse@25d3a5e1
com.ibm.ws.security.web.WebSecurityException
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:451)
at com.ibm.ws.webcontainer.collaborator.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:230)
at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:436)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1101)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4219)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.handleRequest(WebAppImpl.java:2210)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1030)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:289)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1187)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:768)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:464)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:1137)
at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:87)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 Response is already committed
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 com.ibm.websphere.security.allow.committed.response is false
[21-9-22 15:05:07:976 EDT] 000000c0 WebSecurityCo 3 Getting pushed security value "true" for: com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 handleException popped resource WebSphereSamlSP of type Application
[21-9-22 15:05:07:976 EDT] 000000c0 WebSecurityCo 3 Getting pushed admin value "false" for: com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo < handleException Exit
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo > postInvoke Entry
com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 Resetting invoked: null and received: nullsubjects
[21-9-22 15:05:07:976 EDT] 000000c0 WebSecurityCo 3 Getting pushed security value "true" for: com.ibm.ws.security.web.WebSecurityContext@9d8e0360
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo 3 postInvoke popped null resource
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo < postInvoke Exit
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo > postInvoke Entry
<null>
[21-9-22 15:05:07:976 EDT] 000000c0 EJSWebCollabo < postInvoke Exit
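The two traces above contain a handful of lines that decide the diagnosis (isAppSecurityOn, the samlres/target/RelayState values in handleRedirect, the "SAMLResponse could not be verified" message and the TAI status code). The script below is an added example, not part of the original post and not IBM code: it parses the WebSphere trace line format, pulls out exactly those fields and turns them into plain-language findings. The function names `triage` and `diagnose` are my own, and the sample lines are excerpted from the traces posted above.

```python
"""Triage helper for WebSphere SAML TAI traces (added example, not IBM code).

It reads the standard trace line layout
    [timestamp] thread component level message
and keeps the handful of messages that explain why a SAML POST to /samlsps/acs
did not end in a logged-in redirect.
"""
import re

# Trace line layout; continuation lines (no timestamp) are treated as message text.
TRACE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>\S+)\s+(?P<comp>\S+)\s+(?P<lvl>\S+)\s+(?P<msg>.*)$"
)
# handleRedirect logs its inputs as key[value]; only whole-message matches count,
# so "getTarget(relayStateUri[null],...)" is deliberately not picked up here.
BRACKET_RE = re.compile(r"^(?P<key>samlres|target|RelayState)\[(?P<val>[^\]]*)\]$")
STATUS_RE = re.compile(r"status code = (\d+)")
APPSEC_RE = re.compile(r"isAppSecurityOn=(true|false)")

# Sample input: lines excerpted from the traces in the post above.
TRACE_A = """[21-9-21 15:38:53:461 EDT] 000000d9 EJSWebCollabo 3 preInvoke
app_name=WebSphereSamlSP isAdminApp=false isAppSecurityOn=false
[21-9-21 15:38:53:461 EDT] 000000d9 IBMWebSphereS > handleRedirect Entry
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 samlres[not null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 target[null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS 3 RelayState[null]
[21-9-21 15:38:53:464 EDT] 000000d9 IBMWebSphereS > getTarget(relayStateUri[null],decodeURL[true] Entry
[21-9-21 15:38:53:467 EDT] 000000d9 IBMWebSphereS < handleRedirect Exit""".splitlines()

TRACE_B = """[21-9-22 15:05:07:972 EDT] 000000c0 ACSTrustAssoc 3 SAMLResponse could not be verified. Auto Re-login.
[21-9-22 15:05:07:972 EDT] 000000c0 TAIWrapper < negotiateAndValidateEstablishedTrust(): status code = 403 Exit
[21-9-22 15:05:07:974 EDT] 000000c0 WebCollaborat 3 TAI authentication challenge - sending 403""".splitlines()


def triage(lines):
    """Collect the diagnostic fields from a trace excerpt into a dict."""
    findings = {"samlres": None, "target": None, "RelayState": None,
                "app_security_on": None, "verify_failed": False, "tai_status": None}
    for raw in lines:
        m = TRACE_RE.match(raw.strip())
        msg = m.group("msg") if m else raw.strip()
        b = BRACKET_RE.match(msg)
        if b:
            val = b.group("val")
            findings[b.group("key")] = None if val == "null" else val
        elif (a := APPSEC_RE.search(msg)):
            findings["app_security_on"] = a.group(1) == "true"
        elif "SAMLResponse could not be verified" in msg:
            findings["verify_failed"] = True
        elif (s := STATUS_RE.search(msg)):
            findings["tai_status"] = int(s.group(1))
    return findings


def diagnose(findings):
    """Turn the collected fields into human-readable findings."""
    notes = []
    if findings["app_security_on"] is False:
        notes.append("application security is off: a TAI is only invoked when application "
                     "security is enabled, so the ACS servlet handled the redirect without "
                     "establishing a login")
    if (findings["samlres"] == "not null" and findings["RelayState"] is None
            and findings["target"] is None):
        notes.append("SAMLResponse present but RelayState and target are both null: the "
                     "target URL has to come from the SP-side configuration")
    if findings["verify_failed"]:
        notes.append("SAMLResponse could not be verified: check the IdP signer certificate "
                     "in the SP truststore and the TAI's signature settings")
    if findings["tai_status"] == 403:
        notes.append("TAI returned 403 (TAI_CHALLENGE): the browser is sent to login.errorUrl")
    return notes


if __name__ == "__main__":
    for name, trace in (("trace A", TRACE_A), ("trace B", TRACE_B)):
        print(name)
        for note in diagnose(triage(trace)):
            print("  -", note)
```

Run it against a full trace file with `triage(open(path).read().splitlines())`; the continuation-line handling matters because WebSphere prints multi-line messages such as the preInvoke app_name/isAppSecurityOn block without a timestamp prefix.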
How is the targetUrl configured on the WAS side? WAS can determine its targetUrl in three different ways. In order of precedence:
- From the WASSamlSpReqUrl cookie generated in step 3 of the "bookmark style" login described on this page: https://www.ibm.com/docs/en/was/9.0.5?topic=sign-saml-single-scenarios-features-limitations
- From the RelayState parameter sent by the IdP
- From the sso_<id>.sp.targetUrl parameter
The following trace specification will show details about how the targetUrl is determined:
*=info:com.ibm.ws.security.web.*=all:com.ibm.ws.security.saml.*=all:com.ibm.websphere.wssecurity.*=all:com.ibm.ws.wssecurity.*=all:com.ibm.ws.wssecurity.platform.audit.*=off
If you have a trace with that specification, feel free to upload it here and I'd be happy to look at it as well.
Also, as a side note, I'd recommend updating to the latest WAS fix pack when possible. There have been some improvements to logging in the SAML runtime that may help in situations like this.
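To make the precedence in the answer concrete, here is an added example (my own illustrative model, not WebSphere's implementation) of resolving the post-login target: the WASSamlSpReqUrl cookie first, then RelayState, then the configured sso_<id>.sp.targetUrl value. It also shows the check a service provider wants before honouring either client-supplied value, since the cookie and the RelayState both arrive in the browser's POST and an unvalidated one would let the IdP side, or anyone who can shape that POST, choose where the user lands after login. The constants `SP_HOST` and `CONFIGURED_TARGET` and the functions `is_acceptable_target` and `resolve_target` are assumptions for the example; the trace's `decodeURL[true]` is mirrored by URL-decoding the RelayState.

```python
"""Target URL precedence for a SAML SP (added illustrative model, not WAS code)."""
from urllib.parse import unquote, urlparse

# Constructed SP settings for the example (assumed, not taken from the post).
SP_HOST = "localhost:9443"
CONFIGURED_TARGET = "https://localhost:9443/snoop"   # stands in for sso_<id>.sp.targetUrl


def is_acceptable_target(url, sp_host=SP_HOST):
    """Accept only absolute https URLs on the SP's own host.

    Rejecting everything else turns an unexpected RelayState into a fall-through
    to the configured default instead of an off-site redirect after login.
    """
    try:
        p = urlparse(url)
    except ValueError:
        return False
    return p.scheme == "https" and p.netloc == sp_host and p.path.startswith("/")


def resolve_target(cookies, form, configured=CONFIGURED_TARGET, sp_host=SP_HOST):
    """Return (target_url, source) following the documented precedence.

    cookies: dict of request cookies (e.g. {"WASSamlSpReqUrl": ...})
    form:    dict of POST form fields from the ACS request (SAMLResponse, RelayState)
    """
    # 1. Cookie set by the SP during a bookmark-style login.
    req_url = cookies.get("WASSamlSpReqUrl")
    if req_url and is_acceptable_target(req_url, sp_host):
        return req_url, "cookie"

    # 2. RelayState from the IdP's POST; decoded first, as decodeURL[true] in the trace.
    relay = form.get("RelayState")
    if relay:
        candidate = unquote(relay)
        if is_acceptable_target(candidate, sp_host):
            return candidate, "RelayState"

    # 3. Static SP configuration, used when neither of the above is usable.
    return configured, "sp.targetUrl"


if __name__ == "__main__":
    # The posted trace: samlres present, target[null], RelayState[null].
    print(resolve_target({}, {"SAMLResponse": "<base64 omitted>"}))
    # IdP supplied a RelayState on the SP's own host.
    print(resolve_target({}, {"RelayState": "https%3A%2F%2Flocalhost%3A9443%2Fapp%2Fhome"}))
    # RelayState pointing elsewhere is ignored and the default wins.
    print(resolve_target({}, {"RelayState": "https://other.example/landing"}))
```

The order of the three branches is the whole point: a cookie the SP wrote itself outranks what the IdP sends, and the static sso_<id>.sp.targetUrl only fills the gap when the request carried nothing usable, which is exactly the situation the first trace shows with target[null] and RelayState[null].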