调用 Saml2PostBinding.Unbind() 时签名无效

Question

我们在调用 Unbind() 时收到“签名无效”错误，并在代码中偶然发现了这一点。 https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/42a2d6de46f38d14f0c6f607594d19f2366ad5f2/src/ITfoxtec.Identity.Saml2/Bindings/Saml2PostBinding.cs#L106

为什么 validateXmlSignature 参数总是 true 在 UnbindInternal() 内？

protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, string messageName)
{
  UnbindInternal(request, saml2RequestResponse);

  return Read(request, saml2RequestResponse, messageName, true, true);
}

我们的调用代码：

 var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse(saml2Config);

binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
{   
 throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
}

binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);

Answer 1

validateXmlSignature 参数始终为 true，因为签名位于 POST 绑定中的 XML 中，并且必须验证 SAML 2.0 Authn 响应签名。签名验证是对 SAML 2.0 令牌的信任。

调用 Saml2PostBinding.Unbind() 时签名无效

Signature is invalid while calling Saml2PostBinding.Unbind()

itfoxtec-identity-saml2