SSO between a web application in IBM WAS 7 and ADFS 2.0
I have set up SSO between a Tomcat web application and an ADFS server using the spring-security-saml2 plugin. I am trying to achieve the same thing for a web application deployed in IBM WebSphere Application Server 7.
I created a custom keystore in IBM WAS and used it to enable SSL on WAS. The keystore's personal certificate is used in the application's securityContext.xml to sign the metadata, and the ADFS server's signer certificate is imported. The ADFS server certificate is imported into the WAS keystore as a signer certificate. I am able to send the authentication request to the ADFS server and can also see the response in the logs. But on screen I get the following error while decoding.
Error 401: Authentication Failed: Error decoding incoming SAML message
In the log:
29-09-2015 15:06:25,722 DEBUG org.opensaml.ws.message.decoder.BaseMessageDecoder:85 - Successfully decoded message.
29-09-2015 15:06:25,722 DEBUG org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:191 - Checking SAML message intended destination endpoint against receiver endpoint
29-09-2015 15:06:25,722 DEBUG org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:203 - SAML message intended destination endpoint in message was empty, not required by binding, skipping
29-09-2015 15:06:25,723 DEBUG org.springframework.security.saml.websso.WebSSOProfileImpl:109 - No inbound message in artifact response message.
29-09-2015 15:06:25,724 DEBUG org.springframework.security.saml.websso.WebSSOProfileImpl:122 - Could not decode artifact response message.
org.opensaml.ws.message.decoder.MessageDecodingException: No inbound message in artifact response message.
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:110)
at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
The following error appears in the ADFS server log.
The artifact resolution request failed.
Additional Data
Exception message:
MSIS3015: The signing certificate of the claims provider trust '+++++++++++++++++++++' identified by thumbprint '#################' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
Can anyone help me resolve this?
You have to add IBM WAS as a relying party in ADFS. When we implemented this setup, the outcome/income claims became the main source for loading the user profile used for authentication, and the SAML response was passed to the SP (the end URL of your application).
Refer to the links below to configure it as a relying party in ADFS.
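As an added diagnostic, not part of the original question or either answer, the following PowerShell run on the ADFS server checks what the MSIS3015 event in the question is actually complaining about: whether any trust in ADFS holds the thumbprint the event reports, whether that certificate is inside its validity window, and whether it is self-signed (a custom WAS keystore usually is), in which case ADFS's default chain and revocation check on the request signature cannot pass even when the thumbprint matches. The thumbprint value is a placeholder to be replaced with the one from the event (the page masks it); the trust names come from whatever was registered in ADFS.

```powershell
# Added diagnostic script, not code from the original thread.
# Assumes it runs on the ADFS host with an account that can read the ADFS configuration.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 on Server 2008 R2
Import-Module ADFS -ErrorAction SilentlyContinue                        # ADFS on Server 2012 R2 and later

# Placeholder: paste the thumbprint printed in the MSIS3015 event here.
$ReportedThumbprint = "##################"

# The event prints the thumbprint as stored; strip spaces/colons and upper-case it
# so it compares cleanly with X509Certificate2.Thumbprint.
$Expected = ($ReportedThumbprint -replace '[\s:]', '').ToUpperInvariant()

# 1. Find which trust holds this certificate. The event text says "claims provider trust",
#    so look at both relying party and claims provider trusts rather than assuming.
$hits = @()
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    foreach ($c in @($rp.RequestSigningCertificate)) {
        if ($c.Thumbprint -eq $Expected) {
            $hits += [pscustomobject]@{ Kind = 'RelyingParty'; Name = $rp.Name; Cert = $c }
        }
    }
}
foreach ($cp in Get-AdfsClaimsProviderTrust) {
    foreach ($c in @($cp.TokenSigningCertificates)) {
        if ($c.Thumbprint -eq $Expected) {
            $hits += [pscustomobject]@{ Kind = 'ClaimsProvider'; Name = $cp.Name; Cert = $c }
        }
    }
}
if ($hits.Count -eq 0) {
    Write-Warning "No trust holds thumbprint $Expected. Re-import the SP metadata into the trust, or check that WAS is really signing with the certificate you think it is (keytool -list -v on the WAS keystore shows its SHA1 fingerprint)."
}

# 2. For every match: validity window and whether the certificate is self-signed.
foreach ($h in $hits) {
    $c          = $h.Cert
    $now        = Get-Date
    $selfSigned = ($c.Subject -eq $c.Issuer)
    "{0} trust '{1}': {2}  valid {3:u} -> {4:u}  self-signed={5}" -f $h.Kind, $h.Name, $c.Subject, $c.NotBefore, $c.NotAfter, $selfSigned

    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        Write-Warning "Certificate is outside its validity period: regenerate it in the WAS keystore and re-import the SP metadata."
    }

    if ($selfSigned -and $h.Kind -eq 'RelyingParty') {
        $rp = Get-AdfsRelyingPartyTrust -Name $h.Name
        "SigningCertificateRevocationCheck is currently: $($rp.SigningCertificateRevocationCheck)"
        # A self-signed SP certificate has no chain to a trusted root and no CRL, so the
        # default check fails. Two ways out, either one is enough:
        #   a) trust the SP certificate explicitly on the ADFS host:
        #        certutil -addstore Root was-sp.cer
        #   b) stop ADFS from chain/revocation-checking this trust's request signature:
        #        Set-AdfsRelyingPartyTrust -TargetName $h.Name -SigningCertificateRevocationCheck None
    }
}

# 3. Confirm the event itself if you need the exact thumbprint text (ADFS 2.0 log name).
Get-WinEvent -LogName "AD FS 2.0/Admin" -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS3015' } |
    Select-Object -First 3 TimeCreated, Message
```

Option (b) turns off revocation checking for that one trust only; option (a) keeps the check but gives the chain a root to end at. If the thumbprint does not match at all, the fix is on the WAS side: the certificate WAS signs the ArtifactResolve with (the keystore alias referenced in securityContext.xml) must be the one in the metadata ADFS imported.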
I used the WebSphere SAML TAI to set up SSO with ADFS. Some of the links I referred to are developerworks and techblog