IDP metadata loses the port in the Location URL when using https

I am testing an application that uses Spring Security SAML, with KeyCloak as the identity provider for testing. KeyCloak runs on both http and https by default, with a self-signed certificate.

When retrieving the metadata over https in the browser at https://localhost:8543/auth/realms/master/protocol/saml/descriptor, it correctly returns the following:

<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost:8543/auth/realms/master">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:KeyName>phlmLKZ2YqrT_0hsZQYSpBPrZxPmgNdI3I2AmPQFjg8</ds:KeyName>
          <ds:X509Data>
            <ds:X509Certificate>MIICmzCCAYMCBgF05GlTszANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAxMDAxMTM0NDAyWhcNMzAxMDAxMTM0NTQyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYxMG75gqear+r+4fyvmyNSMcHzB46HRk7sNd0Y9LDbuUT24KoyBz5A0ln1WyvCszoxpKcuKMcwGUP+kszbo8D3FjH+2zET+KoilEzDBn3g0JP6K8BUPyOoBftmRCujaI/kEjya1AQzM44xvFPp6hFlsGICqk6NJe8eWlRyv6/VE2MB+WSKq0OOtZz+PrMHvJC6R50xm4DLXLRCPXJ3HA9J78ghQTziPs69kCi90xsuYubX+qs8KfDPy1i8geZZM+PXQrPfM1BcAnwe7hUayqMLk5OeVrixm1KEZhqHMKaCXhDJE3uH4c++/TR++zIbdz2x15k24D569gxPSKlcYpjAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAB5SYnR0JFWMRE1qutLArc4NeD3DjbyBwvOZaCsLRz3T7paZe3O0SmKQGPkUyARrERvV01R8Q04OVuf+/UJ2fgYqRTthh5G0Y2qak9UL7oefrsuB15C4ZEjBJnoBZNzDXhmDYoOguxrxXMN9XPgJSO08+7l8nJE6V1cu4811+ksV67JaNkk6oU1V3/HU5+tRc2GpjiwO0qr4dKOGrrfRuRZ7BqzgLh/KcZOxvc5hbmxvtJrGh/xuuspAG/3akeEXTD754YLoZVFJTJOdXlbaBrfSvvIndV/gVfJyAavTGQBCcz+bucJ2ijNa394S36t5KrU9Hu4hXC0TgPbFPq7IrIk=</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>

When I give my application the same metadata location, it ends up trying to send me to a URL without port 8543, even though the port is present in every Location above:

https://localhost/auth/realms/master/protocol/saml

Debugging into the OpenSAML code, the port appears to be lost after returning from line 460 of AbstractMetadataProvider, where it parses the raw IDP metadata:

protected XMLObject unmarshallMetadata(InputStream metadataInput) throws UnmarshallingException {
    try {
        log.trace("Parsing retrieved metadata into a DOM object");
        Document mdDocument = parser.parse(metadataInput);
        // ... remainder of the OpenSAML method not quoted in the post

Is there any way to control this and have it respect the port in the metadata XML?

After further debugging, the port is also missing from the raw response obtained by HTTPMetadataProvider.

It turns out that the problem was caused by a misconfiguration of the HttpClient, which was not sending the port in the Host header, so Keycloak did not respond with the port.
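The root cause above is that the IdP builds its advertised URLs from the request's Host header, so a client that omits the non-default port gets metadata pointing at the wrong origin. The following is an added example (not code from the post, from Spring Security SAML or from Keycloak) that shows the Host header value a client must send for a given URL, and a check an SP can run on fetched metadata to catch endpoints whose origin does not match where the metadata came from; the function names and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def host_header_for(url: str) -> str:
    """HTTP/1.1 Host header value for `url` (RFC 7230 section 5.4): the port is
    included whenever it is not the scheme default, which is exactly what the
    misconfigured HttpClient in the post failed to do for https://localhost:8543."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is None or parts.port == default:
        return parts.hostname
    return f"{parts.hostname}:{parts.port}"


def endpoint_urls(metadata_xml: str) -> list:
    """Collect the entityID and every endpoint Location advertised in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    urls = [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]
    for e in root.iter():
        if e.tag.startswith("{" + MD_NS + "}") and e.get("Location"):
            urls.append(e.get("Location"))
    return urls


def mismatched_endpoints(metadata_xml: str, fetched_from: str) -> list:
    """Advertised URLs whose scheme/host/port differ from the origin the metadata
    was fetched from. Default ports are normalised, so https://h:443 == https://h.
    An empty list means the SP will redirect and POST to the expected origin."""
    expected = (urlsplit(fetched_from).scheme, host_header_for(fetched_from))
    return [u for u in endpoint_urls(metadata_xml)
            if (urlsplit(u).scheme, host_header_for(u)) != expected]


# Constructed sample: the shape of what the IdP returned when the Host header
# carried no port, i.e. every URL lacks :8543.
SAMPLE_WITHOUT_PORT = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 <md:EntityDescriptor entityID="https://localhost/auth/realms/master">
  <md:IDPSSODescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       Location="https://localhost/auth/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(host_header_for("https://localhost:8543/auth/realms/master"))
    print(mismatched_endpoints(SAMPLE_WITHOUT_PORT,
                               "https://localhost:8543/auth/realms/master/protocol/saml/descriptor"))
```

Running the check against the metadata an SP actually received (rather than what a browser shows) would have flagged both URLs immediately, pointing at the client side rather than at OpenSAML's parser.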
