I am implementing a SAML service provider with PySaml2.
When I receive the payload (the base64 SAMLResponse), my server does not accept it and returns the error SignatureError('Failed to verify signature').
The part that fails is the call to the xmlsec library: xmlsec1 --verify --enabled-reference-uris empty,same-doc --enabled-key-data raw-x509-cert --pubkey-cert-pem /path/to/cert.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --node-id ... --output /path/to/out.xml /path/to/payload.xml
However, I am using the certificate the IdP gave me, and in the cert.pem passed to the call above I can see that it really is the correct certificate being handed to xmlsec1 (the same one as in the payload itself).
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_d9e74668-c20d-43ea-9952-fb129adec5c2" Version="2.0"
                IssueInstant="2021-11-02T15:10:46.745Z" Destination="..."
                InResponseTo="_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4">
  <saml:Issuer>...</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_d3f5b2cb-b7d8-4844-9c0f-46e83ba6a7df" Version="2.0"
                  IssueInstant="2021-11-02T15:10:46.745Z">
    <saml:Issuer>...</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_d3f5b2cb-b7d8-4844-9c0f-46e83ba6a7df">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>... Here the certificate base64 ...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">lui@gmail.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-11-02T15:15:46.745Z" Recipient="..." InResponseTo="_4606cc1f427fa981e6ffd653ee8d6972fc5ce398c4"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-11-02T15:10:46.745Z" NotOnOrAfter="2021-11-02T15:15:46.745Z">
      <saml:AudienceRestriction>
        <saml:Audience>...</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lui@gmail.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Luis</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lui</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Luis Lui</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">431b0975-c262-4a9c-ab6c-95297efadedb</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
What could be going wrong?
Edit: here is the received base64-encoded XML payload:
This is hard to debug, because the XML you posted does not include the cert or the digest and has been modified.
XML can be hard to inspect once it has been posted to a website; after it has been modified it is impossible. Please generate another one from a test system and send it again. Base64-encoding it before pasting would also help.
You could also try the --trusted-pem /path/to/cert.pem option.
Update:
With the new base64, https://samltool.io/ shows that the Response is signed, not the Assertion, so the following works:
xmlsec1 --verify --trusted-pem cert.pem --enabled-reference-uris empty,same-doc --enabled-key-data raw-x509-cert --pubkey-cert-pem cert.pem --id-attr:ID Response --output out.xml tmp.xml
This also works with XML::Sig and https://tools.chilkat.io/xmlDsigVerify.cshtml
I am not using PySaml2, so it may have a bug, but if it does not, it should now verify with the correct certificate.
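A way to see which element a SAML Response actually signs without pasting the payload into a third-party site: the script below is an added example, not code from the question, the answer, or PySAML2. It uses only the Python standard library and runs on a constructed sample Response whose IDs, digest, signature value and certificate are placeholders (the certificate is not a real X.509 structure), so it inspects structure only and does not verify any signature. For each ds:Signature it reports the element that encloses it, whether each ds:Reference URI resolves to exactly that element (the condition an SP should require; a reference that resolves to some other element, or to several elements with the same ID, is the shape of a signature-wrapping attack), and the xmlsec1 --id-attr argument that matches. It also compares the certificate embedded in ds:KeyInfo byte-for-byte with the configured cert.pem, which is the check the question did by eye.

```python
"""Inspect where the XML signature in a SAML Response sits and what it covers.

Added example (not from the question, the answer or PySAML2). Standard
library only. SAMPLE_RESPONSE is constructed for the demo: its IDs,
DigestValue, SignatureValue and certificate are placeholders, so nothing
here verifies a signature; it only tells you which element is signed and
which --id-attr to hand to xmlsec1.
"""
import base64
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def split_tag(tag):
    """'{ns}local' -> (ns, local); an unqualified tag gets ns ''."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def find_signatures(xml_bytes):
    """Describe every ds:Signature in the document.

    For each ds:Reference the URI is resolved ('' = whole document,
    '#id' = element whose ID attribute is id) and compared with the
    element that physically contains the Signature. In SAML the two must
    be the same element (Response or Assertion); anything else is a
    dangling reference or a signature-wrapping layout and must not be
    trusted, no matter whether xmlsec1 says the signature is valid.
    """
    root = ET.fromstring(xml_bytes)
    parent = {child: p for p in root.iter() for child in p}
    by_id = {}
    for el in root.iter():
        if "ID" in el.attrib:
            # duplicate IDs are a red flag on their own: the verifier and
            # the SP logic may pick different elements for the same ID
            by_id.setdefault(el.attrib["ID"], []).append(el)
    results = []
    for sig in root.iter(DS + "Signature"):
        enclosing = parent[sig]
        ens, elocal = split_tag(enclosing.tag)
        for ref in sig.iter(DS + "Reference"):
            uri = ref.attrib.get("URI", "")
            if uri == "":
                targets = [root]
            elif uri.startswith("#"):
                targets = by_id.get(uri[1:], [])
            else:
                targets = []  # external reference: never acceptable in SAML
            results.append({
                "signed_element": elocal,
                "signed_namespace": ens,
                "reference_uri": uri,
                "reference_resolves_to_enclosing_element":
                    len(targets) == 1 and targets[0] is enclosing,
                "duplicate_id": len(targets) > 1,
                # same form as the --id-attr argument in the question
                "xmlsec1_id_attr": f"--id-attr:ID {ens}:{elocal}",
            })
    return results


def keyinfo_cert_matches(xml_bytes, pem_text):
    """True if the first ds:X509Certificate equals the certificate in pem_text."""
    root = ET.fromstring(xml_bytes)
    node = root.find(".//" + DS + "X509Certificate")
    if node is None or not node.text:
        return False
    embedded = base64.b64decode("".join(node.text.split()))
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        return False
    return embedded == base64.b64decode("".join(m.group(1).split()))


# Constructed sample data: a Response signed at the Response level, as the
# answer found for the real payload. The "certificate" is a placeholder blob.
FAKE_CERT_B64 = base64.b64encode(b"not a real certificate; demo placeholder").decode()
FAKE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"
OTHER_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(b"a different placeholder").decode()
                  + "\n-----END CERTIFICATE-----\n")

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2021-11-02T15:10:46.745Z">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2021-11-02T15:10:46.745Z">
    <saml:Issuer>https://idp.example/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
""".encode()

# Same document, but the Reference now points at the Assertion while the
# Signature still sits inside the Response: the wrapping shape to reject.
MISMATCHED_RESPONSE = SAMPLE_RESPONSE.replace(b'URI="#_resp1"', b'URI="#_assert1"')

if __name__ == "__main__":
    for r in find_signatures(SAMPLE_RESPONSE):
        print(r)
    print("KeyInfo cert equals cert.pem:", keyinfo_cert_matches(SAMPLE_RESPONSE, FAKE_CERT_PEM))
    print("wrapped layout flagged:",
          not find_signatures(MISMATCHED_RESPONSE)[0]["reference_resolves_to_enclosing_element"])
```

To use it on the real payload, replace SAMPLE_RESPONSE with the base64-decoded bytes of the SAMLResponse. If signed_element comes back as Response, pass --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response to xmlsec1, which is the fix the answer arrived at; if it is Assertion, the original --id-attr from the question is the right one. A matching KeyInfo certificate proves nothing by itself: an attacker controls ds:KeyInfo, so the SP must verify against the certificate taken from the IdP metadata (cert.pem here), which is exactly why --pubkey-cert-pem or --trusted-pem is given on the command line.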