小贝子编程

未在此响应、laravel和saml2上找到有效的SubjectConfirmation



在过去的几天里,我一直在试图弄清楚为什么我从IdP得到的响应被我使用的包拒绝了。我在用这个https://github.com/aacotroneo/laravel-saml2这是我得到的回应:

xml: """
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="vDJfB_2Fr9fGfh9izuYf6pSoE6q" IssueInstant="2020-11-04T08:55:23.144Z" InResp ▶
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idP</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="kle-id.i4AcYYOSNJEX0biJ1lhh" IssueInstant="2020-11-04T08:55:23.302Z" Version="2.0">
<saml:Issuer>idP</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#kle-id.i4AcYYOSNJEX0biJ1lhh">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Bm0ARLP+duLFtM0UwVkXYr+W9PRSYYuW4sv0rzQsGlI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RlvQm/VDU13e1oFU+y/0wr//bA6blrYBQER+57/hHq+SBRPDJl8hpEXnLaiv5AAEtzVteJrlhgc+
9YbTg8478l8hmBfVZVzlIa0POypWrNA8lwzhwDRAsQtbxypY3RPwKW0SSs6kq0K0EduxecG4grcl
1lWEpTRBtdv/NqVg6w8swSQzMXXf0GKjmqeagAqm3HeA6nSNc2T02ChwQ/78OZEbZjDaKj2Rqv2Y
1zqf/xyM2QZES3IlVfA5yekoJfG81sZYn5s+RiTsqFjAMvKrBsaPbEMZoT3ZcFQLY+/b08cTxCEM
RirLXRp86rAHhqps0+y1j9eFg0HWdvTO/3Ss0w==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
DELETED FOR PRIVACY REASONS
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
DELETED
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DELETED FOR PRIVACY REASONS</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="DELETED FOR PRIVACY REASONS" NotOnOrAfter="2020-11-04T09:00:23.305Z" InResponseTo="ONELOGIN_6134c96d0e247a491cc1a83286b4226c2d30004a"
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-11-04T08:50:23.305Z" NotOnOrAfter="2020-11-04T09:00:23.305Z">
<saml:AudienceRestriction>
<saml:Audience>DELETED FOR PRIVACY REASONS</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="kle-id.i4AcYYOSNJEX0biJ1lhh" AuthnInstant="2020-11-04T08:36:22.912Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
"""

我不确定发生了什么,但我一直在跟踪验证,在我看来,它在OneLogin\Saml2\response.php 的第359行检查NotBefore属性后拒绝了这个响应

有人能帮我弄清楚它到底是怎么回事吗?idp来自PingFederate

通过查看响应中的NotBefore和NotOnOrAfter时间戳,Ping被设置为5分钟的时钟偏移,这是正常/默认的。

如果没有更具体的错误消息,如果您的SP抱怨NotBefore,那么IDP服务器(PF(和SP应用程序之间似乎存在时钟漂移问题。确保两台服务器在操作系统设置中不仅有正确的时间,而且有正确的时区。您可能需要重新启动PF,以使其在系统时间内进行任何更改(如果您进行了更改(。

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium