我使用spring-security-saml2-core (1.0.0.RC2)使用SAML的ADFS 2.0。我使用HTTP-POST绑定。但是我对SingleLogout有个问题。
应用程序收到LogoutRequest
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://myhost:8443/my/saml/SingleLogout/alias/defaultAlias"
ID="_438dcef8-cd64-4e04-8e11-e87705f26b6c"
IssueInstant="2014-08-01T10:53:14.641Z"
NotOnOrAfter="2014-08-01T10:58:14.641Z"
Version="2.0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://adfs-server.local/adfs/services/trust</Issuer>
<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">nata</NameID>
<samlp:SessionIndex>_34e48828-a6b5-47c2-96fd-595f9d0a88b7</samlp:SessionIndex>
</samlp:LogoutRequest>
发送LogoutResponse
<saml2p:LogoutResponse
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://adfs-server.local/adfs/ls/"
ID="a2ddb014h7d7558f3cd5hfge981bicf"
InResponseTo="_438dcef8-cd64-4e04-8e11-e87705f26b6c"
IssueInstant="2014-08-01T10:53:43.808Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://myhost:8443/my/saml/metadata/alias/defaultAlias</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
</saml2p:LogoutResponse>
但是ADFS抛出关闭SAML-endpoint的错误:
MSIS7074: WebSSO配置文件的SAML身份验证请求必须指定一个没有NameQualifier、SPNameQualifier或SPProvidedId属性的发行者。
我的SingleLogout配置:
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
</security:filter-chain-map>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg type="org.springframework.security.web.authentication.logout.LogoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg>
<array value-type="org.springframework.security.web.authentication.logout.LogoutHandler">
<ref bean="logoutHandler"/>
</array>
</constructor-arg>
</bean>
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
:-)哎呀,这是令人困惑.....和重发? ?
首先:我的ADFS服务器2。x,在S2008(R2)和S2012上没有该消息。所以我认为它不可能是ADFS 2.0。我假设您正在Windows server 2012R2(从未标识为2.0)上的ADFS服务器上工作。: - (
消息(关于AuthnRequest与LogoutResponse)似乎完全不合适。看起来你在S2012R2上遇到了ADFS的一个小(超级混乱)错误。因为在这种情况下,ADFS 2.0会说一些别的东西。它会说[在validatesignaturerrequirements (SamlMessage)方法中]:"MSIS1014:当使用SAML HTTP重定向或HTTP POST绑定时,SAML LogoutRequest和LogoutResponse消息必须签名。"
所以你有一个bug要提交给Microsoft(参考这个描述可以帮助你)。同时,您应该要求服务提供商签署LogoutResponse。我有点惊讶ADFS没有签署退出请求。它通常会签署LogoutRequest。
paullem是对的。我们的Windows服务器是2012 R2, ADFS 3.0。
SAML LogoutRequest消息必须签名。错误已修复。我们在ExtendedMetadata中设置requirelogoutresponsessigned参数为"true"。
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="false" />
<property name="idpDiscoveryEnabled" value="false" />
<property name="requireLogoutResponseSigned" value="true"/>
</bean>