I can't set up custom single sign-on for Dropbox Business



I am trying to set up SSO login for my Dropbox Business account. I have developed a custom identity provider called Ianum. In the Dropbox console I configured:

  • Identity provider sign-in URL: https://alpha-id.ianum.com/SSO/SAML2/Redirect?idSamlIdp=saml_idp_2ottgAnc2sWHmAkiy6Mh
  • Identity provider sign-out URL: empty
  • X.509 certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

So if I go to dropbox.com, click Login and type my email address, Dropbox recognises that SSO is enabled and redirects me to my identity provider. The identity provider authenticates me and I am redirected back to Dropbox. The generated assertion is:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2169143f2dbb462d91ca75ef03326849" InResponseTo="id-5d8425907fc84102b167bbaf380d5dc5" IssueInstant="2019-10-07T13:40:45.611826+00:00" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://alpha-id.ianum.com/SSO/SAML2/Redirect?idSamlIdp=saml_idp_2ottgAnc2sWHmAkiy6Mh
  </saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0a2e10fb4e6245499bdb82d1e61f0d2f" IssueInstant="2019-10-07T13:40:45.611826+00:00" Version="2.0">
    <saml2:Issuer>https://alpha-id.ianum.com/SSO/SAML2/Redirect?idSamlIdp=saml_idp_2ottgAnc2sWHmAkiy6Mh</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
        <ds:Reference URI="#_0a2e10fb4e6245499bdb82d1e61f0d2f">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
          <ds:DigestValue>8+OwpT3G8PO2JsuySxMlZ3cy/Dw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>c9pBr1NM6voJ+nCymw1T8qXgFYBdqXLoDGVDwg6KLuQYZCxFjrJ8t+d65uV0tR5lGa65RmlVzWt+xrTk8mhvPbE2lVgttLkUcjVfD7VkjyVsOwhf80XTCa4EUOeckiU+o8aCfJvxQH158cHOfjRP5NIHHIhbWvSn0IvDUnnAVI8PieWCVqL7p6dBff/gDosb/NurBxluboC6tbDZ1NU6t3GxnikhG8C3Dd47G8HRF+W1comoHyd7VtPkbgIUJ2RCOx4MZ2OTI5qHWdh9hXsrVK1DMvB0frqzNoYKGGgQTKo53gywkcs81cKPvCiYSOlLZwOOk9DZG2vG564tirgwWw==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">f.castelli@ianum.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="id-5d8425907fc84102b167bbaf380d5dc5" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00" Recipient="https://www.dropbox.com/saml_login"></saml2:SubjectConfirmationData>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-10-07T13:37:45.611826+00:00" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00">
      <saml2:AudienceRestriction>
        <saml2:Audience>Dropbox</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-10-07T13:40:45.611826+00:00">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>

I am computing the digest over this:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0a2e10fb4e6245499bdb82d1e61f0d2f" IssueInstant="2019-10-07T13:40:45.611826+00:00" Version="2.0">
  <saml2:Issuer>https://alpha-id.ianum.com/SSO/SAML2/Redirect?idSamlIdp=saml_idp_2ottgAnc2sWHmAkiy6Mh</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">f.castelli@ianum.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="id-5d8425907fc84102b167bbaf380d5dc5" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00" Recipient="https://www.dropbox.com/saml_login"></saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2019-10-07T13:37:45.611826+00:00" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00">
    <saml2:AudienceRestriction>
      <saml2:Audience>Dropbox</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2019-10-07T13:40:45.611826+00:00">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>

Then I compute the signature over:

<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
  <ds:Reference URI="#_0a2e10fb4e6245499bdb82d1e61f0d2f">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
    <ds:DigestValue>8+OwpT3G8PO2JsuySxMlZ3cy/Dw=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>

The signature in the assertion is correct, but Dropbox says: "Could not validate SAML Assertion". What am I doing wrong?

The usual cause of this error is an X.509 certificate that has expired or is close to its expiry date. I suggest generating a new one and checking the dates.

If that still doesn't work, contact Dropbox support; it may be something specific to your SSO implementation.

That is your login URL, but is it also your IdP's entity ID? It is the entity ID that should be encoded in the <Issuer> element.

Also, rsa-sha1 has officially been considered insecure for signatures for some time now, and Dropbox may no longer support it. I would flip it over to rsa-sha256.
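As an added example (not part of either answer above, and not Dropbox's or Ianum's code), the following Python runs the relying-party checks a service provider such as Dropbox makes on a SAML Response before it will accept the assertion: the Issuer against the configured IdP entityID, an allowlist of signature and digest algorithms that rejects the SHA-1 identifiers from the question, the Reference URI, the Conditions and bearer SubjectConfirmationData time windows, and the Audience, Recipient and InResponseTo values. The sample input is a trimmed copy of the Response from the question with the certificate and signature value replaced by placeholders (constructed input). The alternative entityID `https://alpha-id.ianum.com` used in the usage note is a hypothetical value chosen to illustrate the Issuer point, not something the page states. The RSA signature value itself is not verified, because that needs an exclusive-C14N implementation that the standard library does not provide.

```python
"""Relying-party checks on a SAML 2.0 Response (added example, standard library only)."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm allowlists: the SHA-1 identifiers used in the question are deliberately absent.
ALLOWED_SIGNATURE_METHODS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}
ALLOWED_DIGEST_METHODS = {"http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512"}
LOGIN_URL = "https://alpha-id.ianum.com/SSO/SAML2/Redirect?idSamlIdp=saml_idp_2ottgAnc2sWHmAkiy6Mh"
# The SP's view of the exchange; the values are the ones visible in the question's Response.
DROPBOX_EXPECTED = {"idp_entity_id": LOGIN_URL, "audience": "Dropbox",  # the question uses the login URL as Issuer
                    "recipient": "https://www.dropbox.com/saml_login", "request_id": "id-5d8425907fc84102b167bbaf380d5dc5"}
# Trimmed copy of the question's Response (constructed input: the certificate and the
# SignatureValue, which were elided on the page, are replaced by placeholders).
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" ID="_2169143f2dbb462d91ca75ef03326849"
    InResponseTo="id-5d8425907fc84102b167bbaf380d5dc5" IssueInstant="2019-10-07T13:40:45.611826+00:00" Version="2.0">
  <saml2:Issuer xmlns:saml2="{NS['saml2']}">{LOGIN_URL}</saml2:Issuer>
  <saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="_0a2e10fb4e6245499bdb82d1e61f0d2f"
      IssueInstant="2019-10-07T13:40:45.611826+00:00" Version="2.0">
    <saml2:Issuer>{LOGIN_URL}</saml2:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_0a2e10fb4e6245499bdb82d1e61f0d2f">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>8+OwpT3G8PO2JsuySxMlZ3cy/Dw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="id-5d8425907fc84102b167bbaf380d5dc5" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00" Recipient="https://www.dropbox.com/saml_login"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-10-07T13:37:45.611826+00:00" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00">
      <saml2:AudienceRestriction><saml2:Audience>Dropbox</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_instant(value):
    # SAML instants are xs:dateTime in UTC; accept both the 'Z' and the '+00:00' spelling.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected, now_iso):
    """Return the findings an SP would raise at time now_iso; an empty list means the assertion passes."""
    now = parse_instant(now_iso)
    root = ET.fromstring(xml_text)
    findings = []
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    if root.get("InResponseTo") != expected["request_id"]:
        findings.append("Response InResponseTo does not match the AuthnRequest ID")
    for label, elem in (("Response", root), ("Assertion", assertion)):
        issuer = elem.findtext("saml2:Issuer", default="", namespaces=NS).strip()
        if issuer != expected["idp_entity_id"]:
            findings.append(f"{label} Issuer {issuer!r} is not the configured IdP entityID")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("Assertion is unsigned")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        digest_alg = ref.find("ds:DigestMethod", NS).get("Algorithm")
        if sig_alg not in ALLOWED_SIGNATURE_METHODS:
            findings.append(f"SignatureMethod {sig_alg} rejected; use rsa-sha256 or stronger")
        if digest_alg not in ALLOWED_DIGEST_METHODS:
            findings.append(f"DigestMethod {digest_alg} rejected; use sha256 or stronger")
        if ref.get("URI") != "#" + assertion.get("ID", ""):
            findings.append("Signature Reference URI does not point at this Assertion")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")):
            findings.append("Conditions NotBefore lies in the future")
        if cond.get("NotOnOrAfter") and now >= parse_instant(cond.get("NotOnOrAfter")):
            findings.append("Conditions NotOnOrAfter has passed")
        audiences = [a.text.strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected["audience"] not in audiences:
            findings.append(f"Audience {audiences} does not include {expected['audience']!r}")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("bearer SubjectConfirmationData is missing")
    else:
        if scd.get("Recipient") != expected["recipient"]:
            findings.append("SubjectConfirmationData Recipient is not the SP's ACS URL")
        if scd.get("InResponseTo") != expected["request_id"]:
            findings.append("SubjectConfirmationData InResponseTo does not match the AuthnRequest ID")
        if scd.get("NotOnOrAfter") and now >= parse_instant(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData NotOnOrAfter has passed")
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, DROPBOX_EXPECTED, "2019-10-07T13:40:50+00:00"):
        print("FAIL:", finding)
```

Run against the question's own values a few seconds after IssueInstant, the only findings are the two SHA-1 algorithms, which is the second answer's point. Passing `dict(DROPBOX_EXPECTED, idp_entity_id="https://alpha-id.ianum.com")` (the hypothetical entityID) adds an Issuer mismatch for both the Response and the Assertion, which is what an SP sees when the login URL is put in `<Issuer>` instead of the entityID; moving `now_iso` past 13:55:45 adds the two NotOnOrAfter findings.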
