问题描述
我是护照和护照 - saml的新手,我正在尝试构建一个Node.js服务器,它使用我们大学的Shibboleth身份提供商进行单点登录。我非常接近让它一切正常,但是我在/ login / callback期间遇到一个陷阱,我认为这与加密配置有关。
I'm new to passport and passport-saml, and I'm trying to build a Node.js server that uses our University's Shibboleth identity provider for single sign-on. I'm pretty close to getting it all working, but I'm hitting a snag during the /login/callback that I think is related to the encryption configuration.
我能够将客户端重定向到登录页面,登录成功后,IdP将POST返回到我的/ login / callback路由。然后我得到这个错误:
I am able to redirect the client to the sign-in page, and after a successful sign-in, the IdP does a POST back to my /login/callback route. Then I get this error:
错误:SAML.validatePostResponse(... / node_modules / passport-saml / lib / passport-saml / saml.js中的无效签名: 357:21)在...等...中的Strategy.authenticate(... / node_modules / passport-saml / lib / passport-saml / strategy.js:68:18)...
Error: Invalid signature at SAML.validatePostResponse (.../node_modules/passport-saml/lib/passport-saml/saml.js:357:21) at Strategy.authenticate (.../node_modules/passport-saml/lib/passport-saml/strategy.js:68:18) at ...etc...
这听起来可能是我传递给证书的证书配置设置是不正确的?我假设 decryptPvk 和 cert 配置设置应该是我用来创建我的服务器的证书的私钥,以及身份提供者的HTTPS证书?或者他们应该是别的吗?
This sounds like maybe the certificate I'm passing to the cert config setting isn't correct? I'm assuming that the decryptionPvk and cert config settings supposed to be the private key I used to create my server's cert, and the Identity Provider's HTTPS certificate, respectively? Or should they be something else?
我正在使用最新版本的节点和所有各种模块(快递,护照,护照等) )
I'm using up-to-date versions of node and all the various modules (express, passport, passport-saml, etc.)
为了参考,这里是我用来测试所有这些的服务器脚本:
And for reference, here's the server script I'm using to test all of this:
"use strict;"
var https = require('https');
var fs = require('fs');
var express = require("express");
var morgan = require('morgan');
var bodyParser = require('body-parser');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var passport = require('passport');
var saml = require('passport-saml');
var cert = fs.readFileSync('./certs/my-server-https-cert.crt', 'utf-8');
var pvk = fs.readFileSync('./certs/my-server-private.key', 'utf-8');
var uwIdpCert = fs.readFileSync('./certs/our-idp-server-https-cert.pem', 'utf-8');
passport.serializeUser(function(user, done){
done(null, user);
});
passport.deserializeUser(function(user, done){
done(null, user);
});
var samlStrategy = new saml.Strategy({
callbackUrl: 'https://my-domain-name.whatever.edu/login/callback',
entryPoint: 'https://my-university/idp/entry/point',
issuer: 'my-entity-id (domain name registered with university IdP)',
decryptionPvk: pvk,
cert: uwIdpCert
}, function(profile, done){
console.log('Profile: %j', profile);
return done(null, profile);
});
passport.use(samlStrategy);
var app = express();
app.use(morgan('dev'));
app.use(bodyParser.urlencoded({extended: true}));
app.use(cookieParser());
app.use(session({secret: fs.readFileSync('./certs/session-secret.txt', 'utf-8')}));
app.use(passport.initialize());
app.use(passport.session());
app.get('/',
passport.authenticate('saml', {failureRedirect: '/login/fail'}),
function(req, res) {
res.send('Hello World!');
}
);
app.post('/login/callback',
passport.authenticate('saml', { failureRedirect: '/login/fail', failureFlash: true }),
function(req, res) {
res.redirect('/');
}
);
app.get('/login/fail',
function(req, res) {
res.send(401, 'Login failed');
}
);
app.get('/Shibboleth.sso/Metadata',
function(req, res) {
res.type('application/xml');
res.send(200, samlStrategy.generateServiceProviderMetadata(cert));
}
);
//general error handler
app.use(function(err, req, res, next){
console.log('Express error!');
console.error(err.stack);
next(err);
});
var server = https.createServer({
key: pvk,
cert: cert
}, app);
server.listen(process.argv[2] || 44300, function(){
console.log('Listening on port %d', server.address().port)
});
任何帮助或建议将不胜感激!
Any help or advice would be most appreciated!
推荐答案
是的, cert 是身份提供者的证书 - 不一定是其HTTPS证书。
Yes, the cert is the certificate of the identity provider -- not necessarily its HTTPS certificate though.
您的shibboleth身份提供者应该有一个提供者元数据文档。如果您还没有,您可能需要确保 uwIdpCert 的内容与< ds:X509Certificate> 阻止该文件。 (是元数据文档应该是什么样的示例)
Your shibboleth identity provider should have a provider metadata document. If you haven't already, you probably want to make sure the contents of uwIdpCert matches the <ds:X509Certificate> block in that document. (here is an example of what that metadata document should look like)
如果你确定证书是正确的,我会很好奇地看到中的xml变量的内容SAML.prototype.validatePostResponse 。 (即,只要输入console.log语句,看看它的样子)。最近护照 - saml的签名验证逻辑已经有一些变化,您的提供商可能会做出一些意想不到的事情。
If you're pretty sure that the certificates are correct, I'd be curious to see the contents of the xml variable in SAML.prototype.validatePostResponse. (i.e., just throw in a console.log statement and see what it looks like). There have been some changes to the signature validation logic in passport-saml recently and it's possible your provider is doing something unexpected.
这篇关于护照和SAML加密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!