问题描述

我查看了许多问题，包括 https://stackoverflow.com/a/25384924/1317559 .我拥有IdP元数据和证书，但似乎无法获得Spring，因此请参见.

I have looked at many questions including https://stackoverflow.com/a/25384924/1317559. I have the IdP metadata and certificate, but can't seem to get Spring so see it.

• 将证书添加到密钥库中:keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file certificate.crt
• 元数据中有多个证书(2个不同的证书)和一个SignatureValue.
• 我尝试使用相同的keytool命令添加签名值，但这不是证书.
• 我也尝试添加在元数据中找到的2个证书.

我启用了调试日志，这就是我得到的:

I enabled debugging log and this is what I get:

• 使用KeyInfo派生的凭据成功验证了签名
• 尝试建立对KeyInfo派生的凭据的信任
• 提供的受信任名称为空或为空，跳过名称评估
• 尝试对不受信任的凭证进行PKIX路径验证:[subjectName ='O = novell，OU = accessManager，CN = test-signing']
• PKIX路径构建因不受信任的凭据而失败:[subjectName ='O = novell，OU = accessManager，CN = test-signing']:无法找到到请求目标的有效证书路径
• 无法通过签名证书的PKIX验证建立签名信任
• 无法建立对KeyInfo派生的凭据的信任
• 无法使用任何KeyInfo派生的凭据来验证签名和/或建立信任
• PKIX签名验证失败，无法解析有效且受信任的签名密钥
• 元数据条目 http://idp.ppd.com/nidp/的签名信任建立失败saml2/metadata
• 从 http://idp.ppd.com/nidp/saml2/metadata org.opensaml.saml2.metadata.provider.FilterException:元数据输入的签名信任建立失败在org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:312)

• Successfully verified signature using KeyInfo-derived credential
• Attempting to establish trust of KeyInfo-derived credential
• Supplied trusted names are null or empty, skipping name evaluation
• Attempting PKIX path validation on untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']
• PKIX path construction failed for untrusted credential: [subjectName='O=novell,OU=accessManager,CN=test-signing']: unable to find valid certification path to requested target
• Signature trust could not be established via PKIX validation of signing credential
• Failed to establish trust of KeyInfo-derived credential
• Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
• PKIX validation of signature failed, unable to resolve valid and trusted signing key
• Signature trust establishment failed for metadata entry http://idp.ppd.com/nidp/saml2/metadata
• Error filtering metadata from http://idp.ppd.com/nidp/saml2/metadataorg.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entryat org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:312)

推荐答案

Spring SAML手册在第7.2.4章.一种选择是禁用信任检查，或从元数据中手动删除签名XML.就像您发现的一样，要导入到samlKeystore.jks的证书是用于生成元数据签名的证书，而不是用于特定SP或IDP实体的签名/加密证书.

The Spring SAML manual describes metadata trust verification in chapter 7.2.4. One option is to disable the trust check, or manually remove the signature XML from metadata. Just like you found out, the certificate to import to samlKeystore.jks is the one used to produce the metadata signature, not the signing/encryption certificates for specific SP or IDP entities.

这篇关于Spring Security SAML IdP元数据证书和签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！