java - OIOSAML : Service endpoint settings issue

Question

我基于 OIOSAML 编写了一个简单的系统，具有 SP 发起的 Web SSO 场景。为了测试系统，我将其部署在远程主机上。

但是 AssertionConsumerServiceURL，我在其中指定了 URL，其中 Shibboleth idP(基于Shibboleth的idP)应该返回未调用的答案。

SAMLAssertionConsumer - 只是一个简单的 servlet，如下所示:

@WebServlet("/saml/consumer")
public class SAMLAssertionConsumer extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        System.out.println(new Date() + " incoming AuthResponse");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("Yes, it worked");

        System.out.println(new Date() + " incoming AuthResponse");
    }
}

首先，我只需要确保得到响应。

我的 web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
    metadata-complete="false"     
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" >

    <display-name>OIOSAML-J</display-name>

    <listener>
        <listener-class>dk.itst.oiosaml.sp.service.session.SessionDestroyListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>SAMLDispatcherServlet</servlet-name>
        <servlet-class>dk.itst.oiosaml.sp.service.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>SAMLDispatcherServlet</servlet-name>
        <url-pattern>/saml/*</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>LoginFilter</filter-name>
        <filter-class>dk.itst.oiosaml.sp.service.SPFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>LoginFilter</filter-name>
        <url-pattern>/sp/*</url-pattern>
    </filter-mapping>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

</web-app>

我的 oiosaml-sp.properties:

# Properties used by oiosaml-j

# Reference to the location of the certificate used for signing SAML documents with - relative to ${oiosaml.home}
oiosaml-sp.certificate.location=./certificate/keystore

# Opaque/encrypted password to the certificate used for signing SAML documents
oiosaml-sp.certificate.password=some_password

# Required authentication level. 2=password, 3=certificate
oiosaml-sp.assurancelevel=2

# Name of the meta data file for the current service provider - overrides setting in brs-common.properties
common.saml2.metadata.sp.filename=SPMetadata.xml

# URI References to the current service provider
oiosaml-sp.uri.home=

# Whether to validate server certificates. Set to false in production.
# Used for artifact resolution.
oiosaml-sp.resolve.ignorecert=true

# Artifact resolution username and password. Only used the artifact profile is active.
oiosaml-sp.resolve.username=rolf.trifork.com
oiosaml-sp.resolve.password=rolf.trifork.com

生成的AuthnRequest:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="http://ip-of-remote-system-here:8080/saml/consumer"
                     Destination="http://ip-of-identity-provider-here/idp/profile/SAML2/Redirect/SSO" ForceAuthn="false"
                     ID="_31e...341d322d1d" IsPassive="false"
                     IssueInstant="2014-07-11T10:24:43.852Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://ip-of-remote-system-here:8080</saml2:Issuer>
</saml2p:AuthnRequest> 

有一些JSP页面private.jsp，我向它发出请求:

http://ip-of-remote-system-here:8080/sp/private.jsp

在此请求之后，我重定向到身份提供商的登录页面:

http://ip-of-identity-provider-here/idp/Authn/CommonLogin

输入几个登录名/密码，然后......什么都没有。打开包含一些常见错误描述的页面:

http://ip-of-identity-provider-here/idp/Authn/UsernamePasswordLogin

error

An error occurred while request processing.

不起作用，我的servlet SAMLAssertionConsumer，控制台很清晰。但如果我直接向我的 servlet SAMLAssertionConsumer 发出请求:

http://ip-of-remote-system-here:8080/saml/consumer

然后就可以了。当然。

我想知道如何正确配置断言消费者服务。这是 SP 元数据的一部分，我在其中指定断言使用者。

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:esia="urn:esia:shibboleth:2.0:mdext" entityID="http://ip-of-remote-system-here:8080">
...
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  Location="http://ip-of-remote-system-here:8080/saml/consumer" ResponseLocation="http://ip-of-remote-system-here:8080/saml/consumer"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ip-of-remote-system-here:8080/saml/consumer" index="0" isDefault="true"/>

Answer 1

问题是不同的。使用了不正确的 keystore 。现在一切都OK了。

最初，我假设 entityID 属性必须引用属性 Location 中指定的域名。然而，事实并非如此。它必须是唯一的，最好使用域名。

UnderstandingShibboleth, EntityNaming:

Shibboleth identity and service providers are used in SAML deployments, and as such, they are assigned a unique name known as an "entityID".

Metadata for the OASIS Security Assertion Markup Language (SAML)V2.0, 2.3.2 Element :

entityID [Required] -

 Specifies the unique identifier of the SAML entity whose metadata is 
 described by the element's contents.

UnderstandingShibboleth, EntityNaming:

Strongly recommended NOT to use the physical hostname of a server running Shibboleth as the entityID. As time passes, things get moved and that deployment may not always live on the same box.

Additionally there may be multiple logical deployments of Shibboleth on a single physical server, each requiring their own unique entityID, so using the server's name doesn't scale beyond a single one.

沙箱中可以使用物理地址。