1. 首頁
  2. 問答
  3. SAML響應和斷言是否已簽名/未簽名?

SAML響應和斷言是否已簽名/未簽名?

2016-07-22 185 views
0

我已經成功部署並運行了spring saml示例。從SAML響應者(IdP - > SP)如下所示,可以將其識別是否:SAML響應和斷言是否已簽名/未簽名?

  1. SAML響應是符號或無符號?
  2. 斷言是否加密? (我猜是加密的)
  3. 斷言是有符號還是無符號?
 

    <?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://MY_SP/spring-security-saml2-sample/saml/SSO" ID="_22bf0c00-9cfa-5dbb-7af7-d34eec7d9b6f" InResponseTo="we3977191e5g4try1b3g52j4f84e43f" IssueInstant="2016-07-22T08:22:41.568Z" Version="2.0"> 
     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://MY_ADFS_SERVER/adfs/services/trust</Issuer> 
     <samlp:Status> 
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> 
     </samlp:Status> 
     <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> 
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"> 
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
       <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
        </e:EncryptionMethod> 
        <KeyInfo> 
         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
         <ds:X509IssuerSerial> 
          <ds:X509IssuerName>CN=apollo, OU=R&amp;D, O=RM5 Software Oy, L=Helsinki, S=Uusimaa, C=FI</ds:X509IssuerName> 
          <ds:X509SerialNumber>2343092425</ds:X509SerialNumber> 
         </ds:X509IssuerSerial> 
         </ds:X509Data> 
        </KeyInfo> 
        <e:CipherData> 
         <e:CipherValue>Mpz3raT40LBmwUfzz+a52+ryijTMqVqtnk8T2YOJ27Xs/dS 
    jMZHShDfMGsD1wwXb2a2jGjpjCLgLWsZ1t8LWgxevSbmTZuGGSfAMhfdOwmJMijRYdKrHdiyn+syFUof 
    0MDMykI135ulCL9MGWVUvR1pNz+W+tZzQKcQ+is6USH4OGnUKiMSaow==</e:CipherValue> 
        </e:CipherData> 
       </e:EncryptedKey> 
      </KeyInfo> 
      <xenc:CipherData> 
       <xenc:CipherValue>iefcMnnYFLtb 
    EObkQpItoZk4tRuMDX9dqt1DucK91ZZRigHeQ2DuUYe2FZpGtQ2vFVtS2ycXSnVR2V4wx4Vd2VeR/G3I 
    GHkqQ9GtOxv8RvkRtEbJTptmjoMT1t7ZNE4tn+hDmzMMK7Xy9f+xkk/z5IHvNKlscnsG/wXoRuMykKnJ 
    tODd0ILiVF/ygQqY477lxVFDlaa4HH/rcx+DZOcDFiFjiuLj41dF1rdG90XCmWvr2BfUTzYl3SHakoyK 
    AmmgesyCJQcHN54ckFiO/wvLttw09wdvC4sg92xlhhfGtQqMuvfT7YESOvHnC1FOEsf4CjoMaByZjwN2 
    QBRHPRJTBPjwmfVgTk+g==</xenc:CipherValue> 
      </xenc:CipherData> 
      </xenc:EncryptedData> 
     </EncryptedAssertion> 
    </samlp:Response>

我從SP服務器的調試日誌,上面的SAML響應被解析之後,如下所示。這使我很困惑,消息和/或斷言是否沒有被簽名。

- Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message 
- Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule 
- HTTP request was not signed via simple signature mechanism, skipping 
- SAML protocol message was not signed, skipping XML signature processing 
- Successfully decoded message.

來源

2016-07-22 cole

回答

0
  1. SAML迴應未簽名。
  2. SAML聲明已加密。 (你可以看到「EncryptedAssertion」)
  3. SAML斷言沒有被簽名。

嘗試在您的SP元數據中設置WantAssertionsSigned =「true」,與IdP交換並檢查您是否收到簽名的SAML響應。

參見:http://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-metadata.html

來源

2016-07-25 22:23:35 Zeigeist

+0

上IDP改變的配置,現在後的後的反應溶液。但是,這個簽名是否適用於響應和斷言或者只是響應?我如何知道與消息的這種不同? – cole

+0

當設置WantAssertionsSigned =「true」時,收到的簽名對應於斷言部分。嘗試僅簽署收到的斷言部分,並檢查收到的簽名,它必須相同。 – Zeigeist

相關問題

 相關問題