I am trying to use ITfoxtec to send metadata to the IdP but I get an obscure error

Question


I am using the ITfoxtec SAML library in a .Net Core web app that will be a service provider, and it will be connecting to a SAML identity provider to initiate single sign-on.

I am trying to set up my SP metadata that the IdP needs.

Whenever I run the web app and try to test if it's working, it starts up fine, but when I try to sign in via single sign-on, I get this error:

> “Signature is invalid”

I have the following in my appsettings.json file:

  "Saml2": {
    "IdPMetadata": "https://zion.xyz.edu/idp",
    "Issuer": "Arizona State",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
    "SigningCertificatePassword": "!QAZ2wsx",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck",
    "samlMetadataUrl": "~/SP_webapp/Metadata"
  }

That samlMetadataUrl is supposed to point to my MetadatController.cs which has this code:

using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

public class MetadataController : Controller
{
    private readonly Saml2Configuration config;

    public MetadataController(IOptions<Saml2Configuration> configAccessor)
    {
        config = configAccessor.Value;
    }

    // Serves the SP metadata document that the IdP imports (samlMetadataUrl in appsettings.json).
    public IActionResult Index()
    {
        var defaultSite = new Uri($"{Request.Scheme}://{Request.Host.ToUriComponent()}/");

        var entityDescriptor = new EntityDescriptor(config);
        entityDescriptor.ValidUntil = 365;
        entityDescriptor.SPSsoDescriptor = new SPSsoDescriptor
        {
            WantAssertionsSigned = true,
            // The IdP checks AuthnRequest signatures against this certificate, so it must be
            // the same certificate that SigningCertificateFile points at.
            SigningCertificates = new X509Certificate2[]
            {
                config.SigningCertificate
            },
            //EncryptionCertificates = new X509Certificate2[]
            //{
            //    config.DecryptionCertificate
            //},
            SingleLogoutServices = new SingleLogoutService[]
            {
                new SingleLogoutService { Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/SingleLogout"), ResponseLocation = new Uri(defaultSite, "Auth/LoggedOut") }
            },
            NameIDFormats = new Uri[] { NameIdentifierFormats.X509SubjectName },
            AssertionConsumerServices = new AssertionConsumerService[]
            {
                new AssertionConsumerService { Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/AssertionConsumerService") },
            },
            AttributeConsumingServices = new AttributeConsumingService[]
            {
                new AttributeConsumingService { ServiceName = new ServiceName("Some SP", "en"), RequestedAttributes = CreateRequestedAttributes() }
            },
        };
        entityDescriptor.ContactPersons = new[] {
            new ContactPerson(ContactTypes.Administrative)
            {
                Company = "Arizona State",
                GivenName = "Redding",
                SurName = "Smith",
                EmailAddress = "rs23@123.edu",
                TelephoneNumber = "xxx-214-3932",
            }
        };
        return new Saml2Metadata(entityDescriptor).CreateMetadata().ToActionResult();
    }

    // Attributes the SP asks the IdP to release; the second argument is isRequired.
    private IEnumerable<RequestedAttribute> CreateRequestedAttributes()
    {
        yield return new RequestedAttribute("urn:oid:2.5.4.4");
        yield return new RequestedAttribute("urn:oid:2.5.4.3", false);
        yield return new RequestedAttribute("urn:xxx", true, "test-value");
    }
}

Answer 1

Score: 1


If you get the error on the IdP when it is called, you are requiring the SAML Authn to be signed, then the IdP has an incorrect SP metadata.

If you get the error after the user has logged in at the IdP, the IdP metadata "IdPMetadata": "https://zion.xyz.edu/idp" containing the IdP certificate is incorrect. It is also possible that the IdP uses another signature algorithm "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
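Added example (not code from the question, the answer or the ITfoxtec project): a small Python triage script for the two cases the answer distinguishes. Fed the IdP metadata and a signed samlp:Response, it checks whether the certificate in the response's KeyInfo is one of the signing certificates the metadata publishes and whether the SignatureMethod is the rsa-sha256 URI from the question's appsettings; fed the SP metadata as registered at the IdP and a signed AuthnRequest, the same functions cover the first case from the IdP's side. The metadata, the Response skeleton and the certificate blobs are constructed samples (the base64 is not real DER); only the entity ID and the algorithm URI are taken from the page. It compares identities and algorithms, it does not verify the XML signature itself, which the library does.

```python
"""Triage for a SAML "Signature is invalid" error: does the message's signing
certificate appear in the metadata, and is the algorithm the expected one?
All XML and certificates below are constructed samples, not real data."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # from the question
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"            # older default on some IdPs


def cert_fingerprint(b64: str) -> str:
    """SHA-256 over the decoded certificate bytes; whitespace in the base64 is ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()


def metadata_signing_fingerprints(metadata_xml: str):
    """Fingerprints of every certificate the metadata presents for signing.
    A KeyDescriptor without 'use' covers signing and encryption, so it counts."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append(cert_fingerprint(cert.text))
    return found


def signed_message_info(message_xml: str):
    """(SignatureMethod algorithm, fingerprint of the KeyInfo certificate) of the
    message-level ds:Signature, or (None, None) when the message is unsigned."""
    root = ET.fromstring(message_xml)
    sig = root.find("ds:Signature", NS)  # direct child only: the message signature
    if sig is None:
        return None, None
    algorithm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return algorithm, (cert_fingerprint(cert.text) if cert is not None else None)


def diagnose(metadata_xml: str, message_xml: str, expected_algorithm: str):
    """Return a list of findings; an empty list means metadata and message agree."""
    trusted = metadata_signing_fingerprints(metadata_xml)
    algorithm, fingerprint = signed_message_info(message_xml)
    if algorithm is None:
        return ["message carries no message-level signature"]
    findings = []
    if algorithm != expected_algorithm:
        findings.append(f"algorithm mismatch: message signed with {algorithm}, SP expects {expected_algorithm}")
    if fingerprint is None:
        findings.append("KeyInfo has no X509Certificate; compare the published certificate by hand")
    elif fingerprint not in trusted:
        findings.append(f"signing certificate {fingerprint[:16]}... is not among the "
                        f"{len(trusted)} signing certificate(s) in the metadata")
    return findings


# --- constructed sample data (stand-ins for DER certificates, not real ones) ---
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

CERT_A = _b64(b"constructed IdP signing certificate A")
CERT_B = _b64(b"constructed IdP signing certificate B (after rotation)")

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://zion.xyz.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(cert_b64: str, algorithm: str) -> str:
    """Minimal signed samlp:Response skeleton; SignatureValue is a placeholder."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo><ds:SignatureMethod Algorithm="{algorithm}"/></ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def run_checks():
    """IdP rotated its certificate while the SP still loads old metadata; IdP signs
    with a different algorithm than the SP expects; and the consistent case."""
    return {
        "rotated_cert": diagnose(IDP_METADATA, make_response(CERT_B, RSA_SHA256), RSA_SHA256),
        "wrong_algorithm": diagnose(IDP_METADATA, make_response(CERT_A, RSA_SHA1), RSA_SHA256),
        "consistent": diagnose(IDP_METADATA, make_response(CERT_A, RSA_SHA256), RSA_SHA256),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "->", findings or ["ok"])
```

For the first case in the answer, run `diagnose()` with the SP metadata the IdP actually holds and a captured AuthnRequest: the fingerprint must match the certificate in the question's SigningCertificateFile, and if the pfx was changed after the metadata from `~/SP_webapp/Metadata` was uploaded, the IdP still holds the old one. With `CertificateValidationMode` set to `None` and `RevocationMode` to `NoCheck` as in the question's appsettings, no chain or revocation check backs this up, so an exact match between metadata and the signing certificate is the only thing binding the trust.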

huangapple
  • Posted on 2023-06-06 00:40:31
  • Please keep this link when reposting: https://go.coder-hub.com/76408439.html