问题
I've made an implementation based on this with a FilesystemMetadataProvider: https://github.com/vdenotaris/spring-boot-security-saml-sample
To make the SSL handshake work for the artifact binding I had to put/trust the CA certificate for the IDP in the java keystore used by the keyManager.
I would rather have used the cacerts on the jre in case the IDP changed CA, but I haven't been able to find any property to set so that Spring SAML looks inside that instead.
Also this answer suggest that the cacert is ignored altogheter: Spring Security SAML - HTTPS connections
Why is the cacert ignored in Spring SAML? This seems like a deficiency for me.
I have checked that the CA for the IDP is in the cacert file for my jre. If i remove the beans related to TLS/socket factory from the config it still fails.
回答1:
Yes, cacerts is ignored. Spring SAML uses custom implementations for handling of trust, with an intention of providing more control over the system's security. You can always quite easily copy over all certificates from cacerts to samlKeystore.
回答2:
Your custom certificate/JDK default certificate must have IDPs certicate imported as trust .
Your custom certificate used in JKS manager must have at-least one private key.
Please import your trust in JDK_PATH/jre/lib/securitycacerts and try the command wget <your_idp_descriptor_url>
来源:https://stackoverflow.com/questions/36884997/why-is-cacerts-ignored-in-spring-saml