Question
I'm trying to configure a web app in PHP for SSO with the WSO2 Identity Server. I can configure a web app in Java and it works OK, but not PHP.
For PHP I use this: http://support.onelogin.com/entries/268420-saml-toolkit-for-php
I'm facing the following error [IS console]:
[2014-03-04 14:58:26,891] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query string : SAMLRequest=fVPLbtswELznKwLeZVGyYieEJUB1%2BjDg2oKt9NAbQ65rARSpcqnG%2FftSDzdO0XgvBIazw9kHF8hr1bC8dUe9g58toLu59XGqlUbWX6aktZoZjhUyzWtA5gTb51%2FXLJ5Q1ljjjDCK%2FJN2PYsjgnWV0UPa6jEl283H9fbzaiPo7E7OHzg9zO%2BnMBPJLJJ0SiGR8TymQj7HCQcZwZD5DSx6mZR41VELsYWVRse18zCNkoBOA5qU0QO7u2fx7PvAK0bjHyotK%2F3jut%2FngYTsS1kWQbHdl4NIfq5jaTS2Ndg92F%2BVgKfdOiVH5xoWhsoIro4GXdgcm6DrTSgG9sQDJOuFFh3Oeu82O%2FMW4SX6ymvYxjtcPRZGVeJ3j3fxydiau%2FcLiSZRj1QyOPRUBjWvVC6lBUTyVydXyrwsLXAHKXG2BZINTt6%2B%2B8bQuDsg%2B03y3XBwcrdLUzfcVtgNCE5cuLHa14ov6Uvl12IHh%2Bzq5ggmOp6HC3%2B8GCu7SYLwb5eWa2yMdWPj%2Fis%2BuA6v2M5uzteX3yL7Aw%3D%3D
[2014-03-04 14:58:26,893] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGINc065d79a0f783e6c461d030e4d2720cdb24aed1e"
    Version="2.0"
    IssueInstant="2014-03-04T19:58:26Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost/php-saml/consume.php">
    <saml:Issuer>php-saml</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
[2014-03-04 14:58:26,898] DEBUG {org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator} - Authentication Request Validation is successful..
[2014-03-04 14:58:26,903] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} - CommonApplicationAuthenticationServlet sessionDataKey: a0eef9ff-73cc-4862-87f3-afe17c21c2fc
[2014-03-04 14:58:26,905] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} - The query-string sent by the calling servlet is: SAMLRequest=fVPLbtswELznKwLeZVGyYieEJUB1+jDg2oKt9NAbQ65rARSpcqnG/ftSDzdO0XgvBIazw9kHF8hr1bC8dUe9g58toLu59XGqlUbWX6aktZoZjhUyzWtA5gTb51/XLJ5Q1ljjjDCK/JN2PYsjgnWV0UPa6jEl283H9fbzaiPo7E7OHzg9zO+nMBPJLJJ0SiGR8TymQj7HCQcZwZD5DSx6mZR41VELsYWVRse18zCNkoBOA5qU0QO7u2fx7PvAK0bjHyotK/3jut/ngYTsS1kWQbHdl4NIfq5jaTS2Ndg92F+VgKfdOiVH5xoWhsoIro4GXdgcm6DrTSgG9sQDJOuFFh3Oeu82O/MW4SX6ymvYxjtcPRZGVeJ3j3fxydiau/cLiSZRj1QyOPRUBjWvVC6lBUTyVydXyrwsLXAHKXG2BZINTt6++8bQuDsg+03y3XBwcrdLUzfcVtgNCE5cuLHa14ov6Uvl12IHh+zq5ggmOp6HC3+8GCu7SYLwb5eWa2yMdWPj/is+uA6v2M5uzteX3yL7Aw==&issuer=php-saml&sessionDataKey=77a7f01b-1fd1-4637-a0d8-7ffdb8094163&type=samlsso&commonAuthCallerPath=..%2F..%2Fsamlsso&forceAuthenticate=true
[2014-03-04 14:58:26,908] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} - BasicAuthenticator has set custom status code: 11
[2014-03-04 14:58:30,660] DEBUG {org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator} - User is successfully authenticated.
[2014-03-04 14:58:30,663] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin@carbon.super [-1234]' logged in at [2014-03-04 14:58:30,663-0500]
[2014-03-04 14:58:30,665] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} - Authenticaticated by BasicAuthenticator in single-factor mode
[2014-03-04 14:58:30,666] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} - Sending response back to: ../../samlsso
[2014-03-04 14:58:30,669] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Query string : null
[2014-03-04 14:58:30,672] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Destination validation for Authentication Request failed. Received: [null]. Expected: [https://localhost:9443/samlsso]
As you can see, this is the issue:
[2014-03-04 14:58:30,672] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Destination validation for Authentication Request failed. Received: [null]. Expected: [https://localhost:9443/samlsso]
And in the Identity Server I see this message in the web console:
SAML 2.0 based Single Sign-On Error when processing the authentication request! Please try login again.
UPDATE 1: Searching inside the IS source code, I found this fragment:
if (authnReqDTO.getCertAlias() != null) {
    // Validate 'Destination'
    String idpUrl = IdentityUtil.getProperty(IdentityConstants.ServerConfig.SSO_IDP_URL);
    if (authnReqDTO.getDestination() == null
            || !idpUrl.equals(authnReqDTO.getDestination())) {
        String msg = "Destination validation for Authentication Request failed. " +
                "Received: [" + authnReqDTO.getDestination() + "]." +
                " Expected: [" + idpUrl + "]";
        log.warn(msg);
        return buildErrorResponse(authnReqDTO.getId(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
    }
    // validate the signature
    boolean isSignatureValid = SAMLSSOUtil.validateAuthnRequestSignature(authnReqDTO);
    if (!isSignatureValid) {
        String msg = "Signature validation for Authentication Request failed.";
        log.warn(msg);
        return buildErrorResponse(authnReqDTO.getId(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
    }
}
UPDATE 2: I started to compare the AuthnRequest sent from the PHP app and from the Java app. PHP app:
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN7a1cbb4a8d17af21129b185b43801b84481658f9"
    Version="2.0"
    IssueInstant="2014-03-04T21:09:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost/php-saml/consume.php">
    <saml:Issuer>php-saml</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Java app:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost:8080/travelocity.com/samlsso-home.jsp"
    AttributeConsumingServiceIndex="1701087467"
    Destination="https://localhost:9443/samlsso"
    ForceAuthn="false"
    ID="0"
    IsPassive="true"
    IssueInstant="2014-03-04T21:10:49.696Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">travelocity.com</samlp:Issuer>
    <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer"/>
    <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
As I see it, I need to configure the Destination parameter in my PHP web app.
Answer 1:
Finally I have this scenario working.
In OneLogin's AuthRequest.php file, I changed this fragment of code to include the Destination attribute:
$request = <<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="$id"
    Version="2.0"
    IssueInstant="$issueInstant"
    Destination="{$this->_settings->idpSingleSignOnUrl}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{$this->_settings->spReturnUrl}">
    <saml:Issuer>{$this->_settings->spIssuer}</saml:Issuer>
    <samlp:NameIDPolicy
        Format="{$this->_settings->requestedNameIdFormat}"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
AUTHNREQUEST;
And in the WSO2 IS I checked the Enable Response Signing and Enable Assertion Signing options.
To make it work, I had to uncheck the Enable Signature Validation in Authentication Requests and Logout Requests option, due to this error in the WSO2 IS:
[2014-03-04 19:12:10,914] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Error validating deflate signature
org.opensaml.ws.security.SecurityPolicyException: Could not extract the Signature from query string
at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.getSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:139)
at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.validateSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:63)
at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateDeflateSignature(SAMLSSOUtil.java:625)
at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateAuthnRequestSignature(SAMLSSOUtil.java:578)
at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:108)
at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:301)
at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:102)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:236)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
[2014-03-04 19:12:11,012] WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} - Signature validation for Authentication Request failed.
[2014-03-04 19:12:11,048] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Invalid SAML SSO Request
[2014-03-04 19:12:11,054] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - Error when processing the authentication request!
org.wso2.carbon.identity.base.IdentityException: Invalid SAML SSO Request
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:262)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
[2014-03-04 19:12:31,348] DEBUG {org.wso2.carbon.identity.core.dao.SAMLSSOServiceProviderDAO} - Service Provider php-saml is added successfully.
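The whole thread turns on one check in the WSO2 IS fragment quoted in the question: the IdP decodes the SAMLRequest query parameter (HTTP-Redirect binding: base64 over raw DEFLATE), then requires the AuthnRequest's Destination attribute to be present and exactly equal to its configured SSO URL, which is why a request without Destination is logged as "Received: [null]". The following added example is not from the question, the answer, the OneLogin toolkit or WSO2; it is a self-contained Python model of both sides of that exchange. The request builder mirrors the shape of the answer's heredoc (with Destination optional so the failing and fixed variants come from one function), the validator mirrors the quoted Java check including its log message, and all request IDs, timestamps and URLs are constructed sample values. The only standard library modules used are base64, zlib, xml.etree and xml.sax.saxutils.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# The IdP SSO endpoint WSO2 IS expected in the question's log ("Expected: [https://localhost:9443/samlsso]").
EXPECTED_IDP_URL = "https://localhost:9443/samlsso"


def _attr(value):
    """Escape a constructed value for use inside a double-quoted XML attribute or text node."""
    return escape(value, {'"': "&quot;"})


def build_authn_request(request_id, issue_instant, issuer, acs_url, destination=None):
    """Build a minimal SP-initiated AuthnRequest in the shape of the answer's PHP template.

    destination=None reproduces the request the PHP toolkit originally sent (the failing case);
    passing the IdP SSO URL reproduces the fixed request from the answer.
    """
    destination_attr = f'\n    Destination="{_attr(destination)}"' if destination else ""
    return (
        "<samlp:AuthnRequest\n"
        f'    xmlns:samlp="{SAMLP_NS}"\n'
        f'    xmlns:saml="{SAML_NS}"\n'
        f'    ID="{_attr(request_id)}"\n'
        '    Version="2.0"\n'
        f'    IssueInstant="{_attr(issue_instant)}"{destination_attr}\n'
        '    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
        f'    AssertionConsumerServiceURL="{_attr(acs_url)}">\n'
        f"    <saml:Issuer>{_attr(issuer)}</saml:Issuer>\n"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text):
    """SP side of the HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.

    The return value is the SAMLRequest parameter before URL-encoding; the '%2B', '%2F' and
    '%3D' sequences in the question's query string are that URL-encoding applied to '+', '/' and '='.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """IdP side: base64-decode, then inflate with a raw (header-less) DEFLATE window."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def validate_destination(xml_text, expected_idp_url):
    """Mirror of the WSO2 IS check quoted in the question.

    Destination must be present and compare equal (exact string match, no normalisation) to the
    IdP's configured SSO URL. Returns (ok, message); the failure message follows the IS log line.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, f"Unexpected root element: {root.tag}"
    destination = root.get("Destination")
    if destination is None or destination != expected_idp_url:
        received = "null" if destination is None else destination
        return False, (
            "Destination validation for Authentication Request failed. "
            f"Received: [{received}]. Expected: [{expected_idp_url}]"
        )
    return True, "Destination validation successful"


def check_incoming(saml_request_param, expected_idp_url=EXPECTED_IDP_URL):
    """What the IdP does with the query parameter: decode the binding, then validate Destination."""
    return validate_destination(decode_redirect_binding(saml_request_param), expected_idp_url)


# Constructed samples (IDs and timestamps are made up, not taken from the question's logs).
PHP_REQUEST_BEFORE_FIX = build_authn_request(
    "ONELOGIN_constructed_id_1", "2014-03-04T21:09:14Z",
    "php-saml", "http://localhost/php-saml/consume.php")
PHP_REQUEST_AFTER_FIX = build_authn_request(
    "ONELOGIN_constructed_id_2", "2014-03-04T21:09:14Z",
    "php-saml", "http://localhost/php-saml/consume.php", destination=EXPECTED_IDP_URL)


if __name__ == "__main__":
    for label, request in (("before fix", PHP_REQUEST_BEFORE_FIX), ("after fix", PHP_REQUEST_AFTER_FIX)):
        ok, message = check_incoming(encode_redirect_binding(request))
        print(f"{label}: {'accepted' if ok else 'rejected'} - {message}")
```

Two points worth keeping in mind from the defender's side. First, the comparison is deliberately exact: Destination tells the IdP which endpoint the SP built the request for, so a request carrying some other IdP's URL (or none) is rejected rather than normalised. Second, the Java fragment in the question runs the Destination check only when a certificate alias is configured and immediately follows it with AuthnRequest signature validation; for the Redirect binding that signature travels in separate Signature and SigAlg query parameters, which is what the "Could not extract the Signature from query string" error in the answer's log refers to. Turning that validation off, as the answer does to get unblocked, means the IdP will act on unsigned authentication requests, so it is a setting to revisit once the SP can sign its requests.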
Source: https://stackoverflow.com/questions/22182354/sso-for-php-webapp-with-wso2-identity-server-authentication-request-failed