Java: Single Sign On (SSO) using SAML with Spring Security

Disclaimer: this page is a translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 licence. If you reuse it you must do so under the same licence, cite the original address and author information, and attribute it to the original authors (not me). Stack Overflow original: http://stackoverflow.com/questions/28436434/

Date: 2020-11-02 13:35:37  Source: igfitidea

Single Sign On (SSO) using SAML with Spring Security

Tags: java, spring, spring-mvc, single-sign-on, spring-saml

Asked by

I have done my 2 projects (i.e. web portals) using Spring MVC + Hibernate with Java, MySQL as DB and Apache as server. Now my requirement is to get SSO (Single Sign On) for these two portals. I previously posted about this but only one person responded. Again I googled and got the SAML extension. I got some samples at https://github.com/spring-projects/spring-security-saml and followed https://docs.secureauth.com/display/docs/Spring+Security+Instructions to get SSO for my portals.


I have integrated only one portal so far, with the procedure given in the above link. In the process described in the above link I didn't understand secureAuth20.xml and Post auth.


But I am stuck getting the following error on the web page when I run it on the server. ERROR:


Error


An error occurred. Message: Metadata for entity localhost and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found StackTrace:


org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for entity http://localhost:6060/AxisCustomer/ and role {urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor wasn't found


In the console of my STS:


  • Refreshing Root WebApplicationContext: startup date [Wed Feb 11 14:10:34 IST 2015]; root of context hierarchy
  • Loading XML bean definitions from ServletContext resource [/WEB-INF/securityContext.xml]

securityContext.xml


    <?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                               http://www.springframework.org/schema/security
                               http://www.springframework.org/schema/security/spring-security-3.1.xsd
                               http://www.springframework.org/schema/context
                               http://www.springframework.org/schema/context/spring-context-3.1.xsd">

        <!-- Enable auto-wiring -->
        <context:annotation-config/>

        <!-- Scan for auto-wiring classes in spring saml packages -->
        <context:component-scan base-package="org.springframework.security.saml"/>

        <!-- Unsecured pages -->
        <security:http security="none" pattern="/favicon.ico"/>
        <security:http security="none" pattern="/images/**"/>
        <security:http security="none" pattern="/css/**"/>
        <security:http security="none" pattern="/logout.jsp"/>

        <!-- Security for the administration UI -->
        <security:http pattern="/saml/web/**" access-denied-page="/saml/web/metadata/login">
            <security:form-login login-processing-url="/saml/web/login"
                                 login-page="/saml/web/metadata/login"
                                 default-target-url="/saml/web/metadata"/>
            <security:intercept-url pattern="/saml/web/metadata/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>
            <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        </security:http>

        <!-- Secured pages with SAML as entry point -->
        <security:http entry-point-ref="samlEntryPoint">
            <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
            <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
            <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
        </security:http>

        <!-- Filters for processing of SAML messages -->
        <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
            <security:filter-chain-map request-matcher="ant">
                <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
                <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
                <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
                <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
                <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
                <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
                <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
            </security:filter-chain-map>
        </bean>

        <!-- Handler deciding where to redirect user after successful login -->
        <bean id="successRedirectHandler"
              class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
            <property name="defaultTargetUrl" value="/"/>
        </bean>

        <!-- Handler deciding where to redirect user after failed login -->
        <bean id="failureRedirectHandler"
              class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <property name="useForward" value="true"/>
            <property name="defaultFailureUrl" value="/error.jsp"/>
        </bean>

        <!-- Handler for successful logout -->
        <bean id="successLogoutHandler"
              class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
            <property name="defaultTargetUrl" value="/logout.jsp"/>
        </bean>

        <security:authentication-manager alias="authenticationManager">
            <!-- Register authentication manager for SAML provider -->
            <security:authentication-provider ref="samlAuthenticationProvider"/>
            <!-- Register authentication manager for administration UI
                 (the sample's in-memory admin/admin account; change it before exposing /saml/web) -->
            <security:authentication-provider>
                <security:user-service id="adminInterfaceService">
                    <security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>

        <!-- Logger for SAML messages and events -->
        <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>

        <!-- Central storage of cryptographic keys (keystore, password and alias are the Spring SAML sample's) -->
        <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
            <constructor-arg value="classpath:security/samlKeystore.jks"/>
            <constructor-arg type="java.lang.String" value="nalle123"/>
            <constructor-arg>
                <map>
                    <entry key="apollo" value="nalle123"/>
                </map>
            </constructor-arg>
            <constructor-arg type="java.lang.String" value="apollo"/>
        </bean>

        <!-- Entry point to initialize authentication, default values taken from properties file -->
        <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
            <property name="defaultProfileOptions">
                <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                    <property name="includeScoping" value="false"/>
                </bean>
            </property>
        </bean>

        <!-- IDP Discovery Service -->
        <bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
            <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/>
        </bean>

        <!-- Filter automatically generates default SP metadata -->
        <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
            <constructor-arg>
                <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                    <property name="extendedMetadata">
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                            <property name="idpDiscoveryEnabled" value="true"/>
                        </bean>
                    </property>
                </bean>
            </constructor-arg>
        </bean>

        <!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
        <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>

        <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
        <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
            <constructor-arg>
                <list>
                    <!-- IDP metadata -->
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer"/>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/idp.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                    <!-- SP metadata -->
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                        <constructor-arg>
                            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                                <constructor-arg>
                                    <bean class="java.util.Timer"/>
                                </constructor-arg>
                                <constructor-arg>
                                    <bean class="org.opensaml.util.resource.ClasspathResource">
                                        <constructor-arg value="/metadata/localhost_sp.xml"/>
                                    </bean>
                                </constructor-arg>
                                <property name="parserPool" ref="parserPool"/>
                            </bean>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                                <property name="local" value="true"/>
                                <property name="alias" value="localhost"/>
                                <property name="securityProfile" value="metaiop"/>
                                <property name="sslSecurityProfile" value="metaiop"/>
                                <!-- allowAll disables TLS hostname verification towards the IdP; only acceptable for local testing -->
                                <property name="sslHostnameVerification" value="allowAll"/>
                                <property name="signMetadata" value="true"/>
                                <property name="signingKey" value="apollo"/>
                                <property name="encryptionKey" value="apollo"/>
                                <!-- with these set to false, unsigned logout and artifact-resolve messages are accepted -->
                                <property name="requireArtifactResolveSigned" value="false"/>
                                <property name="requireLogoutRequestSigned" value="false"/>
                                <property name="requireLogoutResponseSigned" value="false"/>
                                <property name="idpDiscoveryEnabled" value="false"/>
                            </bean>
                        </constructor-arg>
                    </bean>
                </list>
            </constructor-arg>
            <!-- OPTIONAL used when one of the metadata files contains information about this service provider -->
            <property name="hostedSPName" value="localhost"/>
            <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
            <property name="defaultIDP" value="http://localhost:6060/AxisCustomer/"/>
        </bean>

        <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
            <!-- OPTIONAL property: can be used to store/load user data after login -->
            <!--
            <property name="userDetails" ref="bean" />
            -->
        </bean>

        <!-- Provider of default SAML Context -->
        <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>

        <!-- Processing filter for WebSSO profile messages -->
        <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
            <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
        </bean>

        <!-- Processing filter for WebSSO Holder-of-Key profile -->
        <bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
            <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
        </bean>

        <!-- Logout handler terminating local session -->
        <bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
            <property name="invalidateHttpSession" value="false"/>
        </bean>

        <!-- Override default logout processing filter with the one processing SAML messages -->
        <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
            <constructor-arg index="0" ref="successLogoutHandler"/>
            <constructor-arg index="1" ref="logoutHandler"/>
            <constructor-arg index="2" ref="logoutHandler"/>
        </bean>

        <!-- Filter processing incoming logout messages -->
        <!-- First argument determines URL user will be redirected to after successful global logout -->
        <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
            <constructor-arg index="0" ref="successLogoutHandler"/>
            <constructor-arg index="1" ref="logoutHandler"/>
        </bean>

        <!-- Class loading incoming SAML messages from httpRequest stream -->
        <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
            <constructor-arg>
                <list>
                    <ref bean="redirectBinding"/>
                    <ref bean="postBinding"/>
                    <ref bean="artifactBinding"/>
                    <ref bean="soapBinding"/>
                    <ref bean="paosBinding"/>
                </list>
            </constructor-arg>
        </bean>

        <!-- SAML 2.0 WebSSO Assertion Consumer -->
        <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

        <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
        <bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

        <!-- SAML 2.0 Web SSO profile -->
        <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

        <!-- SAML 2.0 Holder-of-Key Web SSO profile -->
        <bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

        <!-- SAML 2.0 ECP profile -->
        <bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

        <!-- SAML 2.0 Logout Profile -->
        <bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

        <bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
            <constructor-arg ref="parserPool"/>
            <constructor-arg ref="velocityEngine"/>
        </bean>

        <bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
            <constructor-arg ref="parserPool"/>
        </bean>

        <bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
            <constructor-arg ref="parserPool"/>
            <constructor-arg ref="velocityEngine"/>
            <constructor-arg>
                <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
                    <constructor-arg>
                        <bean class="org.apache.commons.httpclient.HttpClient">
                            <constructor-arg>
                                <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                            </constructor-arg>
                        </bean>
                    </constructor-arg>
                    <property name="processor">
                        <bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                            <constructor-arg ref="soapBinding"/>
                        </bean>
                    </property>
                </bean>
            </constructor-arg>
        </bean>

        <bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
            <constructor-arg ref="parserPool"/>
        </bean>

        <bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
            <constructor-arg ref="parserPool"/>
        </bean>

        <!-- Initialization of OpenSAML library -->
        <bean class="org.springframework.security.saml.SAMLBootstrap"/>

        <!-- Initialization of the velocity engine -->
        <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

        <!-- XML parser pool needed for OpenSAML parsing -->
        <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
            <property name="builderFeatures">
                <map>
                    <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
                </map>
            </property>
        </bean>

        <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
    </beans>

idp.xml


    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="http://localhost:6060/AxisCustomer/"
                      xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <IDPSSODescriptor WantAuthnRequestsSigned="true"
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <!-- OpenSSO's bundled demo certificate (CN=test, O=Sun, OU=OpenSSO, 1024-bit RSA);
                 a real deployment must carry the IdP's actual signing certificate here -->
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <ArtifactResolutionService index="0" isDefault="true"
                                       Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                       Location="http://localhost:8080/opensso/ArtifactResolver/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                 Location="http://localhost:8080/opensso/IDPSloRedirect/metaAlias/idp"
                                 ResponseLocation="http://localhost:8080/opensso/IDPSloRedirect/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://localhost:8080/opensso/IDPSloPOST/metaAlias/idp"
                                 ResponseLocation="http://localhost:8080/opensso/IDPSloPOST/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                 Location="http://localhost:8080/opensso/IDPSloSoap/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                 Location="http://localhost:8080/opensso/IDPMniRedirect/metaAlias/idp"
                                 ResponseLocation="http://localhost:8080/opensso/IDPMniRedirect/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://localhost:8080/opensso/IDPMniPOST/metaAlias/idp"
                                 ResponseLocation="http://localhost:8080/opensso/IDPMniPOST/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                 Location="http://localhost:8080/opensso/IDPMniSoap/metaAlias/idp"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                 Location="http://localhost:8080/opensso/SSORedirect/metaAlias/idp"/>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                 Location="http://localhost:8080/opensso/SSOSoap/metaAlias/idp"/>
            <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                  Location="http://localhost:8080/opensso/NIMSoap/metaAlias/idp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                       Location="http://localhost:8080/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
                                       Location="http://localhost:8080/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
        </IDPSSODescriptor>
    </EntityDescriptor>

localhost_sp.xml (downloaded entity)


    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="localhost" entityID="localhost">
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#localhost">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>AvF5jq5CC2Hj8GIoGUZ5DYcVcoE=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
    Jfn6P9Hqp/SKHOQE5MCrjY4Fp7kbJsSZOafCVS5beBVOuyCvSyTyrMFD5Xx5x0qw6TZSQuG9OFZPEC
    T4Sv9fU5cPTQIrxNv7jx88ie8GCjllypaYIaGPn3YxY819aiilGL/1x4TgSkWsVJUIH8i1iBjYIPnU6rXr0uEO1J
    nft2T6uz8tUc01QCliscnNsOhU0ffYcjRApI3tzZxgjR8A5vSDJHphbOScizRIyXVD8sZfW1d0shtVkFjVYjl6ek4H
    9Znlb7J0iHUqT3dqwaB+Y6IMFM8zA+aQGHVoT36UVyTuifq7IDqGZzQVPYEmOl1jy/3dYeLIcPiGCW+rgmhZ1w==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
    MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDV
    QQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua
    2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9s
    bG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEyODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECB
    MHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1
    UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
    QCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
    yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
    rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7KqxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMe
    QClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pONUUmu1qVtU1quQozSTPD8HvsDqGG19v2+/
    N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAY
    Ujso1VwjDc2kypK/RRcB8bMAUUIG0hLGL82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2ml
    BztXqQ49zRvi5qWNRttir6eyqwRFGOM6A8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/
    2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBuRogWgPONNSACiW+Z5o8UdAOqNMZQozD/
    i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
    bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <!-- The opening SPSSODescriptor tag and the signing KeyDescriptor did not survive the extraction of
             this page and are restored here from the closing tags that did. The descriptor's own attributes
             are not recoverable, so only the mandatory protocolSupportEnumeration is given; the signing
             certificate is the same "apollo" certificate as the encryption one, as signingKey and
             encryptionKey in the ExtendedMetadata above both name that alias. -->
        <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDV
    QQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua
    2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9s
    bG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEyODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECB
    MHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1
    UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
    QCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
    yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
    rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7KqxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMe
    QClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pONUUmu1qVtU1quQozSTPD8HvsDqGG19v2+/
    N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAY
    Ujso1VwjDc2kypK/RRcB8bMAUUIG0hLGL82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2ml
    BztXqQ49zRvi5qWNRttir6eyqwRFGOM6A8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/
    2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBuRogWgPONNSACiW+Z5o8UdAOqNMZQozD/
    i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
    bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:KeyDescriptor use="encryption">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDV
    QQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua
    2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9s
    bG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEyODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECB
    MHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1
    UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
    QCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/
    yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/
    rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7KqxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMe
    QClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pONUUmu1qVtU1quQozSTPD8HvsDqGG19v2+/
    N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAY
    Ujso1VwjDc2kypK/RRcB8bMAUUIG0hLGL82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2ml
    BztXqQ49zRvi5qWNRttir6eyqwRFGOM6A8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/
    2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBuRogWgPONNSACiW+Z5o8UdAOqNMZQozD/
    i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
    bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                    Location="http://localhost/saml/SingleLogout/alias/localhost"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                    Location="http://localhost/saml/SingleLogout/alias/localhost"/>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                         Location="http://localhost/saml/SSO/alias/localhost"
                                         index="0" isDefault="true"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>

Please give your suggestions to resolve this.


Thanks in Advance


Answered by Vladimír Schäfer

The error means that Spring SAML has received a SAML message issued by IDP with entity ID "http://localhost:6060/AxisCustomer/", but it can't find any such entity in your available metadata. Make sure that your metadata bean contains an entity with this ID. Or just attach all your metadata documents and I can have a look.


I suggest you use the following metadata definition:


<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class=
        "org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- IDP metadata -->
            <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                    <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.opensaml.util.resource.ClasspathResource">
                        <constructor-arg value="/metadata/idp.xml"/>
                    </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            <!-- SP metadata -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer"/>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/localhost_sp.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>
                        <property name="alias" value="localhost"/>
                        <property name="securityProfile" value="metaiop"/>
                        <property name="sslSecurityProfile" value="metaiop"/>
                        <property name="sslHostnameVerification" value="allowAll"/>
                        <property name="signMetadata" value="true"/>
                        <property name="signingKey" value="apollo"/>
                        <property name="encryptionKey" value="apollo"/>
                        <property name="requireArtifactResolveSigned" value="false"/>
                        <property name="requireLogoutRequestSigned" value="false"/>
                        <property name="requireLogoutResponseSigned" value="false"/>
                        <property name="idpDiscoveryEnabled" value="false"/>
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
    <!-- OPTIONAL used when one of the metadata files contains
    information about this service provider -->
    <property name="hostedSPName" value="localhost"/>
    <!-- OPTIONAL property: can tell the system which IDP should be used
     for authenticating user by default. -->
    <property name="defaultIDP" value="http://localhost:6060/AxisCustomer/"/>
</bean>

Make sure that the referenced idp.xml file is in /metadata/idp.xml in your project (you should already have a file named localhost_sp.xml there) and that the entity ID in your idp.xml is http://localhost:6060/AxisCustomer/.

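An offline pre-flight check for the lookup the answer describes, as an added example that is not part of the post and not Spring SAML code. It parses the metadata documents the way `CachingMetadataManager` ends up resolving them, entityID to role descriptors, and reports the condition behind "Metadata for entity ... and role ... wasn't found" before the filter chain ever runs: `defaultIDP` must match exactly an entityID that carries an `IDPSSODescriptor`, and `hostedSPName` one that carries an `SPSSODescriptor`. The two metadata strings are constructed samples that reuse the entityIDs and endpoints from the post, with certificates and signatures left out; the near-miss hint (a missing trailing slash, a case difference) is an addition of this example.

```python
"""Offline pre-flight check for the Spring SAML metadata lookup error.

Added example, not code from the Stack Overflow post or from Spring SAML.
It builds the same entityID -> role-descriptor view that the metadata
manager uses and reports, before the filter chain runs, the condition
behind "Metadata for entity <id> and role {...}IDPSSODescriptor wasn't
found". The metadata strings are constructed samples that reuse the
entityIDs and endpoints from the post, with certificates left out.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = "{%s}EntityDescriptor" % MD_NS
IDP_ROLE = "{%s}IDPSSODescriptor" % MD_NS   # Clark notation, exactly as the exception prints it
SP_ROLE = "{%s}SPSSODescriptor" % MD_NS

# Constructed sample: what idp.xml declares (certificate omitted).
IDP_XML = """<EntityDescriptor entityID="http://localhost:6060/AxisCustomer/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/opensso/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: what localhost_sp.xml declares for alias "localhost".
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="localhost" entityID="localhost">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost/saml/SSO/alias/localhost" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_roles(roots):
    """Map entityID -> set of role-descriptor tags across parsed metadata documents.

    Accepts a bare EntityDescriptor or an EntitiesDescriptor wrapping several.
    """
    roles = {}
    for root in roots:
        entities = [root] if root.tag == ENTITY else root.iter(ENTITY)
        for entity in entities:
            found = roles.setdefault(entity.get("entityID"), set())
            for child in entity:
                if child.tag.endswith("SSODescriptor"):
                    found.add(child.tag)
    return roles


def check_config(documents, default_idp, hosted_sp):
    """Return the problems the metadata manager would hit for this configuration.

    documents   -- metadata XML strings, in provider-list order
    default_idp -- the defaultIDP value from securityContext.xml
    hosted_sp   -- the hostedSPName value (must equal the SP's entityID)
    Messages are phrased like the exception in the post so they can be matched
    against the server log; an empty list means both lookups succeed.
    """
    problems, roots = [], []
    for xml in documents:
        try:
            roots.append(ET.fromstring(xml))
        except ET.ParseError as exc:
            # An unparseable file contributes no entities, so every lookup
            # against it fails later with the misleading "wasn't found" error.
            problems.append("metadata document could not be parsed: %s" % exc)
    roles = load_roles(roots)
    for entity, role in ((default_idp, IDP_ROLE), (hosted_sp, SP_ROLE)):
        if role in roles.get(entity, set()):
            continue
        msg = "Metadata for entity %s and role %s wasn't found" % (entity, role)
        # The entityID comparison is an exact string match: a missing trailing
        # slash or a case difference is the usual cause, so point at near-identical IDs.
        near = [e for e in roles
                if e and e != entity and e.rstrip("/").lower() == entity.rstrip("/").lower()]
        if near:
            msg += " (did you mean %s?)" % ", ".join(sorted(near))
        problems.append(msg)
    return problems


if __name__ == "__main__":
    # Matching configuration: nothing to report.
    print(check_config([IDP_XML, SP_XML], "http://localhost:6060/AxisCustomer/", "localhost"))
    # defaultIDP typed without the trailing slash that the IdP's entityID carries.
    for problem in check_config([IDP_XML, SP_XML], "http://localhost:6060/AxisCustomer", "localhost"):
        print(problem)
```

To run it against a real deployment, read `idp.xml` and `localhost_sp.xml` from the classpath directory into the `documents` list and pass the `defaultIDP` and `hostedSPName` values from `securityContext.xml`; anything it prints is what the filter chain would throw at the first SSO request.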

Answered by animo3991

I was also facing this issue with my Java 8 and Tomcat 8 setup. Upon checking I found out that I was missing a jar in the Tomcat libs folder, "bcprov-jdk16-1.46.jar". Upon adding this jar, I didn't get this error any more.
