Hard time with SAML and Identity Provider (IdP)
I'm not sure how to state this question since I don't know exactly what the problem is.
There is a third party company that functions as the SP of an SSO structure.
They have little documentation on setting up an IdP to make SSO work with them, and I have never done anything like this before.
I set up a certificate that I'm using to generate the digital signature for the SAML, and uploaded the very same key to this company's website so that they can understand the response from my IdP.
When I send the SAML response to them though, I'm getting a generic error saying that the SSO response was invalid. Looking at their documentation, the description for this error is:

We were unable to validate the SAML response. This can be caused by an invalid digital signature, possibly due to non-matching public/private keys between the IdP and SP. It can also be caused by an invalid Audience or Valid Time Window (NotBefore and NotOnOrAfter) specified in the response.

What I'm more concerned about is the "invalid digital signature", because looking at the SAML response I'm sending, the audience is what they require it to be, the time window is fine, and I'm sure I'm using the same key for generating the SAML and also for the one I sent them.
I might be wrong about a bunch of things, but my question is, how do I make sure my digital signature is valid and properly formatted and formed?
If you are a SAML expert, see if my SAML looks reasonable:
Tried to post SAML here, didn't work, but if you think that looking at it would be useful let me know.
I'm using WIF to generate the SAML, and I was wondering if the digest and signature algorithms would affect this error.
Well, any help and thoughts are welcome!
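An added local check, not code from the question or from the SP, written for .NET since the asker generates the SAML with WIF: it loads a saved Response, verifies every enveloped ds:Signature against the exact certificate that was uploaded to the SP, prints the signature and digest algorithms in use, and prints the Audience and NotBefore/NotOnOrAfter so each cause named in the SP's error can be ruled out in turn. The file names response.xml and idp-signing.cer are assumed placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Checks a SAML 2.0 Response the way an SP would before trusting it.
static class SamlResponseCheck
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns true only if at least one ds:Signature exists and all of them
    // verify with the given certificate's public key.
    public static bool SignatureVerifies(string responseXml, X509Certificate2 idpCert)
    {
        // PreserveWhitespace matters: canonicalization hashes the exact bytes.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsNs);
        var sigs = doc.SelectNodes("//ds:Signature", ns); // Response and/or Assertion may be signed
        if (sigs == null || sigs.Count == 0) return false; // unsigned is a failure, not a pass
        foreach (XmlElement sig in sigs)
        {
            var signed = new SignedXml(doc);
            signed.LoadXml(sig);
            Console.WriteLine($"SignatureMethod: {signed.SignatureMethod}");
            foreach (Reference r in signed.SignedInfo.References)
                Console.WriteLine($"  Reference '{r.Uri}' DigestMethod: {r.DigestMethod}");
            // verifySignatureOnly: true asks "does this key match?" without chain building.
            if (!signed.CheckSignature(idpCert, verifySignatureOnly: true)) return false;
        }
        return true;
    }

    // Prints the values the SP compares: Audience and the validity window.
    public static void PrintConditions(string responseXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        if (!(doc.SelectSingleNode("//saml:Conditions", ns) is XmlElement cond)) { Console.WriteLine("No saml:Conditions"); return; }
        Console.WriteLine($"Audience: {cond.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns)?.InnerText}");
        Console.WriteLine($"NotBefore: {cond.GetAttribute("NotBefore")}  NotOnOrAfter: {cond.GetAttribute("NotOnOrAfter")}  Now: {DateTime.UtcNow:o}");
    }

    static void Main()
    {
        string xml = File.ReadAllText("response.xml");              // placeholder: saved Response
        var cert = new X509Certificate2("idp-signing.cer");          // placeholder: cert uploaded to SP
        PrintConditions(xml);
        Console.WriteLine(SignatureVerifies(xml, cert) ? "Signature OK" : "Signature INVALID");
    }
}
```

If this passes locally but the SP still rejects the response, the remaining suspects are clock skew against the SP's clock and an algorithm (for example the SignatureMethod printed above) the SP does not accept.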
Shouldn't you be using the SP's public key to encrypt the information you send to the SP?