
OneloginPHPSAMLSdk::processResponse() fails processing encrypted messages

Problem

OneloginPHPSAMLSdk::processResponse() fails processing encrypted messages.

A signed SAML Response that contains a signed SAML Assertion is successfully processed by OneloginPHPSAMLSdk::processResponse().

However, if the same signed SAML Response that contains a signed SAML Assertion is encrypted, then OneloginPHPSAMLSdk::processResponse() fails processing the encrypted SAML Response. In this case decryption is successful, but the XML fails saml-schema-protocol-2.0.xsd validation.

Summary:

Un-encrypted message succeeds:

  • SAML Assertion in the SAML Response message is signed
  • SAML Response message is signed
  • Full signed SAML Response (un-encrypted) is processed by OneloginPHPSAMLSdk::processResponse() successfully

Encrypted message fails:

  • The same full signed SAML Response is encrypted (using the Onelogin online tool) and processed by OneloginPHPSAMLSdk::processResponse()
  • Decryption of the full signed SAML Response is successful
  • OneloginPHPSAMLSdk::processResponse() processing of the decrypted full signed SAML Response fails

Error returned by OneloginPHPSAMLSdk::processResponse() and libxml_get_errors():

invalid_response - Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd - [{"level":2,"code":1871,"column":0,"message":"Element 'Assertion': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:assertion}Assertion, {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion ).\n","file":"/var/www/sso/app/webroot/","line":1}]

The un-encrypted version of this message passes saml-schema-protocol-2.0.xsd validation and is processed successfully.

Below are all of the settings that were used:

x.509 Certs

For testing purposes the Onelogin online Self Signed Cert tool ( https://developers.onelogin.com/saml/online-tools/x509-certs/obtain-self-signed-certs ) was used to generate Service Provider and Identity Provider x509 certificates:

Identity Provider Certs Used

-----BEGIN CERTIFICATE-----
MIIC6DCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCdXMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAoMDU9uZWxvZ2luIFRlc3QxIjAg
BgNVBAMMGXRyaW5ldC1jbG91ZC5vbmVsb2dpbi5jb20xMDAuBgkqhkiG9w0BCQEW
IXN1cHBvcnRAdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTAeFw0xNjEwMzEyMzA4
NTNaFw0xNzEwMjIyMzA4NTNaMIGQMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2Fs
aWZvcm5pYTEWMBQGA1UECgwNT25lbG9naW4gVGVzdDEiMCAGA1UEAwwZdHJpbmV0
LWNsb3VkLm9uZWxvZ2luLmNvbTEwMC4GCSqGSIb3DQEJARYhc3VwcG9ydEB0cmlu
ZXQtY2xvdWQub25lbG9naW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDWKr8qxoBEMEb2PuLFVfeT9fM+OKp6IxlrFkewF6KJvTPlIyJDeY6baJ0lFahV
1zi14q67iqADIk1fRqe9oMq4ZJLHZpeFazUSxiY56+paC9Tf1WGu2HmDUyxWSh+S
g0SdQQfbEKO0189mYBkcHfrHGD/QBcivsK+Su7xhDzCvaQIDAQABo1AwTjAdBgNV
HQ4EFgQUsF7CyLKVc3TUFiRNO9Q6PB90zp4wHwYDVR0jBBgwFoAUsF7CyLKVc3TU
FiRNO9Q6PB90zp4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCNqPea
KS0nlUDDCPJExXp2ovCCiNyGA2lSUOYAoBDg1LZrhE44B/KlzO0g2O4bF2nYquGF
0xfGqf9M3wNsJIybCR/MrZMZE6AQgMLN8+02QjOX2TMavO8TdYXu/kYLUQGWx0bC
UraIIKzE2L7EQR0WLes/hayMx/za9wV4rVMnyA==
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Service Provider Certs Used:

-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Loaded OneloginPHPSAMLSdk settings:

Array
(
    [strict] => 1
    [debug] => 1
    [sp] => Array
        (
            [entityId] => https://sso.serviceprovider.com/metadata
            [assertionConsumerService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/consume
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                )

            [singleLogoutService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/logout
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [NameIDFormat] => urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
            [x509cert] => -----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
            [privateKey] => -----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM2gwR9LonydhnO3
q/9mNzXcDuM9mn6sO6Unoe9Jhnye+jJJsDLIBU7kDTtDUo4wkNyJgaI2CRy3Hfq4
m2wnBvpJCv2wB11cMNXSG+Uc+T8j5k8iLWXzWMPu5Sv7FUhVPmch6MBWXKpqltab
dgXLA70xUu48NtoZehBfQHVTZRJXAgMBAAECgYA1agzAlGUg+cpzRMLpFSRCWWeE
n/wB67uSqzjlb7P/q0xSw9GBX3QBijvlqRdI2FTI9O83s9GqI+cluc6lyX2GDxWs
2Gzkl6Rb7bxWsXZDNRJEipZHAJTuiPDWpZKyA1q4Erc8UeZt/AIljF31yLiYBf+L
bjegYqrtSiHGtq6QAQJBAPHk2/gP1k/E+0DHlosdCZWar+04IPBkj188Q3NCJ7qJ
8pfYgsQmVUqCbdbG+dzF2FtZe884dwUVYMKTeddzNXECQQDZnn5g9pwnO+uecCZs
Iaw+F79+qPmZobE5iKyGPZmJMKyjVkUiDPNniVFzyfYtECsc1onMOdYsSIlHwebn
5UBHAkEArHiJfq2MGQRSQTYN2NKzasAIgBNtKPoKX9UQIrYgrZh+KFZvpnvOhHnK
50CoFwnZ4ghDhtSzyCQeAZ41WbEDgQJAMc/Gi7lHCu/7QbvX/55Bh8D10y8oWtMY
9tti6iNFdpKOoaCImH+wYz2aSE+tKqltxN8SkY2XiXFdAvDOQrxF1wJAFrzpMLQs
rqOZKRf9uakwDscTwwYauzPfrcikiN9Qd8MA64xG9Z3RUxOq2UkDLZSSKzYMEKMk
Te3+629HzIPTjg==
-----END PRIVATE KEY-----
        )

    [idp] => Array
        (
            [entityId] => https://app.onelogin.com/saml/metadata/123456
            [singleSignOnService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-post/sso/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [singleLogoutService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-redirect/slo/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [x509cert] => -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
        )

    [compress] => Array
        (
            [requests] => 1
            [responses] => 1
        )

    [security] => Array
        (
            [wantMessagesSigned] => 1
            [wantAssertionsEncrypted] => 1
            [wantAssertionsSigned] => 1
            [wantNameId] => 1
            [signatureAlgorithm] => http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        )

    [contactPerson] => Array
        (
            [technical] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

            [support] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

        )

    [organization] => Array
        (
            [en-US] => Array
                (
                    [name] => Service Provider
                    [displayname] => Service Provider
                    [url] => https://serviceprovider.com
                )

        )

)

Signed SAML Response that contains the signed SAML Assertion that was used (successfully processed by OneloginPHPSAMLSdk::processResponse()):

Signed using https://developers.onelogin.com/saml/online-tools/sign/response with the above certs.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxa414281f-8c20-d4b9-6cd5-f713aca895e9" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfxa414281f-8c20-d4b9-6cd5-f713aca895e9"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>OH53i4NTaUj8M29kPGDQEZimvGE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>edMuHtgqaRJiAGBUdGCSJiWxQ2CDXi3THKotbgkDhU1uMrD3vxRnopFlaUGFW/3GCt9Q9CScMmkamS2s6JZqo0iGuuzsaIl7NPhM502iHp6BIjinrGARtjOjfamLahVrIGBggvgNbbfzwPKSNCf+T9PNtnWNBwKVNIIHZeNNJ3I=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca" Version="2.0" IssueInstant="2020-06-17T14:54:14Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hRtng2jDhJfDGYAkp6W89Ei96Jc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>fgNDg7BAHZgqtA67png8JVeAciUt9Bfopf/UaFvTN+vOpeK/NsCh6YQ06RBqDOGKpA7X9SiK4olXy8wqUV2wNguP77Q/48DoYoWoG8InlzL2nEFg7tjp5Fp60Ywc+zmiFPD9Xahhvjpo8QVHQbbPAnJFKMa3SFP5zS905BXOOUY=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://sso.serviceprovider.com/metadata" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@testmail.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2040-06-17T14:59:14Z" Recipient="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-06-17T14:53:44Z" NotOnOrAfter="2040-06-17T14:59:14Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.serviceprovider.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-06-17T14:54:07Z" SessionNotOnOrAfter="2040-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@testmail.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Norin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Radd</saml:AttributeValue>
      </saml:Attribute>           
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Encrypted signed SAML Response that contains the signed SAML Assertion that was used (caused OneloginPHPSAMLSdk::processResponse() to fail):

Encrypted using https://developers.onelogin.com/saml/online-tools/encrypt-decrypt/encrypt-xml with the Service Provider public key.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx5f2c7a86-1714-916f-551a-07250ddd4edd" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx5f2c7a86-1714-916f-551a-07250ddd4edd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>72IRpA9rPgadwFJ2UTi8nGQI/tM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>buqEO/5rw/XqX8TLQ6FmejlxzdN6+DTlK+jRprQnCKOdq4vcykex5lsq1zfLS+SRfU8MYdmBbKSll04u737aMnLCvc1552MXeG55z8JtSVzfaUmNAyfl+QQDLeBSGipMTQm2Wya4VSNYt/SbDkJ1EgRNIla8VXjr3JYgbqh2RfI=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>ke/VijNVVwAgMIRK3jz6jQ/fBMKsVOzbIKtrtoP7bQCm2iZi1UHtZ5rZzdSJgpYP8EEHddqxdv51RCQheBuCpfFjI1GRlk18sbxUkvAQ0qxV45AdBcUecvHRsRFBOl3G9QGEHr3aYD1QqQx+1CBiA+t2RYHKVaJdlX+sVRFBR/Q=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>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</xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>

When you have a valid SAMLResponse that contains a signature for the whole message, and you encrypt the Assertion element, you modify the XML, so the signature validation will fail.

If you want to generate an encrypted unsigned assertion on a signed whole message, the process is:

  1. Encrypt the assertion.
  2. Sign the whole message.

An alternative valid SAMLResponse with an encrypted assertion element is the one where the signature is on the decrypted assertion. In order to generate that:

  1. Sign the assertion.
  2. Encrypt the assertion.
  3. (Optional) You can also sign the whole message.
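The two orderings above, carried out end to end with php-saml's own dependency stack, as an added example that is not part of the original question or answer and is not code from php-saml or xmlseclibs. It builds the three-step order from the answer (sign assertion, encrypt assertion, sign message), runs the SP-side checks on it, and then repeats the order described in the question (sign the whole message, then encrypt the Assertion) to show the Response signature failing. Assumptions: a composer install of onelogin/php-saml 3.x (which brings in robrichards/xmlseclibs), four PEM files named idp.key, idp.crt, sp.key and sp.crt next to the script (any self-signed pair will do, including the ones posted above), and a constructed, trimmed Response document; the function names and file names are this example's own.

```php
<?php
// Added example, not code from the original post, php-saml or xmlseclibs. Assumes
// composer autoload with onelogin/php-saml 3.x (pulls in robrichards/xmlseclibs)
// and PEM files idp.key, idp.crt, sp.key, sp.crt beside the script (assumed names).
require __DIR__ . '/vendor/autoload.php';
use OneLogin\Saml2\Utils;
use RobRichards\XMLSecLibs\XMLSecEnc;
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

const NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion';
const NS_XENC = 'http://www.w3.org/2001/04/xmlenc#';

// Enveloped XML-DSig over one element; ds:Signature goes right after its
// saml:Issuer, the layout php-saml's Utils::addSign produces for a root element.
function signElement(DOMElement $node, string $pemKey, string $pemCert): void
{
    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReference($node, XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'ID', 'overwrite' => false]);   // Reference URI="#<existing ID>"
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($pemKey);
    $dsig->sign($key);
    $dsig->add509Cert($pemCert);
    $issuer = $node->getElementsByTagNameNS(NS_SAML, 'Issuer')->item(0);
    $dsig->insertSignature($node, $issuer->nextSibling);
}

// Swap <saml:Assertion> for <saml:EncryptedAssertion><xenc:EncryptedData/>:
// AES-256-CBC session key, wrapped with RSA-OAEP to the SP certificate.
function encryptAssertion(DOMElement $assertion, string $spPemCert): void
{
    // xmlseclibs serialises only this subtree, so bind the prefix on the Assertion
    // itself; otherwise the plaintext inside the ciphertext has no xmlns:saml.
    // Safe after signing: exclusive C14N emits the declaration here either way.
    $assertion->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml', NS_SAML);
    $parent  = $assertion->parentNode;
    $session = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
    $session->generateSessionKey();
    $spPub = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'public']);
    $spPub->loadKey($spPemCert, false, true);
    $enc = new XMLSecEnc();
    $enc->setNode($assertion);
    $enc->type = XMLSecEnc::Element;
    $enc->encryptKey($spPub, $session);   // xenc:EncryptedKey inside ds:KeyInfo
    $enc->encryptNode($session);          // replaces the Assertion in place
    $encData = $parent->getElementsByTagNameNS(NS_XENC, 'EncryptedData')->item(0);
    $wrapper = $parent->ownerDocument->createElementNS(NS_SAML, 'saml:EncryptedAssertion');
    $parent->replaceChild($wrapper, $encData);
    $wrapper->appendChild($encData);
}

// Utils::validateSign returns false for a bad SignatureValue, but xmlseclibs
// throws when a Reference digest no longer matches; both mean "invalid".
function signatureValid(DOMDocument $doc, string $pemCert): bool
{
    try { return Utils::validateSign($doc, $pemCert); }
    catch (Exception $e) { return false; }
}

// SP side: verify the message signature, decrypt, verify the assertion signature.
function spProcess(DOMDocument $doc, string $spPemKey, string $idpPemCert): array
{
    $outer   = signatureValid($doc, $idpPemCert);
    $encData = $doc->getElementsByTagNameNS(NS_XENC, 'EncryptedData')->item(0);
    $spPriv  = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'private']);
    $spPriv->loadKey($spPemKey);
    // formatOutput=false: re-indenting the plaintext would change its digests
    $assertion = Utils::decryptElement($encData, $spPriv, false);
    return ['response_sig'  => $outer,
            'assertion_sig' => signatureValid($assertion->ownerDocument, $idpPemCert)];
}

$idpKey  = file_get_contents(__DIR__ . '/idp.key');
$idpCert = file_get_contents(__DIR__ . '/idp.crt');
$spKey   = file_get_contents(__DIR__ . '/sp.key');
$spCert  = file_get_contents(__DIR__ . '/sp.crt');
// Constructed Response; attributes trimmed to what the demonstration needs.
$plain = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-17T14:54:07Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
    <saml:Subject><saml:NameID>test@testmail.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
XML;

// Order from the answer: sign assertion -> encrypt assertion -> sign message.
$good = new DOMDocument();
$good->loadXML($plain);
signElement($good->getElementsByTagNameNS(NS_SAML, 'Assertion')->item(0), $idpKey, $idpCert);
encryptAssertion($good->getElementsByTagNameNS(NS_SAML, 'Assertion')->item(0), $spCert);
signElement($good->documentElement, $idpKey, $idpCert);
var_dump(spProcess($good, $spKey, $idpCert));   // response_sig and assertion_sig both true

// Order from the question: sign message -> encrypt assertion. The Response's
// Reference digested the plaintext Assertion, which has since been replaced.
$bad = new DOMDocument();
$bad->loadXML($plain);
signElement($bad->documentElement, $idpKey, $idpCert);
encryptAssertion($bad->getElementsByTagNameNS(NS_SAML, 'Assertion')->item(0), $spCert);
var_dump(signatureValid($bad, $idpCert));        // false
```

The outer signature's Reference covers everything under samlp:Response except the ds:Signature element itself, so the digest must be computed after the Assertion has already been turned into an EncryptedAssertion; that is all the answer's ordering enforces. Two details worth noting from the example. First, the posted encrypted Response uses rsa-1_5 key transport and tripledes-cbc (the online tool's choice); the example picks RSA-OAEP and AES-256-CBC from the same xmlseclibs key types, PKCS#1 v1.5 key transport being the older option. Second, the libxml error quoted in the question reports the element as 'Assertion' while the schema expects {urn:oasis:names:tc:SAML:2.0:assertion}Assertion, which is consistent with a decrypted Assertion that was serialised without its xmlns:saml declaration; declaring the prefix on the Assertion before encrypting, as encryptAssertion() does, keeps the plaintext a well-formed, namespaced fragment on its own, whichever signing order is used.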
