我正在接触所有这些安全问题,我无法使用WSO2 Carbon Server和公司软件(CS)配置SSO .
我已经使用自己的密钥库和信任库设置了WSO2,它具有客户端的自签名证书,启用了响应签名和断言加密
我使用WSO2 Server Samlsso URL和客户端证书构建了一个metadaIDP XML文件 .
我已经附加了CS的客户端密钥库和IDPmetadata.xml以与WSO2服务器通信 .
当我将登录凭据用于访问应用程序时,WSO2将设置的回调URL发布到允许登录时附加客户端证书的authenticathion,但公司软件将其视为不受信任,并且他们启动无限循环的身份验证请求 - 响应 .
任何想法或帮助请?
IDP Metadata File:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" >
<md:EntityDescriptor entityID="https://localhost:9443/samlsso">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">">
<ds:X509Data>
<ds:X509Certificate>
<ServerCertificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">">
<ds:X509Data>
<ds:X509Certificate>
<Server.certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">">
<ds:X509Data>
<ds:X509Certificate>
<ServerCertificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://localhost:9443/samlsso" />
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://localhost:9443/samlsso" />
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://localhost:9443/samlsso" />
</md:IDPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">Docucom AG</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">Docucom AG</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">http://www.docucom.ch</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>Its</md:GivenName>
<md:SurName>Me</md:SurName>
<md:EmailAddress>its.me@docucom.ch</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
</md:EntitiesDescriptor>
CS SSO Connection Class:
private Client createSAML2Client(AuthenticationDTO authentication)
throws ServiceBeanException, GeneralSecurityException {
if(authentication.getKeyStore() == null) {
throw new NullPointerException(TM.encode("Error.null.s", "App.key.store"));
}
AccessKeyStore keyStore = accessKeyDTOService.getAccessKeyStore(authentication.getKeyStore().getName());
if(keyStore == null) {
throw new KeyException(TM.encode("Error.record.s.not.found.in.s",
authentication.getKeyStore().getName(), "App.access.keys"));
}
SAML2ClientConfiguration saml2Configuration = new SAML2ClientConfiguration(
":" + keyStore.getKeyFile().getAbsolutePath(),
new String(keyStore.getKeyFilePassword()), new String(keyStore.getKeyPassword()),
":" + authentication.getIdpMetadataFileName());
saml2Configuration.setServiceProviderEntityId(authentication.getEntityId());
saml2Configuration.setWantsAssertionsSigned(authentication.getAssertionsSigned());
saml2Configuration.setServiceProviderMetadataPath("resource:temp-sp-metadata.xml");
saml2Configuration.setMaximumAuthenticationLifetime(authentication.getLifetime().intValue());
SAML2Client saml2Client = new SAML2Client(saml2Configuration);
saml2Client.setName(authentication.getDomainName());
return saml2Client;
}