SAMLException: "Assertion invalidated by missing Audience Restriction" when started from the identity provider

I get a SAMLException with the following error, "Assertion invalidated by missing Audience Restriction", when I try to log in via SAML and the login is started from the identity provider site, without the request being initiated from the service provider site.

My SP metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="urn_test_system_stag_sp_test" entityID="urn:test:system:stag:sp:test"
                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://mytestsite/samlSlo"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://mytestsite/samlSlo"/>

        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://mytestsite/samlAcs?sp=test" index="0"
                                     isDefault="true"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     Location="https://mytestsite/samlAcs?sp=test"
                                     index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

The exception I get:

2018-02-15 15:30:24,356 org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
2018-02-15 15:30:24,356     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
2018-02-15 15:30:24,356     at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
2018-02-15 15:30:24,356     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
2018-02-15 15:30:24,356     at com.test.marlin.action.sso.saml2.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:61)
2018-02-15 15:30:24,356     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
2018-02-15 15:30:24,356     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
2018-02-15 15:30:24,356     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:24,356     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
2018-02-15 15:30:24,356     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
2018-02-15 15:30:24,356     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.marlin.action.TstsFilter.doFilter(TstsFilter.java:79)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.mycode.access.InitSessionFilter.doFilter3(InitSessionFilter.java:226)
2018-02-15 15:30:24,356     at com.test.mycode.access.InitSessionFilter.doFilter2(InitSessionFilter.java:160)
2018-02-15 15:30:24,356     at com.test.mycode.access.InitSessionFilter.doFilter(InitSessionFilter.java:95)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.modules.servlet.ForwardFilter.doFilter(ForwardFilter.java:230)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.modules.servlet.FakeIpFilter.doFilter(FakeIpFilter.java:43)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.modules.servlet.ClientIpFilter.doFilter(ClientIpFilter.java:114)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.test.mycode.frontend.filter.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:98)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:24,356     at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
2018-02-15 15:30:24,356     at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
2018-02-15 15:30:24,356     at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:289)
2018-02-15 15:30:24,356     at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:838)
2018-02-15 15:30:24,356     at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1349)
2018-02-15 15:30:24,356     at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1305)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1289)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1197)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketLink.handleAcceptTaskImpl(TcpSocketLink.java:993)
2018-02-15 15:30:24,357     at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:117)
2018-02-15 15:30:24,357     at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:93)
2018-02-15 15:30:24,357     at com.caucho.network.listen.SocketLinkThreadLauncher.handleTasks(SocketLinkThreadLauncher.java:169)
2018-02-15 15:30:24,357     at com.caucho.network.listen.TcpSocketAcceptThread.run(TcpSocketAcceptThread.java:61)
2018-02-15 15:30:24,357     at com.caucho.env.thread2.ResinThread2.runTasks(ResinThread2.java:173)
2018-02-15 15:30:24,357     at com.caucho.env.thread2.ResinThread2.run(ResinThread2.java:118)
2018-02-15 15:30:24,357 Caused by: org.opensaml.common.SAMLException: Assertion invalidated by missing Audience Restriction
2018-02-15 15:30:24,357     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:431)
2018-02-15 15:30:24,357     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
2018-02-15 15:30:24,357     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
2018-02-15 15:30:24,357     ... 50 more
2018-02-15 15:30:25,939 org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
2018-02-15 15:30:25,939     at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
2018-02-15 15:30:25,939     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
2018-02-15 15:30:25,939     at com.test.marlin.action.sso.saml2.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:61)
2018-02-15 15:30:25,939     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
2018-02-15 15:30:25,939     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
2018-02-15 15:30:25,939     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
2018-02-15 15:30:25,939     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
2018-02-15 15:30:25,939     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
2018-02-15 15:30:25,939     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.marlin.action.TstsFilter.doFilter(TstsFilter.java:79)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.mycode.access.InitSessionFilter.doFilter3(InitSessionFilter.java:226)
2018-02-15 15:30:25,939     at com.test.mycode.access.InitSessionFilter.doFilter2(InitSessionFilter.java:160)
2018-02-15 15:30:25,939     at com.test.mycode.access.InitSessionFilter.doFilter(InitSessionFilter.java:95)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.modules.servlet.ForwardFilter.doFilter(ForwardFilter.java:230)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.modules.servlet.FakeIpFilter.doFilter(FakeIpFilter.java:43)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.modules.servlet.ClientIpFilter.doFilter(ClientIpFilter.java:114)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.test.mycode.frontend.filter.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:98)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:89)
2018-02-15 15:30:25,939     at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
2018-02-15 15:30:25,939     at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
2018-02-15 15:30:25,939     at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:289)
2018-02-15 15:30:25,939     at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:838)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1349)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1305)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1289)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1197)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketLink.handleAcceptTaskImpl(TcpSocketLink.java:993)
2018-02-15 15:30:25,939     at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:117)
2018-02-15 15:30:25,939     at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:93)
2018-02-15 15:30:25,939     at com.caucho.network.listen.SocketLinkThreadLauncher.handleTasks(SocketLinkThreadLauncher.java:169)
2018-02-15 15:30:25,939     at com.caucho.network.listen.TcpSocketAcceptThread.run(TcpSocketAcceptThread.java:61)
2018-02-15 15:30:25,939     at com.caucho.env.thread2.ResinThread2.runTasks(ResinThread2.java:173)
2018-02-15 15:30:25,939     at com.caucho.env.thread2.ResinThread2.run(ResinThread2.java:118)
2018-02-15 15:30:25,939 Caused by: org.opensaml.common.SAMLException: Assertion invalidated by missing Audience Restriction
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:431)
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
2018-02-15 15:30:25,939     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
    ... 50 more

Can anyone help me with this?

1 answer

Solution

I had the problem because I did not initiate the SAML request from my service provider site (my site); that request contains the saml2 Issuer, so the identity provider site did not know the sender of the request, and after a successful login on its side the AudienceRestriction was not included in the response and a SAMLException was thrown.

As a solution, I asked the identity provider to add the following AudienceRestriction permanently:

    <saml:Conditions NotBefore="2018-02-19T18:51:12.596Z" NotOnOrAfter="2018-02-19T19:51:12.596Z">
        <saml:AudienceRestriction>
            <saml:Audience>urn:test:system:stag:sp:test</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
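To make the failure concrete, here is an added example (not the poster's code and not Spring Security SAML's implementation) that performs the same conditions check the stack trace points at: it parses the `<saml:Conditions>` element of an assertion, enforces the `NotBefore`/`NotOnOrAfter` window with a small clock-skew allowance, and requires an `AudienceRestriction` naming the SP's own entityID. The three assertions are constructed samples; the one with the audience matches what the answer shows, the one without it reproduces the "missing Audience Restriction" error, and the third shows an assertion issued for a different SP. The helper and function names are mine, and only the Python standard library is assumed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# entityID taken from the SP metadata in the question
SP_ENTITY_ID = "urn:test:system:stag:sp:test"

# Constructed sample: conditions as the answer shows them after the IdP fix.
ASSERTION_WITH_AUDIENCE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2018-02-19T18:51:12.596Z" NotOnOrAfter="2018-02-19T19:51:12.596Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:test:system:stag:sp:test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample: what an IdP-initiated response looked like before the fix.
ASSERTION_WITHOUT_AUDIENCE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2018-02-19T18:51:12.596Z" NotOnOrAfter="2018-02-19T19:51:12.596Z"/>
</saml:Assertion>"""

# Constructed sample: an assertion the IdP issued for some other service provider.
ASSERTION_WRONG_AUDIENCE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2018-02-19T18:51:12.596Z" NotOnOrAfter="2018-02-19T19:51:12.596Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:test:system:stag:sp:other</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % value)


def verify_conditions(assertion_xml, sp_entity_id, now, clock_skew_seconds=60):
    """Return (ok, reason) for the assertion's Conditions element.

    Rules applied: the validity window must contain `now` (allowing a little
    clock skew), at least one AudienceRestriction must be present, and every
    AudienceRestriction must list this SP's entityID (restrictions AND together,
    audiences inside one restriction OR together).
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "Assertion has no Conditions element"

    skew = timedelta(seconds=clock_skew_seconds)
    not_before = conditions.get("NotBefore")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "Assertion not yet valid (NotBefore)"
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "Assertion expired (NotOnOrAfter)"

    restrictions = conditions.findall("saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        return False, "Assertion invalidated by missing Audience Restriction"
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text]
        if sp_entity_id not in audiences:
            return False, "Assertion invalidated by Audience Restriction: %s" % audiences
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2018, 2, 19, 19, 0, 0, tzinfo=timezone.utc)
    for label, xml in [("with audience", ASSERTION_WITH_AUDIENCE),
                       ("without audience", ASSERTION_WITHOUT_AUDIENCE),
                       ("wrong audience", ASSERTION_WRONG_AUDIENCE)]:
        print(label, "->", verify_conditions(xml, SP_ENTITY_ID, now))
```

The audience check is what ties an assertion to one SP: without it, an assertion the IdP issued for any other application would be accepted by this one, which is why the consumer refuses the assertion rather than skipping the check when the element is absent.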