javax.xml.crypto.dsig.XMLSignatureException : the keyselector did not find a validation key

标签 java ssl saml-2.0 adfs2.0 opensaml

我正在使用 SAML 身份验证机制来验证我的应用程序。我将 IDP 服务器用作 ADFS,将 SP 用作 JBoss EAP 7.1.4。我已经添加了与 IDP 和 sp 服务器相关的所有配置,但是在验证 saml 响应时给出了下面提到的异常。

它在另一个 ADFS 服务器上运行良好,但 ADFS 服务器已更改,因此在添加所有添加的配置后,

  1. 已验证证书是否正确。唯一的区别是新的 ADFS 使用通配符证书 *.dev.adfs.com 链接。
  2. 已验证 SP 服务器端证书,使用 windows 相关证书。
  3. 已接受的 claim 已得到验证。

突出显示的日志:

2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO  [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3

请求和响应相关:

2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>

整个异常抛出是:

2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Trying hard to validate XML signature using all available keys.
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notBefore=2019-01-09T10:25:48.084Z
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Assertion: _67562aca-0e81-4df1-a8db-3579e3b786e3 ::Now=2019-01-09T08:41:35.435Z ::notOnOrAfter=2019-01-09T11:25:48.084Z
2019-01-09 14:11:35,435 INFO  [org.keycloak.saml.common] (default task-9) [] Assertion has expired with id=_67562aca-0e81-4df1-a8db-3579e3b786e3
2019-01-09 14:11:35,435 TRACE [org.keycloak.saml.common] (default task-9) [] Document to be signed=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Destination="https://adfs.devops.myapp.co/adfs/ls/" ForceAuthn="false" ID="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IsPassive="false" IssueInstant="2019-01-09T08:41:35.435Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:cslk-cl-ix-1.myapp.co:adfs.devops.myapp.co</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/></samlp:AuthnRequest>
2019-01-09 14:11:35,685 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-23) [] SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint@6dfd19e]
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-23) [] <samlp:Response ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" Version="2.0" IssueInstant="2019-01-09T10:25:48.352Z" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] SAML Response Document: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://cslk-cl-ix-1.myapp.co:8443/auth/login/saml" ID="_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad" InResponseTo="ID_9ec9cec9-725c-485a-9d1e-e8204ae5caaf" IssueInstant="2019-01-09T10:25:48.352Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.devops.myapp.co/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_3c8ba3f7-240d-4de5-9f81-a1ee1ba9b9ad"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>ZGooIpoucxJm2hHqZ8ENYCHV1aUQ+rjnCJZb3aYi794=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UQvi9POISqTJriLE4Cnp/oS8qiEzbSCstRQ2Yk2Cz1NW2ZJa5rSLk/+Vrn/2oaj+dm/GB/5ymHGbj8vLh8mR6KpEJUwpZGSVt2fQqG8t4+b0/YiB4OXHoxBdLlTs4/1yJ3gBw6CWfAK+0oOBMbMt/RDQ85YHqIAjra8knQkJDZW0RDRkzZD7fIQnMBAEAGlqGRXmZ/Y2XoVWijAr088DKFDMPLkxAJlFsDgvuZ55JLUmRo2DK3XrAS9ilg43hym8PxvGascdc33d5oicpvOIG/8ymzDDZEQzIYhIHO5E+NT1bU+1k+AuCBj48L7/oIvGSN5nBuOHFJ6AGlr0Z0+dvw==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIGQzCCBSugAwIBAgIQCoRLTdpfWPYhb+4+0jJ8nzANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5EaWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwMTMwMDAwMDAwWhcNMTkwMjA0MTIwMDAwWjB2MQswCQYDVQQGEwJTRTESMBAGA1UEBxMJTGlua29waW5nMSUwIwYDVQQKExxDYW1iaW8gSGVhbHRoY2FyZSBTeXN0ZW1zIEFCMQ8wDQYDVQQLEwZEZXZPcHMxGzAZBgNVBAMMEiouZGV2b3BzLmNhbWJpby5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhVmc1fY7uIoJRptyErVxZIylGFS7YTSM7hXbu/jLoNdybSPaSEuIaBeZM8CF3YPYOw4HjPUPSwm0mS+nHVcHLWq0L+YvlRDQPEfvLtbNp9qPlBWy+lQUde2mUEAclazGvv9JcUBWQZ2adw/tX8aUreR1WwsXCE06/kmlwWuaHT9f6uyiARLN9yjxCBJpv2H9qvMOYL3ddtZVigu+5BpD0b6jBceWtJf2vtfhMx7W/3csH7bmPD5/Zk8o/iDt86clhRCpvC6HG/Rp1wiPVxTfBnsdNGbZ/rL3NpNIFISOzMlFyrTRrYOd0IoV7h+N87LPv2V4ehF1Gojsp3PRbsCGECAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQa16XymyMUbzBg50nZEnKYoyDXgzAvBgNVHREEKDAmghIqLmRldm9wcy5jYW1iaW8uc2WCEGRldm9wcy5jYW1iaW8uc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABYUhNaOYAAAQDAEcwRQIhAJfqhCeN/+ctydVvdHDA+ob+Oi8BdddU/JR/MXULemKrAiASdWjbsZgjdZnOP0D6X6lcFCpW04tEcFUlVxOur4Y45gB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABYUhNaYUAAAQDAEgwRgIhAMntoPH1spXuNV33QLzmNlrWY8+jFJoF13roGaFP41QvAiEA5uwsRrp+LZ9enPjoP9Va1xjrqUHvgnO5DnoA/fsY7q0wDQYJKoZIhvcNAQELBQADggEBADPG0CvUPA4mLSnTWVrKmDnfAUTnf1XOwKxlEq/EFmzp+oZ+IzYke/JlhJsgKP9QAUUkgwErpXdfbQThAF7c8NqzKPwu4b0U5jsnsp+Ay1KtEz/iXM40T7QWDQmb3fN/U1a8t+Z2MViORR2SDesY5hE56VbKBBKeojJ6ek21Iri6D39lwoMZcaZ/o6ZlAKJF/hslhyHaOmhW0z0yZhnGllJ2rqn+kPeTgDx75ddiPJumX1Pwo48q3q8QtZH98HbxZk1wa5H3IFLRI8PwVXvzlcDrzP1guHBhwpO1jp7UDTyyP0CmIZgCc1Ye1QQIiSXXNGJay6/uV0GKMyvyKfGZnlU=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status></samlp:Response>
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:xmlns:ds::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:URI
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Creating an Attribute Namespace=:Algorithm
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:KeyInfo::Value=http://www.w3.org/2000/09/xmldsig#
2019-01-09 14:11:35,685 DEBUG [org.keycloak.saml.common] (default task-23) [] Verification failed for key null: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] the keyselector did not find a validation key: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:552) [xmlsec-2.0.5.jar:2.0.5]
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254) [xmlsec-2.0.5.jar:2.0.5]
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:510)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:474)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:455)
    at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:180)
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:543) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:269) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:190) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) [keycloak-saml-adapter-core-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at org.keycloak.adapters.saml.undertow.AbstractSamlAuthMech.authenticate(AbstractSamlAuthMech.java:115) [keycloak-saml-undertow-adapter-2.5.7.Final-redhat-2.jar:2.5.7.Final-redhat-2]
    at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.impl.cocurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.impl.cocurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.impl.cocurityContextImpl.authTransition(SecurityContextImpl.java:99) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.impl.cocurityContextImpl.authenticate(SecurityContextImpl.java:92) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.cocurity.corvletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corver.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.cocurity.corvletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.cocurity.corvletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.cocurity.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.cocurity.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at org.wildfly.extension.undertow.cocurity.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.corver.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.corvletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.corvletInitialHandler.access$100(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.corvletInitialHandler$2.call(ServletInitialHandler.java:138) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.corvletInitialHandler$2.call(ServletInitialHandler.java:135) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.core.corvletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at org.wildfly.extension.undertow.cocurity.cocurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1501)
    at io.undertow.corvlet.handlers.corvletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.corvletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corvlet.handlers.corvletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) [undertow-servlet-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corver.Connectors.executeRootHandler(Connectors.java:330) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at io.undertow.corver.HttpServerExchange$1.run(HttpServerExchange.java:812) [undertow-core-1.4.18.SP8-redhat-1.jar:1.4.18.SP8-redhat-1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_181]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_181]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_181]

2019-01-09 14:11:35,685 TRACE [org.keycloak.saml.common] (default task-23) [] Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-01-09 14:11:35,825 TRACE [org.keycloak.saml.common] (default task-23) [] Trying hard to validate XML signature using all available keys.

最佳答案

发现问题的根本原因主要是 ADFS 证书未通过即时更新更新到服务提供商端。将正确的证书更新到 ADFS 并重新启动 ADFS 服务器后。问题已解决。 但是,您必须遵循以下答案中提到的正确 PKI。

How to resolve org.springframework.web.util.NestedServletException: Request processing failed; with SAML

关于javax.xml.crypto.dsig.XMLSignatureException : the keyselector did not find a validation key,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/54108966/

上一篇:ssl - 如何使用服务器端配置(Nginx)强制浏览器获取新的 SSL 证书而不是旧证书?

下一篇:ssl - 从 openssl s_server 查看 pem 格式的客户端证书

相关文章:

ssl - 启用 SSL 后 Apache 不会重新启动

single-sign-on - SAML 2.0 是否允许将 SP 数据发送到 IdP?

java - Spring saml 演示构建问题

c# - 如何为 Kentor idprovider 添加自定义元数据?

java - 我的斐波那契算法的 Java 实现无法正常工作。

java - 如何隐藏 SWT 组合,使其不占用空间?

java - JOptionPane.showMessageDialog 无效 AnnotationName

curl: (60) Peer's certificate issuer 已被标记为不被用户信任

java - MapReduce 从 Redis 读取输入

php - 使用 PHP 通过 SSL 将 AWS EC2 实例连接到 RDS MySQL

©2024 IT工具网  联系我们