php - SSO for a PHP web application using WSO2 Identity Server. Authentication request fails

Tags: php wso2 single-sign-on saml

I am trying to configure a web application written in PHP to use WSO2 Identity Server for SSO. I was able to configure a web application in Java and it works fine, but not with PHP.

For PHP I am using this: http://support.onelogin.com/entries/268420-saml-toolkit-for-php

I get the following error [IS console]:

[2014-03-04 14:58:26,891] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Query string : SAMLRequest=fVPLbtswELznKwLeZVGyYieEJUB1%2BjDg2oKt9NAbQ
65rARSpcqnG%2FftSDzdO0XgvBIazw9kHF8hr1bC8dUe9g58toLu59XGqlUbWX6aktZoZjhUyzWtA5gTb51%2FXLJ5Q1ljjjDCK%2FJN2PYsjgnWV0UPa6jEl283H9fbzaiPo7E7OHzg9zO%2BnMBPJLJJ0SiGR8TymQj7HCQcZw
ZD5DSx6mZR41VELsYWVRse18zCNkoBOA5qU0QO7u2fx7PvAK0bjHyotK%2F3jut%2FngYTsS1kWQbHdl4NIfq5jaTS2Ndg92F%2BVgKfdOiVH5xoWhsoIro4GXdgcm6DrTSgG9sQDJOuFFh3Oeu82O%2FMW4SX6ymvYxjtcPRZGV
eJ3j3fxydiau%2FcLiSZRj1QyOPRUBjWvVC6lBUTyVydXyrwsLXAHKXG2BZINTt6%2B%2B8bQuDsg%2B03y3XBwcrdLUzfcVtgNCE5cuLHa14ov6Uvl12IHh%2Bzq5ggmOp6HC3%2B8GCu7SYLwb5eWa2yMdWPj%2Fis%2BuA6v2
M5uzteX3yL7Aw%3D%3D
[2014-03-04 14:58:26,893] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Request message <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGINc065d79a0f783e6c461d030e4d2720cdb24aed1e"
    Version="2.0"
    IssueInstant="2014-03-04T19:58:26Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost/php-saml/consume.php">
    <saml:Issuer>php-saml</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
[2014-03-04 14:58:26,898] DEBUG {org.wso2.carbon.identity.sso.saml.validators.SPInitSSOAuthnRequestValidator} -  Authentication Request Validation is successful..
[2014-03-04 14:58:26,903] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  CommonApplicationAuthenticationSer
vlet sessionDataKey: a0eef9ff-73cc-4862-87f3-afe17c21c2fc
[2014-03-04 14:58:26,905] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  The query-string sent by the calli
ng servlet is: SAMLRequest=fVPLbtswELznKwLeZVGyYieEJUB1+jDg2oKt9NAbQ65rARSpcqnG/ftSDzdO0XgvBIazw9kHF8hr1bC8dUe9g58toLu59XGqlUbWX6aktZoZjhUyzWtA5gTb51/XLJ5Q1ljjjDCK/JN2PYsjg
nWV0UPa6jEl283H9fbzaiPo7E7OHzg9zO+nMBPJLJJ0SiGR8TymQj7HCQcZwZD5DSx6mZR41VELsYWVRse18zCNkoBOA5qU0QO7u2fx7PvAK0bjHyotK/3jut/ngYTsS1kWQbHdl4NIfq5jaTS2Ndg92F+VgKfdOiVH5xoWhsoIr
o4GXdgcm6DrTSgG9sQDJOuFFh3Oeu82O/MW4SX6ymvYxjtcPRZGVeJ3j3fxydiau/cLiSZRj1QyOPRUBjWvVC6lBUTyVydXyrwsLXAHKXG2BZINTt6++8bQuDsg+03y3XBwcrdLUzfcVtgNCE5cuLHa14ov6Uvl12IHh+zq5ggmO
p6HC3+8GCu7SYLwb5eWa2yMdWPj/is+uA6v2M5uzteX3yL7Aw==&issuer=php-saml&sessionDataKey=77a7f01b-1fd1-4637-a0d8-7ffdb8094163&type=samlsso&commonAuthCallerPath=..%2F..%2Fsamlsso&
forceAuthenticate=true
[2014-03-04 14:58:26,908] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  BasicAuthenticator has set custom
status code: 11
[2014-03-04 14:58:30,660] DEBUG {org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator} -  User is successfully authenticated.
[2014-03-04 14:58:30,663]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  '[email protected] [-1234]' logged in at [2014-03-04 14:58:30,663-0500]
[2014-03-04 14:58:30,665] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  Authenticaticated by BasicAuthenti
cator in single-factor mode
[2014-03-04 14:58:30,666] DEBUG {org.wso2.carbon.identity.application.authentication.framework.CommonApplicationAuthenticationServlet} -  Sending response back to: ../../sa
mlsso
[2014-03-04 14:58:30,669] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Query string : null
[2014-03-04 14:58:30,672]  WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Destination validation for Authentication Request failed. R
eceived: [null]. Expected: [https://localhost:9443/samlsso]

As you can see, this is the problem:

[2014-03-04 14:58:30,672]  WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Destination validation for Authentication Request failed. R
eceived: [null]. Expected: [https://localhost:9443/samlsso]

In the Identity Server, I see this message in the web console:

SAML 2.0 based Single Sign-On: Error while processing the authentication request! Please try logging in again.

Update 1: Searching the IS source code, I found this snippet:

if (authnReqDTO.getCertAlias() != null) {

    // Validate 'Destination'
    String idpUrl = IdentityUtil.getProperty(IdentityConstants.ServerConfig.SSO_IDP_URL);

    if (authnReqDTO.getDestination() == null
            || !idpUrl.equals(authnReqDTO.getDestination())) {
        String msg = "Destination validation for Authentication Request failed. " +
                "Received: [" + authnReqDTO.getDestination() + "]." +
                " Expected: [" + idpUrl + "]";
        log.warn(msg);
        return buildErrorResponse(authnReqDTO.getId(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
    }

    // validate the signature
    boolean isSignatureValid = SAMLSSOUtil.validateAuthnRequestSignature(authnReqDTO);

    if (!isSignatureValid) {
        String msg = "Signature validation for Authentication Request failed.";
        log.warn(msg);
        return buildErrorResponse(authnReqDTO.getId(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, msg);
    }
}

Update 2: I started comparing the AuthnRequest sent by the PHP application and by the Java application. PHP application:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN7a1cbb4a8d17af21129b185b43801b84481658f9"
    Version="2.0"
    IssueInstant="2014-03-04T21:09:14Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost/php-saml/consume.php">
    <saml:Issuer>php-saml</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Java application:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
AssertionConsumerServiceURL="http://localhost:8080/travelocity.com/samlsso-home.jsp" 
AttributeConsumingServiceIndex="1701087467" 
Destination="https://localhost:9443/samlsso" 
ForceAuthn="false" 
ID="0" 
IsPassive="true" 
IssueInstant="2014-03-04T21:10:49.696Z" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">travelocity.com</samlp:Issuer>
<saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer"/>
<saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

As far as I can tell, I need to configure the Destination parameter in the PHP web application.

Best Answer

I finally got this scenario working.

In OneLogin's AuthRequest.php file, I changed this piece of code to include the Destination attribute:

$request = <<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="$id"
    Version="2.0"
    IssueInstant="$issueInstant"
    Destination="{$this->_settings->idpSingleSignOnUrl}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{$this->_settings->spReturnUrl}">
    <saml:Issuer>{$this->_settings->spIssuer}</saml:Issuer>
    <samlp:NameIDPolicy
        Format="{$this->_settings->requestedNameIdFormat}"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
AUTHNREQUEST;

In WSO2 IS, I checked the "Enable Response Signing" and "Enable Assertion Signing" options.

To get it working, I had to uncheck the "Enable Signature Validation in Authentication Requests and Logout Requests" option, because of this error in WSO2 IS:

[2014-03-04 19:12:10,914] ERROR {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} -  Error validating deflate signature
org.opensaml.ws.security.SecurityPolicyException: Could not extract the Signature from query string
        at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.getSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:139)
        at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.validateSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:63)
        at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateDeflateSignature(SAMLSSOUtil.java:625)
        at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateAuthnRequestSignature(SAMLSSOUtil.java:578)
        at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:108)
        at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:301)
        at org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateSPInitSSORequest(SAMLSSOService.java:102)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:236)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)
[2014-03-04 19:12:11,012]  WARN {org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor} -  Signature validation for Authentication Request failed.
[2014-03-04 19:12:11,048] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Invalid SAML SSO Request
[2014-03-04 19:12:11,054] ERROR {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  Error when processing the authentication request!
org.wso2.carbon.identity.base.IdentityException: Invalid SAML SSO Request
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleSPInitSSO(SAMLSSOProviderServlet.java:262)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:132)
        at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:75)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)
[2014-03-04 19:12:31,348] DEBUG {org.wso2.carbon.identity.core.dao.SAMLSSOServiceProviderDAO} -  Service Provider php-saml is added successfully.
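The "Could not extract the Signature from query string" error above means the toolkit redirected the browser with only a SAMLRequest parameter, so the IdP had nothing to verify; unchecking request signature validation removes the check rather than satisfying it. The following is an added example (not from the question, the answer, or the OneLogin toolkit) that builds the AuthnRequest with the Destination attribute and sends it over the HTTP-Redirect binding with SigAlg and Signature parameters, so validation can stay enabled. The $settings values, the key file path and the choice of rsa-sha256 are assumptions for a local test setup.

```php
<?php
// Added example, not the toolkit's code: emit Destination (what WSO2 IS compares
// with its SSO URL) and sign the HTTP-Redirect binding query string so the IdP's
// "Enable Signature Validation in Authentication Requests" can stay on.
// All $settings values and the key path are constructed assumptions.
$settings = [
    'idpSingleSignOnUrl'    => 'https://localhost:9443/samlsso',           // must match IS's expected Destination
    'spIssuer'              => 'php-saml',                                  // issuer registered as the SP in IS
    'spReturnUrl'           => 'http://localhost/php-saml/consume.php',     // AssertionConsumerServiceURL
    'requestedNameIdFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'spPrivateKeyFile'      => __DIR__ . '/sp-private-key.pem',             // hypothetical; its certificate is the SP alias in IS
];

function buildAuthnRequest(array $s): string {
    $id = 'ONELOGIN' . bin2hex(random_bytes(20));   // XML IDs must not start with a digit
    $issueInstant = gmdate('Y-m-d\TH:i:s\Z');
    $dest = htmlspecialchars($s['idpSingleSignOnUrl'], ENT_XML1);
    $acs = htmlspecialchars($s['spReturnUrl'], ENT_XML1);
    $issuer = htmlspecialchars($s['spIssuer'], ENT_XML1);
    return <<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="$id" Version="2.0" IssueInstant="$issueInstant"
    Destination="$dest"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="$acs">
    <saml:Issuer>$issuer</saml:Issuer>
    <samlp:NameIDPolicy Format="{$s['requestedNameIdFormat']}" AllowCreate="true"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
AUTHNREQUEST;
}

function buildSignedRedirectUrl(array $s, string $xml, string $relayState = ''): string {
    // HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode.
    $query = 'SAMLRequest=' . urlencode(base64_encode(gzdeflate($xml)));
    if ($relayState !== '') {
        $query .= '&RelayState=' . urlencode($relayState);
    }
    $query .= '&SigAlg=' . urlencode('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'); // assumed accepted by the IdP
    // The signature covers the encoded query string exactly as sent, in this parameter order.
    $key = openssl_pkey_get_private('file://' . $s['spPrivateKeyFile']);
    if ($key === false || !openssl_sign($query, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('could not sign the AuthnRequest: ' . openssl_error_string());
    }
    return $s['idpSingleSignOnUrl'] . '?' . $query . '&Signature=' . urlencode(base64_encode($signature));
}

header('Location: ' . buildSignedRedirectUrl($settings, buildAuthnRequest($settings)));
exit;
```

For the IdP to verify this, the certificate matching sp-private-key.pem must be imported into the WSO2 IS keystore and selected as the service provider's certificate alias, which is also the condition (getCertAlias() != null) under which the Destination check in Update 1 runs.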

Regarding "php - SSO for a PHP web application using WSO2 Identity Server. Authentication request fails", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/22182354/
