douli1872 2015-10-08 03:33

针对Google Apps IdP响应的Golang SAML身份验证

I've used the gosaml and go-saml packages from GitHub to build a SAML IdP in Revel. Both packages use xmlsec to sign the SAML response with the IdP's private key, but when I try to authenticate with Google I get the following error: "Google Apps - This account cannot be accessed because we could not parse the login request." I've tried two different servers (Windows and Linux) to rule out an xmlsec problem, tried variations of the response modelled on the ones Bitium and Okta produce, and generated keys with both OpenSSL and the OneLogin test tools. Here is the decoded SAML response, extracted with the SAML tracer add-on for Firefox, that produces the error (note that the closing `</samlp:Response>` tag is not shown below):

<!--
  Review notes. Only XML comments have been added; the captured payload itself is unchanged.
  Treat this annotated copy as review material, do not feed it back into the IdP.

  This is the base64-decoded SAML 2.0 Response, captured with the Firefox SAML tracer, that
  Google Apps rejected with "could not parse the login request". Things to check before
  blaming xmlsec or the key material:

  1. The Assertion carries no <saml:AuthnStatement>. The SAML 2.0 Web Browser SSO profile
     requires at least one AuthnStatement (AuthnInstant plus an AuthnContext) in an assertion
     used for SSO. Its absence is the most likely reason an SP calls the response unparseable.
     See the note at the end of the Assertion.
  2. <saml:Conditions> is empty: there is no <saml:AudienceRestriction>. Without an Audience
     the assertion is not bound to Google as the intended relying party (any other SP that
     trusts this IdP certificate could accept it), and many SPs reject an assertion that does
     not name them. See the note on Conditions.
  3. Only the Response is signed (enveloped signature over the Response ID). The Assertion
     itself has no Signature. Which element Google requires to be signed must be taken from
     Google's SP-side SSO documentation; confirm it rather than assuming a Response signature
     is sufficient.
  4. The signature uses rsa-sha1 and a sha1 digest. Both are deprecated; move to rsa-sha256 /
     sha256 once the parse problem is solved. This alone is unlikely to cause a parse error.
  5. As pasted, the document never closes </samlp:Response>. If the paste is merely truncated
     this is harmless; if the IdP really emits it this way the XML is not well-formed and no
     SP will parse it.
  6. The Issuer value (http://104.175.190.209, repeated on Response and Assertion) must match
     the IdP entity ID configured in the Google Admin console byte-for-byte.
  7. NOTE(review): IssueInstant uses seven fractional-second digits (.NET style). That is a
     legal xs:dateTime, but if everything else checks out, try millisecond precision; some
     SAML stacks are stricter than the schema. Unconfirmed.

  The CanonicalizationMethod below is Exclusive C14N without the WithComments variant, so these
  comments should not enter the digest input, but do not rely on that for a production flow.
-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            xmlns:samlsig="http://www.w3.org/2000/09/xmldsig#"
            Destination="https://www.google.com/a/wikiplays.org/acs"
            ID="_b521e7bc-9917-4c18-7e89-25032fb49278"
            Version="2.0"
            IssueInstant="2015-10-14T05:42:57.6982498Z"
            InResponseTo="ncgobkpepepgfjhanlpafamijhhpklilagehhfee"
            >
<!-- Response issuer: must equal the IdP entity ID registered with Google. The same value is
     repeated on the Assertion below. A bare-IP http URL is a legal entityID but unusual. -->
<saml:Issuer>http://104.175.190.209</saml:Issuer>
<!-- Enveloped signature over the whole Response (Reference URI equals the Response ID).
     Placement after Issuer and before Status is correct per the samlp:Response schema.
     The Assertion below is NOT separately signed (see header note 3). The "samlsig" prefix
     is unconventional (usually "ds") but irrelevant to a namespace-aware verifier. -->
<samlsig:Signature Id="Signature1">
    <samlsig:SignedInfo>
        <samlsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <!-- Deprecated algorithm: prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 -->
        <samlsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <samlsig:Reference URI="#_b521e7bc-9917-4c18-7e89-25032fb49278">
            <samlsig:Transforms>
                <samlsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </samlsig:Transforms>
            <!-- Deprecated digest: prefer http://www.w3.org/2001/04/xmlenc#sha256 -->
            <samlsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <samlsig:DigestValue>n9fNsHr4zU9oR6Ycjx1jAdzzb64=</samlsig:DigestValue>
        </samlsig:Reference>
    </samlsig:SignedInfo>
    <samlsig:SignatureValue>YG9ZHBkr5NMm4b5N0NOnasgiLR5U17o9jMTrx6wXtklqx8DxV1uiI7siFRFlsnLy
wk+htqAOhMmTX/pSye6gbIO0xVBNlcRGuMF9uf4CE8dunbQx6cy3nVTKI0MKQtBq
Wpsu6y/v/z/xa+Xg4DDaEprgxi2NwlDOedZ+deUnA54=</samlsig:SignatureValue>
    <samlsig:KeyInfo>
        <samlsig:X509Data>
            <!-- Certificate is truncated in this paste and contains embedded whitespace.
                 Whitespace inside base64Binary is tolerated, but confirm this is the exact
                 certificate uploaded to Google; a mismatch is rejected, not reported as a
                 parse error. -->
            <samlsig:X509Certificate>MIICZjCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBQMQswCQYDVQQ    GEwJ1czET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 oIn8BV7bDA+YkeAgH98UE6OOEkNYnygkg2eT9H0FoyXkMyiizixeH8BO</samlsig:X509Certificate>
        </samlsig:X509Data>
    </samlsig:KeyInfo>
</samlsig:Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<!-- Unsigned assertion; integrity rests entirely on the enclosing Response signature. -->
<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                ID="_f7437494-03ce-4eb1-483c-169f43f6e1f7"
                Version="2.0"
                IssueInstant="2015-10-14T05:42:57.6982498Z"
                >
    <saml:Issuer>http://104.175.190.209</saml:Issuer>
    <saml:Subject>
        <!-- The NameID is presumably the Google account the user is signed in as; the IdP must
             only ever assert an address it has actually authenticated. -->
        <saml:NameID SPNameQualifier="google.com/a/wikiplays.org"
                     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
                     >vince@wikiplays.org</saml:NameID>
        <!-- Bearer confirmation: InResponseTo echoes the AuthnRequest ID, Recipient equals
             Destination, NotOnOrAfter gives a five-minute window. These are the replay and
             redirection checks an SP performs; keep the IdP clock NTP-synced. -->
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="ncgobkpepepgfjhanlpafamijhhpklilagehhfee"
                                          NotOnOrAfter="2015-10-14T05:47:57.6982498Z"
                                          Recipient="https://www.google.com/a/wikiplays.org/acs"
                                          />
        </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- TODO(review): Conditions has a validity window but no AudienceRestriction, so the
         assertion is not tied to Google as relying party. Add
         <saml:AudienceRestriction><saml:Audience>...</saml:Audience></saml:AudienceRestriction>
         with the audience value Google expects for this domain (take it from Google's SSO
         documentation or SP metadata, do not guess). -->
    <saml:Conditions NotBefore="2015-10-14T05:37:57.6982498Z"
                     NotOnOrAfter="2015-10-14T05:47:57.6982498Z"
                     />
    <saml:AttributeStatement>
        <saml:Attribute Name="Email"
                        FriendlyName="Email Address"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                        >
            <saml:AttributeValue xsi:type="xs:string">vince@wikiplays.org</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
    <!-- TODO(review): no <saml:AuthnStatement>. The Web Browser SSO profile requires one in an
         SSO assertion, for example:
         <saml:AuthnStatement AuthnInstant="2015-10-14T05:42:57Z" SessionIndex="...">
           <saml:AuthnContext>
             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
           </saml:AuthnContext>
         </saml:AuthnStatement>
         Use the AuthnContextClassRef that matches how the user was really authenticated. -->
</saml:Assertion>
<!-- </samlp:Response> is absent from the paste; see header note 5. -->
