ITfoxtec.Identity.Saml2.Saml2RequestException: "There is not exactly one Assertion element."

Updated: 2024-10-24 16:33:10

Problem description

Good day,

We used ITfoxtec library version 1.2.2. This solution worked correctly.

We are now integrating the version 4.0.5 library. We need to use SHA-256 encoding. We used the 4.0.5 library from NuGet, according to the implementation example https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2.

The SAML request was sent successfully. The SAML response arrived. An exception is thrown in the method AssertionConsumerService() at the line binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);.

Exception thrown: ITfoxtec.Identity.Saml2.Saml2RequestException: "There is not exactly one Assertion element."

This is my SAML response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                Destination="xxx/saml/post/ac"
                ID="id-cefHM2F1RpCggtiERcLI-Z5AwyqM43zoVhtjSan0"
                InResponseTo="_99a2e207-8b49-46ab-85a8-7448f32b34e9"
                IssueInstant="2020-07-14T11:03:49Z"
                Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">yyy/oam/fed</saml:Issuer>
  <dsig:Signature>
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <dsig:Reference URI="#id-cefHM2F1RpCggtiERcLI-Z5AwyqM43zoVhtjSan0">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <dsig:DigestValue>/pQoLtuBTH/YNe4OKD4V6+qc2Rxf+na6pa8HonSRNeY=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>WW5g8Kzh3XMvohJKsYKebvO...</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:X509Data>
        <dsig:X509Certificate>MIIDUTCCAjmgAwIBAgIKTAxTewAAAAA...</dsig:X509Certificate>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </dsig:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml20:EncryptedAssertion xmlns:saml20="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="id-a7DCb68sppndtm1EJHGc7tGXeaybYZqovq6DSXUP"
                        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <dsig:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
                              URI="#id-OlT01t8FNBO2pIuB8ba-IlZ10dYXJEIgkMyiSOiZ" />
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>WNCrzgQXVzhAJ61coe4qClUi8hyZVUQ8Z...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                       Id="id-OlT01t8FNBO2pIuB8ba-IlZ10dYXJEIgkMyiSOiZ">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
      <dsig:KeyInfo>
        <dsig:X509Data>
          <dsig:X509Certificate>MIIDNDCCAhygAwIBAgIQhNtIL...</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>R5usMrow6yS8ulpX0HApH/ExWk...</xenc:CipherValue>
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#id-a7DCb68sppndtm1EJHGc7tGXeaybYZqovq6DSXUP" />
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
  </saml20:EncryptedAssertion>
</samlp:Response>

Is this SAML response not correct SAML? Using library 1.2.2, the same SAML response was accepted. Why is it not accepted when using the 4.0.5 library?

Please help. Well thank you. DM

Recommended answer

Generally the new ITfoxtec Identity SAML library is much more restrictive and secure than the old library.

The decrypted SAML Authn Response looks correct.

To troubleshoot:

  • Is the decryption certificate configured in config.DecryptionCertificate with the private key?
  • After the Exception, is the binding.XmlDocument.OuterXml in the AuthController.AssertionConsumerService method then decrypted?

The XML in binding.XmlDocument.OuterXml should be decrypted at the point where the exception is thrown; otherwise the problem is related to decryption.
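The two checks from the answer above, written out as an added C# example (not part of the original answer and not ITfoxtec code). SamlResponseDiagnostics and Diagnose are hypothetical names and the sample XML is constructed; the helper uses only System.Xml and X509Certificate2.HasPrivateKey, so it can be called with binding.XmlDocument and config.DecryptionCertificate once the exception has been caught.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

static class SamlResponseDiagnostics
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Hypothetical helper: call it from the catch block around
    // binding.ReadSamlResponse(...), passing binding.XmlDocument and
    // config.DecryptionCertificate.
    public static string Diagnose(XmlDocument doc, X509Certificate2 decryptionCert)
    {
        // Match on namespace, not prefix: the response above uses "saml20:".
        int plain = doc.GetElementsByTagName("Assertion", SamlNs).Count;
        int encrypted = doc.GetElementsByTagName("EncryptedAssertion", SamlNs).Count;

        if (plain == 1 && encrypted == 0)
            return "Exactly one plain Assertion: the document is decrypted, look elsewhere.";
        if (encrypted > 0 && decryptionCert == null)
            return "EncryptedAssertion present, but no decryption certificate is configured.";
        if (encrypted > 0 && !decryptionCert.HasPrivateKey)
            return "EncryptedAssertion present, but the certificate has no private key.";
        if (encrypted > 0)
            return "EncryptedAssertion still present although a private key is loaded: " +
                   "decryption did not take place; compare the certificate with the one " +
                   "in the response's EncryptedKey.";
        return $"Unexpected content: {plain} Assertion, {encrypted} EncryptedAssertion elements.";
    }

    static void Main()
    {
        // Constructed sample with the same shape as the response in the question:
        // a Response whose only assertion is still an EncryptedAssertion.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(
            "<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>" +
            "<saml20:EncryptedAssertion xmlns:saml20='" + SamlNs + "'/>" +
            "</samlp:Response>");

        // No certificate passed, so the "not configured" branch is reported.
        Console.WriteLine(Diagnose(doc, null));
    }
}
```

Log only the returned message or element counts, not OuterXml itself, since a decrypted assertion contains user attributes.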

Published: 2023-11-27 08:53:54
Article link: https://www.elefans.com/category/jswz/34/1637375.html