wso2 - WSO2 Identity Server 5.7.0 with ADFS federation fails to show an error page when the SAML response carries a RequestDenied status
Problem description
I am currently facing a federation problem between WSO2 Identity Server 5.7.0 and ADFS when an unauthorized user tries to access an application registered in WSO2.
As I described in this question #58123989, in our organization there are users belonging to an Active Directory organizational unit (OU) who are not allowed to use certain relying parties (RPs) of ADFS. This was achieved successfully through issuance authorization rules, and when the RP is configured with WS-Federation, an error is shown on the ADFS page stating that the user is not authorized to access the application/RP.
However, when the RP is federated with a SAML configuration (like our WSO2 solution), no error is shown on ADFS, and from what I have read, the SAML protocol encourages the responsibility for presenting authentication errors to fall on the service provider that requested the authentication. As far as I understand, in our scenario WSO2 IS is both an RP and an SP, and no error page is shown.
So when a user belonging to a disallowed OU tries to log in, the returned SAML response looks like this:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_8e68c63c-6fb4-4dec-8d6d-2c4d885ea36f"
                Version="2.0"
                IssueInstant="2019-10-30T09:11:10.159Z"
                Destination="https://km.apim.ipleiria.pt/commonauth"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_c48ab89ffc9dabae2294416785a7c701"
                >
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.ipleiria.pt/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_8e68c63c-6fb4-4dec-8d6d-2c4d885ea36f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>i2O6tpoM9sv9W7T5J99VENpfSplM0xcs4ocGgdFYwXw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>CoU7XShDtzjVciFP1zvHe5+kXpQ5gsI1XMiEcskqbDvzdAcH4woGYrAGHge9wY2+Nw6aJVfzm6YyKiWRfp83Rl7kny/cVhttApKXQskci/mtOk5BKKm/AMGXbYu82baS8mdJN1M9QDRtQQoDyeoxCv15T1zwKJhMGmweOGpYAXOqO3QKl7QMAPcggwwdp0/j8MRfqN8rqSyQGfbnPdS0Qz8fYWjou6C9T0hbQhfkPJwXHfpNmw4Ar8t7jL2b5K1nkHl4QLw5IHfpbTO9a06AU6j1WSmboAd7/zHs3CxxKYL4YQNpJuUXmac0GK9dkhptc8XWZZ4XUQb7wbvsZ8Hzvg==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>
As you can see, the StatusCode is urn:oasis:names:tc:SAML:2.0:status:RequestDenied.
When WSO2 IS processes the response, an exception is raised with the following message and stack trace: SAML Assertion is not found in the Response
TID: [-1234] [] [2019-10-30 09:11:08,797] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - SAML Assertion is not found in the Response
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: SAML Assertion is not found in the Response
at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:325)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:77)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:497)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:471)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:174)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handle(GraphBasedSequenceHandler.java:102)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:135)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:162)
at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.identity.captcha.filter.CaptchaFilter.doFilter(CaptchaFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:65)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.identity.application.authenticator.samlsso.exception.SAMLSSOException: SAML Assertion is not found in the Response
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSSOResponse(DefaultSAML2SSOManager.java:538)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.executeSAMLReponse(DefaultSAML2SSOManager.java:383)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processSAMLResponse(DefaultSAML2SSOManager.java:374)
at org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.processResponse(DefaultSAML2SSOManager.java:331)
at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:252)
... 59 more
But no error page is shown to the user, and the connection is returned to the application (usually a single-page application registered in WSO2 API Manager) with no authentication information.
Since ADFS documentation is somewhat sparse, and of course there are the SAML protocol rules (which encourage presenting the error at the SP), my approach has been to catch the exception thrown by WSO2 IS and show an error page, although without success.
How can I catch the error and render a page? Is there a different approach? Can this be configured in ADFS?
Solution
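The check the question is asking for, written here as an added example (not WSO2's code or the poster's): a stand-alone Python sketch that walks the Response's nested StatusCode chain before it ever looks for an Assertion, so a Responder/RequestDenied result can be routed to an error page instead of surfacing as "SAML Assertion is not found in the Response". The two sample responses are constructed, modelled on the ADFS response above, and the code assumes the XML signature has already been verified upstream.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the ADFS response in the question: no <Assertion>, a nested
# Responder/RequestDenied status. Signature omitted; this check runs after it has been verified.
DENIED_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2019-10-30T09:11:10.159Z"
    InResponseTo="_c48ab89ffc9dabae2294416785a7c701">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed success case for contrast: Success status plus a minimal (placeholder) assertion.
SUCCESS_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2019-10-30T09:11:10.159Z" InResponseTo="_c48ab89ffc9dabae2294416785a7c701">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2019-10-30T09:11:10.159Z"/>
</samlp:Response>"""


def status_codes(response_xml):
    """Return the StatusCode chain, outermost first (SAML 2.0 allows nested codes)."""
    node = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    codes = []
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    return codes


def classify(response_xml):
    """Decide the SP's next step from <Status> alone: ("error_page", reason) or ("continue", SUCCESS)."""
    root = ET.fromstring(response_xml)
    codes = status_codes(response_xml)
    has_assertion = (root.find("saml:Assertion", NS) is not None
                     or root.find("saml:EncryptedAssertion", NS) is not None)
    if not codes or codes[0] != SUCCESS:
        # The IdP refused (e.g. an ADFS issuance authorization rule): render an error page naming
        # the innermost, most specific code instead of raising "SAML Assertion is not found".
        return "error_page", codes[-1] if codes else "missing-status"
    if not has_assertion:
        return "error_page", "success-without-assertion"
    return "continue", SUCCESS
```

In WSO2 IS terms this decision would sit in a custom federated authenticator ahead of the assertion lookup; the sketch only shows the status logic, not the WSO2 extension point.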