
Problem

OneloginPHPSAMLSdk::processResponse() fails to process an encrypted message.

A signed SAML Response containing a signed SAML Assertion is processed successfully by OneloginPHPSAMLSdk::processResponse().

However, when that same signed SAML Response containing a signed SAML Assertion is encrypted, OneloginPHPSAMLSdk::processResponse() fails to process the encrypted SAML Response. In this case decryption succeeds, but the XML fails saml-schema-protocol-2.0.xsd validation.

Summary:

Unencrypted message succeeds:

  • The SAML Assertion in the SAML Response message is signed
  • The SAML Response message is signed
  • The fully signed SAML Response (not encrypted) is processed successfully by OneloginPHPSAMLSdk::processResponse()

Encrypted message fails:

  • The same fully signed SAML Response is encrypted (using the Onelogin online tool) and processed by OneloginPHPSAMLSdk::processResponse()
  • Decryption of the fully signed SAML Response succeeds
  • Processing of the decrypted, fully signed SAML Response by OneloginPHPSAMLSdk::processResponse() fails

Error returned by OneloginPHPSAMLSdk::processResponse() and libxml_get_errors():

invalid_response - Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd - [{\"level\":2,\"code\":1871,\"column\":0,\"message\":\"Element 'Assertion': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:assertion}Assertion, {urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion ).\n\",\"file\":\"\/var\/www\/sso\/app\/webroot\/\",\"line\":1}]

The unencrypted version of this message passes saml-schema-protocol-2.0.xsd validation and is processed successfully.

Below are all the settings that were used.

x.509 certificates

For testing purposes, I used the Onelogin online self-signed certificate tool ( https://developers.onelogin.com/saml/online-tools/x509-certs/obtain-self-signed-certs ) to generate the service provider and identity provider x509 certificates:

Identity provider certificate used:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Service provider certificate used:

-----BEGIN CERTIFICATE-----
MIIDKjCCApOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBsTELMAkGA1UEBhMCdXMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC1RyaU5ldCwgSW5jMSEwHwYD
VQQDDBhzc28udHJpbmV0Y2xvdWQuY29tbG9jYWwxFTATBgNVBAcMDFNhbnRhIE1v
bmljYTEVMBMGA1UECwwMVHJpTmV0IENsb3VkMSYwJAYJKoZIhvcNAQkBFhdzdXBw
b3J0QHRyaW5ldGNsb3VkLmNvbTAeFw0xNjEwMzEyMzAyMTFaFw0xNzEwMjIyMzAy
MTFaMIGxMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UE
CgwLVHJpTmV0LCBJbmMxITAfBgNVBAMMGHNzby50cmluZXRjbG91ZC5jb21sb2Nh
bDEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMRUwEwYDVQQLDAxUcmlOZXQgQ2xvdWQx
JjAkBgkqhkiG9w0BCQEWF3N1cHBvcnRAdHJpbmV0Y2xvdWQuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDNoMEfS6J8nYZzt6v/Zjc13A7jPZp+rDulJ6Hv
SYZ8nvoySbAyyAVO5A07Q1KOMJDciYGiNgkctx36uJtsJwb6SQr9sAddXDDV0hvl
HPk/I+ZPIi1l81jD7uUr+xVIVT5nIejAVlyqapbWm3YFywO9MVLuPDbaGXoQX0B1
U2USVwIDAQABo1AwTjAdBgNVHQ4EFgQUjc/p6B8r/hMXKeAVCKmaunvgJmYwHwYD
VR0jBBgwFoAUjc/p6B8r/hMXKeAVCKmaunvgJmYwDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQ0FAAOBgQCj7Lakk9vK7PSVnP8uooKN2xU0e9Tbt9Mz6iO0F0h0ebFO
spTnju01i00KOvEdXb61Xpe8Qjex7RS94mnSunRFbXvtFecc8in2WtFcXXzLwIEr
bm3pDAD9vhhF/ilaoHkWmOAEGgc0fyFnKL32oyxbGlhpd87PGQtcCXEhHaS4Mw==
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Loaded OneloginPHPSAMLSdk settings:

Array
(
    [strict] => 1
    [debug] => 1
    [sp] => Array
        (
            [entityId] => https://sso.serviceprovider.com/metadata
            [assertionConsumerService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/consume
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                )

            [singleLogoutService] => Array
                (
                    [url] => https://sso.serviceprovider.com/saml/logout
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [NameIDFormat] => urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
            [x509cert] => -----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
            [privateKey] => -----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
        )

    [idp] => Array
        (
            [entityId] => https://app.onelogin.com/saml/metadata/123456
            [singleSignOnService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-post/sso/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [singleLogoutService] => Array
                (
                    [url] => https://app.onelogin.com/trust/saml2/http-redirect/slo/123456
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                )

            [x509cert] => -----BEGIN CERTIFICATE-----
MIIC6DCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCdXMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAoMDU9uZWxvZ2luIFRlc3QxIjAg
BgNVBAMMGXRyaW5ldC1jbG91ZC5vbmVsb2dpbi5jb20xMDAuBgkqhkiG9w0BCQEW
IXN1cHBvcnRAdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTAeFw0xNjEwMzEyMzA4
NTNaFw0xNzEwMjIyMzA4NTNaMIGQMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2Fs
aWZvcm5pYTEWMBQGA1UECgwNT25lbG9naW4gVGVzdDEiMCAGA1UEAwwZdHJpbmV0
LWNsb3VkLm9uZWxvZ2luLmNvbTEwMC4GCSqGSIb3DQEJARYhc3VwcG9ydEB0cmlu
ZXQtY2xvdWQub25lbG9naW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDWKr8qxoBEMEb2PuLFVfeT9fM+OKp6IxlrFkewF6KJvTPlIyJDeY6baJ0lFahV
1zi14q67iqADIk1fRqe9oMq4ZJLHZpeFazUSxiY56+paC9Tf1WGu2HmDUyxWSh+S
g0SdQQfbEKO0189mYBkcHfrHGD/QBcivsK+Su7xhDzCvaQIDAQABo1AwTjAdBgNV
HQ4EFgQUsF7CyLKVc3TUFiRNO9Q6PB90zp4wHwYDVR0jBBgwFoAUsF7CyLKVc3TU
FiRNO9Q6PB90zp4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCNqPea
KS0nlUDDCPJExXp2ovCCiNyGA2lSUOYAoBDg1LZrhE44B/KlzO0g2O4bF2nYquGF
0xfGqf9M3wNsJIybCR/MrZMZE6AQgMLN8+02QjOX2TMavO8TdYXu/kYLUQGWx0bC
UraIIKzE2L7EQR0WLes/hayMx/za9wV4rVMnyA==
-----END CERTIFICATE-----
        )

    [compress] => Array
        (
            [requests] => 1
            [responses] => 1
        )

    [security] => Array
        (
            [wantMessagesSigned] => 1
            [wantAssertionsEncrypted] => 1
            [wantAssertionsSigned] => 1
            [wantNameId] => 1
            [signatureAlgorithm] => http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        )

    [contactPerson] => Array
        (
            [technical] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

            [support] => Array
                (
                    [givenName] => Support
                    [emailAddress] => support@serviceprovider.com
                )

        )

    [organization] => Array
        (
            [en-US] => Array
                (
                    [name] => Service Provider
                    [displayname] => Service Provider
                    [url] => https://serviceprovider.com
                )

        )

)

Signed SAML Response containing a signed SAML Assertion that was used (processed successfully by OneloginPHPSAMLSdk::processResponse())

Signed with the certificates above using https://developers.onelogin.com/saml/online-tools/sign/response.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxa414281f-8c20-d4b9-6cd5-f713aca895e9" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfxa414281f-8c20-d4b9-6cd5-f713aca895e9"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>OH53i4NTaUj8M29kPGDQEZimvGE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>edMuHtgqaRJiAGBUdGCSJiWxQ2CDXi3THKotbgkDhU1uMrD3vxRnopFlaUGFW/3GCt9Q9CScMmkamS2s6JZqo0iGuuzsaIl7NPhM502iHp6BIjinrGARtjOjfamLahVrIGBggvgNbbfzwPKSNCf+T9PNtnWNBwKVNIIHZeNNJ3I=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca" Version="2.0" IssueInstant="2020-06-17T14:54:14Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx11d47ee6-6b2f-0ccb-2ad8-045666918aca"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hRtng2jDhJfDGYAkp6W89Ei96Jc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>fgNDg7BAHZgqtA67png8JVeAciUt9Bfopf/UaFvTN+vOpeK/NsCh6YQ06RBqDOGKpA7X9SiK4olXy8wqUV2wNguP77Q/48DoYoWoG8InlzL2nEFg7tjp5Fp60Ywc+zmiFPD9Xahhvjpo8QVHQbbPAnJFKMa3SFP5zS905BXOOUY=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC6DCCAlGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCdXMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAoMDU9uZWxvZ2luIFRlc3QxIjAgBgNVBAMMGXRyaW5ldC1jbG91ZC5vbmVsb2dpbi5jb20xMDAuBgkqhkiG9w0BCQEWIXN1cHBvcnRAdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTAeFw0xNjEwMzEyMzA4NTNaFw0xNzEwMjIyMzA4NTNaMIGQMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UECgwNT25lbG9naW4gVGVzdDEiMCAGA1UEAwwZdHJpbmV0LWNsb3VkLm9uZWxvZ2luLmNvbTEwMC4GCSqGSIb3DQEJARYhc3VwcG9ydEB0cmluZXQtY2xvdWQub25lbG9naW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWKr8qxoBEMEb2PuLFVfeT9fM+OKp6IxlrFkewF6KJvTPlIyJDeY6baJ0lFahV1zi14q67iqADIk1fRqe9oMq4ZJLHZpeFazUSxiY56+paC9Tf1WGu2HmDUyxWSh+Sg0SdQQfbEKO0189mYBkcHfrHGD/QBcivsK+Su7xhDzCvaQIDAQABo1AwTjAdBgNVHQ4EFgQUsF7CyLKVc3TUFiRNO9Q6PB90zp4wHwYDVR0jBBgwFoAUsF7CyLKVc3TUFiRNO9Q6PB90zp4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCNqPeaKS0nlUDDCPJExXp2ovCCiNyGA2lSUOYAoBDg1LZrhE44B/KlzO0g2O4bF2nYquGF0xfGqf9M3wNsJIybCR/MrZMZE6AQgMLN8+02QjOX2TMavO8TdYXu/kYLUQGWx0bCUraIIKzE2L7EQR0WLes/hayMx/za9wV4rVMnyA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://sso.serviceprovider.com/metadata" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@testmail.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2040-06-17T14:59:14Z" Recipient="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-06-17T14:53:44Z" NotOnOrAfter="2040-06-17T14:59:14Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.serviceprovider.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-06-17T14:54:07Z" SessionNotOnOrAfter="2040-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@testmail.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Norin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">Radd</saml:AttributeValue>
      </saml:Attribute>           
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Encrypted, signed SAML Response containing a signed SAML Assertion that was used (causes OneloginPHPSAMLSdk::processResponse() to fail)

Encrypted with the service provider's public key using https://developers.onelogin.com/saml/online-tools/encrypt-decrypt/encrypt-xml.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx5f2c7a86-1714-916f-551a-07250ddd4edd" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx5f2c7a86-1714-916f-551a-07250ddd4edd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>72IRpA9rPgadwFJ2UTi8nGQI/tM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>buqEO/5rw/XqX8TLQ6FmejlxzdN6+DTlK+jRprQnCKOdq4vcykex5lsq1zfLS+SRfU8MYdmBbKSll04u737aMnLCvc1552MXeG55z8JtSVzfaUmNAyfl+QQDLeBSGipMTQm2Wya4VSNYt/SbDkJ1EgRNIla8VXjr3JYgbqh2RfI=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>ke/VijNVVwAgMIRK3jz6jQ/fBMKsVOzbIKtrtoP7bQCm2iZi1UHtZ5rZzdSJgpYP8EEHddqxdv51RCQheBuCpfFjI1GRlk18sbxUkvAQ0qxV45AdBcUecvHRsRFBOl3G9QGEHr3aYD1QqQx+1CBiA+t2RYHKVaJdlX+sVRFBR/Q=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>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</xenc:CipherValue>
   </xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>

1 Answer

If you have a valid SAMLResponse with a signature over the whole message and you then encrypt the Assertion element, you are modifying the XML, so the signature validation will fail.

When you want to generate an encrypted, unsigned assertion inside a message that is signed as a whole, the process is:

  1. Encrypt the assertion.
  2. Sign the whole message.

The alternative valid SAMLResponse with an encrypted assertion element is one where the signature is on the decrypted assertion. To generate it:

  1. Sign the assertion
  2. Encrypt the assertion
  3. (Optional) Sign the whole message as well.

Answered 2016-11-04T09:10:58.787
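The second procedure from the answer carried out end to end, as an added example that is not code from the question, the answer, or the php-saml project. The IdP side signs the Assertion, encrypts it for the SP, and then signs the whole Response; the SP side verifies the Response signature, decrypts, checks that the decrypted element really is a namespace-qualified saml:Assertion, and verifies the Assertion signature. It is built directly on xmlseclibs (the composer package name robrichards/xmlseclibs is an assumption about the reader's setup), which is the XML-Security library php-saml itself uses; the throw-away key pairs and the skeleton Response are constructed for the demo, and the entity IDs are taken from the question's configuration. Two details follow from the page's own material: the libxml message quoted in the question found an `Assertion` element with no namespace where `{urn:oasis:names:tc:SAML:2.0:assertion}Assertion` was expected, and an Assertion encrypted on its own carries only the namespace declarations present on the element itself, so the example declares `xmlns:saml` on the Assertion before signing and encrypting it. The algorithms are also chosen to match the `rsa-sha256` the question's `security` block asks for, with AES-256-CBC and RSA-OAEP in place of the `tripledes-cbc` / `rsa-1_5` pair visible in the encrypted sample.

```php
<?php
// Added example, not code from the question, the answer, or the php-saml project: the answer's
// second procedure end to end (sign the Assertion, encrypt it, sign the Response; then verify,
// decrypt, verify), built on xmlseclibs (composer: robrichards/xmlseclibs, an assumed install).
// The throw-away keys and the skeleton Response below are constructed for the demo.
require __DIR__ . '/vendor/autoload.php';
use RobRichards\XMLSecLibs\{XMLSecurityDSig, XMLSecurityKey, XMLSecEnc};
const SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';

// Throw-away self-signed RSA key pair (openssl_csr_new needs a usable openssl.cnf).
function makeSelfSigned(string $cn): array {
    $key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $x509 = openssl_csr_sign(openssl_csr_new(['commonName' => $cn], $key), null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_pkey_export($key, $privPem);
    openssl_x509_export($x509, $certPem);
    return [$privPem, $certPem];
}
function childElement(DOMElement $p, string $ns, string $local): ?DOMElement {
    foreach ($p->childNodes as $c) if ($c instanceof DOMElement && $c->namespaceURI === $ns && $c->localName === $local) return $c;
    return null;
}
// Enveloped RSA-SHA256 / exc-c14n signature over $element, inserted right after its saml:Issuer.
function signElement(DOMElement $element, string $privPem, string $certPem): void {
    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReferenceList([$element], XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'ID', 'overwrite' => false]);          // reference the element's existing ID
    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($privPem, false);
    $dsig->sign($key);
    $dsig->add509Cert($certPem);
    $dsig->insertSignature($element, childElement($element, SAML_NS, 'Issuer')->nextSibling);
}
// Encrypt the already signed Assertion for the SP (AES-256-CBC session key, RSA-OAEP key transport,
// not the tripledes-cbc / rsa-1_5 pair in the question's sample) and wrap it in saml:EncryptedAssertion.
function encryptAssertion(DOMElement $assertion, string $spCertPem): DOMElement {
    $sessionKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
    $sessionKey->generateSessionKey();
    $spKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'public']);
    $spKey->loadKey($spCertPem, false, true);
    $enc = new XMLSecEnc();
    $enc->setNode($assertion);
    $enc->type = XMLSecEnc::Element;
    $enc->encryptKey($spKey, $sessionKey);        // xenc:EncryptedKey goes into ds:KeyInfo
    $encData = $enc->encryptNode($sessionKey);    // replaces saml:Assertion with xenc:EncryptedData
    $wrapper = $assertion->ownerDocument->createElementNS(SAML_NS, 'saml:EncryptedAssertion');
    $encData->parentNode->replaceChild($wrapper, $encData);
    $wrapper->appendChild($encData);
    return $wrapper;
}
// SP side: unwrap the session key with the SP private key, decrypt, put the plaintext back in place.
function decryptAssertion(DOMDocument $doc, string $spPrivPem): DOMElement {
    $enc = new XMLSecEnc();
    $encData = $enc->locateEncryptedData($doc);
    if ($encData === null) throw new RuntimeException('no EncryptedData in Response');
    $enc->setNode($encData);
    $enc->type = $encData->getAttribute('Type');
    $sessionKey = $enc->locateKey();              // algorithm from xenc:EncryptionMethod
    $keyInfo = $enc->locateKeyInfo($sessionKey);   // key object for the xenc:EncryptedKey
    if ($sessionKey === null || $keyInfo === null || !$keyInfo->isEncrypted) throw new RuntimeException('no usable EncryptedKey');
    $keyInfo->loadKey($spPrivPem, false);
    $sessionKey->loadKey($keyInfo->encryptedCtx->decryptKey($keyInfo));
    $assertion = $enc->decryptNode($sessionKey, true);   // re-parses the plaintext fragment on its own
    $wrapper = $assertion->parentNode;                    // saml:EncryptedAssertion
    $wrapper->removeChild($assertion);
    $wrapper->parentNode->replaceChild($assertion, $wrapper);
    return $assertion;
}
// Verify the ds:Signature that is a direct child of $element against the configured IdP certificate
// (never the one carried in KeyInfo) and require that the validated reference is $element itself.
function verifySignature(DOMElement $element, string $trustedCertPem): bool {
    $sig = childElement($element, XMLSecurityDSig::XMLDSIGNS, 'Signature');
    if ($sig === null) return false;
    $dsig = new XMLSecurityDSig();
    $dsig->idKeys = ['ID'];
    $dsig->sigNode = $sig;
    $dsig->canonicalizeSignedInfo();
    try { $dsig->validateReference(); } catch (Exception $e) { return false; }
    $covered = false;
    foreach ($dsig->getValidatedNodes() as $n) if ($n->isSameNode($element)) $covered = true;
    $key = $dsig->locateKey();
    if (!$covered || $key === null) return false;
    $key->loadKey($trustedCertPem, false, true);
    return $dsig->verify($key) === 1;
}

[$idpPriv, $idpCert] = makeSelfSigned('idp.example');
[$spPriv, $spCert]   = makeSelfSigned('sp.example');
$skeleton = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2020-06-17T14:54:07Z" Destination="https://sso.serviceprovider.com/saml/consume">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2020-06-17T14:54:07Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@testmail.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
XML;

// IdP side. Step 0 declares xmlns:saml on the Assertion itself: the encrypted plaintext is the Assertion
// serialized alone, so a prefix declared only on samlp:Response is not in it and the decrypted element
// can come back as a namespace-less 'Assertion', the shape the libxml error in the question reports.
// Exclusive C14N renders that declaration on the Assertion either way, so step 1's signature is unchanged.
$doc = new DOMDocument(); $doc->loadXML($skeleton);
$assertion = childElement($doc->documentElement, SAML_NS, 'Assertion');
$assertion->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml', SAML_NS);
signElement($assertion, $idpPriv, $idpCert);              // 1. sign the Assertion
encryptAssertion($assertion, $spCert);                    // 2. encrypt it
signElement($doc->documentElement, $idpPriv, $idpCert);   // 3. (optional) sign the whole Response, last
$wire = $doc->saveXML();                                  // what HTTP-POST carries, base64-encoded

// SP side: the IdP's order in reverse; the namespace check is the one the question's schema error failed.
$in = new DOMDocument(); $in->loadXML($wire);
if (!verifySignature($in->documentElement, $idpCert)) exit("Response signature invalid\n");
$plain = decryptAssertion($in, $spPriv);
if ($plain->namespaceURI !== SAML_NS || $plain->localName !== 'Assertion') exit("Decrypted element is not a saml:Assertion\n");
if (!verifySignature($plain, $idpCert)) exit("Assertion signature invalid\n");
echo "Response signature, decryption and Assertion signature all verified\n";
```

Run it with `php` after `composer require robrichards/xmlseclibs`. The order on the SP side matters: the Response signature is checked before anything is decrypted, the Assertion signature is checked only after the decrypted element has been confirmed to be a `saml:Assertion`, and both checks use the IdP certificate from configuration rather than the certificate embedded in `ds:KeyInfo`, with the validated reference required to be the element being checked so that a signature elsewhere in the document cannot stand in for it.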