问题描述
我想使用SAML插件Link(扩展了Spring SAML)为Pentaho配置多租户SSO登录。
现在,我在 blueprint.xml 中声明了多个服务提供商(SP)和身份提供商(IDP)(每个租户一个)。
如果我使用tenant2登录,则会在URL https://my.application.com/pentaho/saml/SSO上看到一般错误页面 在日志中,我看到了异常
AuthNResponse;FAILURE;10.20.1.120;pentaho@tenant.1.name;tenant.2.name;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
[stacktrace]
org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
如果我检查SAML,则发送的受众包含正确的承租人(第二个承租人):我认为Pentaho正在分析任何SAML方面,好像它总是来自tenant1。 如何让Pentaho使用正确的租户SP来验证正确的SAML受众?
更多详细信息
以下是SAML插件中blueprint.xml设置的示例:
<bean id="spResourceFactoryTenant1" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FileSystemResource" value="${saml.sp.Metadata.filesystem.tenant1}" />
</map>
</argument>
<argument value="${saml.sp.Metadata.classpath.fallback}" />
</bean>
<bean id="spResourceFactoryTenant2" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FileSystemResource" value="${saml.sp.Metadata.filesystem.tenant2}" />
</map>
</argument>
<argument value="${saml.sp.Metadata.classpath.fallback}" />
</bean>
<bean id="idpResourceFactoryTenant1" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FileSystemResource" value="${saml.idp.Metadata.filesystem.tenant1}" />
</map>
</argument>
<argument value="${saml.idp.Metadata.classpath.fallback}" />
</bean>
<bean id="idpResourceFactoryTenant2" class="org.pentaho.platform.spring.security.saml.resources.MetadataResourceFactory">
<argument>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="org.opensaml.util.resource.FileSystemResource" value="${saml.idp.Metadata.filesystem.tenant2}" />
</map>
</argument>
<argument value="${saml.idp.Metadata.classpath.fallback}" />
</bean>
<!-- MetadataManager configuration - paths to Metadata of IDPs and SP's -->
<bean id="Metadata" class="org.springframework.security.saml.Metadata.CachingMetadataManager" depends-on="pentahoSamlBootstrap">
<argument>
<list>
<!-- sp Metadata with extended Metadata -->
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.Metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="spResourceFactoryTenant1" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadata">
<property name="idpdiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requirelogoutRequestSigned" value="${ensure.incoming.logout.request.signed}"/>
<property name="alias" value="tenant1sp"/>
<property name="local" value="true"/>
</bean>
</argument>
</bean>
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.Metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="spResourceFactoryTenant2" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadata">
<property name="idpdiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requirelogoutRequestSigned" value="${ensure.incoming.logout.request.signed}"/>
<property name="alias" value="tenant2sp"/>
<property name="local" value="true"/>
</bean>
</argument>
</bean>
<!-- idp Metadata -->
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.Metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="idpResourceFactoryTenant1" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadata">
<property name="idpdiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requirelogoutRequestSigned" value="${ensure.outgoing.logout.request.signed}"/>
<property name="requirelogoutResponseSigned" value="${ensure.outgoing.logout.response.signed}"/>
<property name="alias" value="tenant1idp"/>
<property name="local" value="true"/>
</bean>
</argument>
</bean>
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadataDelegate">
<argument>
<bean class="org.opensaml.saml2.Metadata.provider.ResourceBackedMetadataProvider">
<argument>
<bean class="java.util.Timer"/>
</argument>
<argument>
<bean factory-ref="idpResourceFactoryTenant2" factory-method="factoryResource" />
</argument>
<property name="parserPool" ref="parserPool"/>
</bean>
</argument>
<argument>
<bean class="org.springframework.security.saml.Metadata.ExtendedMetadata">
<property name="idpdiscoveryEnabled" value="${saml.discovery.idp.enabled}"/>
<property name="requirelogoutRequestSigned" value="${ensure.outgoing.logout.request.signed}"/>
<property name="requirelogoutResponseSigned" value="${ensure.outgoing.logout.response.signed}"/>
<property name="alias" value="tenant2idp"/>
<property name="local" value="true"/>
</bean>
</argument>
</bean>
</list>
</argument>
<property name="keyManager" ref="keyManager" />
<property name="defaultIDP" value="${saml.idp.url}" />
</bean>
使用此配置,当我转到url时 https://my.application.com/pentaho/alias/tenant2sp/sp?idp=tenant.2.name 我被重定向到tend2的IDP(WSO2)公开的登录页面。登录后,我被重定向到https://my.application.com/pentaho/saml/SSO网址,并收到一般错误:see the screenshot
对不起,出了点问题。 请重试或联系 您的系统管理员。
我看到的日志中
INFO [SAMLDefaultLogger] AuthNResponse;FAILURE;10.20.1.120;pentaho@tenant.1.name;tenant.2.name;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:265)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
at org.pentaho.platform.spring.security.saml.PentahoSamlAuthenticationProvider.authenticate(PentahoSamlAuthenticationProvider.java:18)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.pentaho.platform.engine.core.system.objfac.spring.BeanBuilder$1.invoke(BeanBuilder.java:162)
at com.sun.proxy.$Proxy118.authenticate(UnkNown Source)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.pentaho.platform.spring.security.saml.PentahoAuthenticationManagerDelegate.authenticate(PentahoAuthenticationManagerDelegate.java:47)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.SAMLlogoutProcessingFilter.processlogout(SAMLlogoutProcessingFilter.java:209)
at org.pentaho.platform.spring.security.saml.logout.PentahoSamllogoutProcessingFilter.processlogout(PentahoSamllogoutProcessingFilter.java:53)
at org.springframework.security.saml.SAMLlogoutProcessingFilter.doFilter(SAMLlogoutProcessingFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.SAMLlogoutFilter.processlogout(SAMLlogoutFilter.java:168)
at org.pentaho.platform.spring.security.saml.logout.PentahoSamllogoutFilter.processlogout(PentahoSamllogoutFilter.java:78)
at org.springframework.security.saml.SAMLlogoutFilter.doFilter(SAMLlogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.Metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.authentication.logout.logoutFilter.doFilter(logoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter.doFilter(HttpSessionReuseDetectionFilter.java:136)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.pentaho.platform.web.http.filters.HttpSessionPentahoSessionIntegrationFilter.doFilter(HttpSessionPentahoSessionIntegrationFilter.java:276)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.pentaho.platform.web.http.security.CsrfGateFilter.doFilter(CsrfGateFilter.java:136)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.SystemStatusFilter.doFilter(SystemStatusFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.WebappRootForwardingFilter.doFilter(WebappRootForwardingFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.pentaho.platform.web.http.filters.PentahoPathDecodingFilter.doFilter(PentahoPathDecodingFilter.java:54)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.socketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAudience(WebSSOProfileConsumerImpl.java:542)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:494)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:339)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:250)
... 70 more
但是,如果我签入SAML,则已经提供了预期的租户受众:
<saml2:AudienceRestriction>
<saml2:Audience>pentaho</saml2:Audience>
<saml2:Audience>pentaho@tenant.2.name</saml2:Audience>
</saml2:AudienceRestriction>
如何让Pentaho使用正确的租户SP来验证正确的SAML受众?
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)