<samlp:AuthnRequest Version="2.0" ID="_9FE393FB-1C9C-4EDD-86A5-1AE9F2192A60" IssueInstant="2014-10-22T11:22:56.676Z" Destination="https://idp.ssocircle.com:443/sso/SSOPOST/MetaAlias/ssocircle" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>http://app.localhost</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>

我使用以下依赖于nodejs xmlbuilder和xmlcrypto模块的coffeescript代码：

request = @xmlbuilder.create
    'samlp:AuthnRequest':
        '@xmlns:samlp':'urn:oasis:names:tc:SAML:2.0:protocol'
        '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion'
        '@Version': '2.0'
        '@ID': requestId
        '@IssueInstant': (new Date()).toISOString()
        '@Destination': idpUrl
        'saml:Issuer': '@@spEntityId',null,headless: true

request.comment 'insert-signature-here'
request.element 'samlp:NameIDPolicy':
                    '@AllowCreate': 'true'
saml = request.end()

@fs.readFile "certs/my-cert.pem",(err,certificate)=>
    return next @errorService.readFileError certFilePath,err if err?
    signer = new @xmlcrypto.SignedXml()
    signer.signingKey = certificate
    signer.addReference "//*[local-name(.)='AuthnRequest']",['http://www.w3.org/2000/09/xmldsig#enveloped-signature']
    signer.keyInfoProvider = new =>
        getKeyInfo: (key)=>
            public_key = /-----BEGIN CERTIFICATE-----([^-]*)-----END CERTIFICATE-----/g.exec(key)[1].replace /[\r\n|\n]/g,''
            "<X509Data><X509Certificate>#{public_key}</X509Certificate></X509Data>"
    signer.computeSignature saml
    signature = signer.getSignatureXml()
    signed = saml.replace '<!-- insert-signature-here -->',signature
    console.log signed

这会生成以下经过数字签名的SAML请求：

<samlp:AuthnRequest Version="2.0" ID="_5FEB2162-F4D0-4900-BC28-F2940188E45B" IssueInstant="2014-10-28T13:07:14.007Z" Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>http://app.localhost9de83841</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_5FEB2162-F4D0-4900-BC28-F2940188E45B">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>47MSlH9IpJf8vs37T3DnhZMZ7mo=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>T0Uw...KZkm00A==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>MIIDg...OgMMxZ</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:NameIDPolicy AllowCreate="true" />
</samlp:AuthnRequest>

这似乎是有效的.

但是,当我使用SSOCircle和TestShib测试时,它们都报告摘要值不匹配.

我使用的证书是带有未加密私钥的自签名证书(pem).

我已经仔细检查以确定sp-Metadata中提供的公钥是从用于对SAML进行数字签名的相同pem文件中获取的.

私钥是否需要加密？

如果没有,那么你可以建议为什么签名检查会失败吗？

谢谢.