Technical Article - CS377842
After configuring SSO with PingFederate in Windchill, users cannot authenticate at the customer IDP
Modified: 08-Jan-2025
Applies To
- FlexPLM 12.0.3.0
- Windchill PDMLink 11.0 to 12.1
Description
- After configuring SSO with PingFederate in Windchill, users cannot authenticate at the customer IDP
- The following error is observed in server.log on PingFederate:
tid:f8e90yYVVeLzF2Wb7TGFDZHqp4E WARN [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Invalid response: InMessageContext
XML: <saml2p:Response Destination=https://<PingFederate hostname>/sp/ACS.saml2 ID="_05b897d5498e3a44aa7db6891eafd0b818bb49" InResponseTo="QtVPqCJ2UJ8L1MpNoA9e.wKOj9Z" IssueInstant="2022-09-29T19:15:44Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<customer's IDP></saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_461d7e7a3bedf9b7db123b96d644f1abfda2ea" IssueInstant="2022-09-29T19:15:44Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://<customer's IDP></saml2:Issuer>
....
SignatureStatus: NOT_PRESENT
Binding says to sign: true
-------------------------------------
(reference# NCRQYXQX) Missing or invalid signature (NOT_PRESENT) on assertion (ID=_461d7e7a3bedf9b7db123b96d644f1abfda2ea). All assertions must have valid signatures because the Response was not signed or the system is configured to require a signed assertion from https://<customer's IDP>.
InMessageContext
XML: <saml2p:Response Destination=https://<PingFederate hostname>/sp/ACS.saml2 ID="_05b897d5498e3a44aa7db6891eafd0b818bb49" InResponseTo="QtVPqCJ2UJ8L1MpNoA9e.wKOj9Z" IssueInstant="2022-09-29T19:15:44Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<customer's IDP></saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
- Stop PingFederate, clear all log files, and restart PingFederate. Log in as the user to reproduce the issue and collect fresh log files. The following error is then observed in server.log on PingFederate:
---------------------------------
tid:A0ZYzWdkEKEJC-TrrDTSeq0TqaU ERROR [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Unable to verify the signature. Please make sure that verification certificates are properly configured and not expired.
tid:A0ZYzWdkEKEJC-TrrDTSeq0TqaU WARN [org.sourceid.saml20.profiles.sp.HandleAuthnResponse] Invalid response: InMessageContext
XML: <saml2p:Response Destination="https://<PingFederate hostname>/sp/ACS.saml2" ID="_784fa437e965fc315381bacb9d65c3360079dd" InResponseTo="HgYfySezK9D9cB4WhLrYAclcCY0" IssueInstant="2022-10-03T17:11:36Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<customer's IDP></saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
....
....
entityId: https://<customer's IDP> (IDP)
virtualServerId: <ServerId>
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: 7tChCnvNCyoED1hK4e8RSjLvtPdn3E
SignatureStatus: UNVERIFIED
Signature comments: [(IDP) ::: https://<customer's IDP> has expired digital signature verification certificate 01:87:76:50:5E:58:AE:15:BB:8D:A5:BB:F3:74:E0:41. NotAfter: Tue Feb 23 12:00:00 GMT 2021]
Binding says to sign: true
-------------------------------------
(reference# WRDKXHWY) Unable to verify the signature. Please make sure that verification certificates are valid and properly configured
-------------------------------------
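The two excerpts describe two distinct checks that PingFederate's SP side applies to an inbound Response: the signing rule quoted in the first entry (every assertion must be signed unless the Response itself is signed and a signed assertion is not required), and the validity of the IDP signature-verification certificate configured on the SP, which the second entry reports as expired. The script below is an added example, not PingFederate or PTC code, that applies both checks to a Response and reports the result in the same SignatureStatus vocabulary. It uses only the Python standard library, checks for the presence of the ds:Signature element rather than cryptographically verifying the XML-DSig, and is fed constructed input: the hostnames, the XML skeletons and the valid NotAfter date are made up, while the IDs, timestamps, certificate serial and expired NotAfter are taken from the log excerpts.

```python
"""Check a SAML 2.0 Response for the two conditions PingFederate reports in the
log excerpts: (1) an assertion without a ds:Signature when the Response itself
is unsigned (SignatureStatus NOT_PRESENT), and (2) a signature that cannot be
verified because the IDP verification certificate configured on the SP has
expired (SignatureStatus UNVERIFIED).  Added example, not PingFederate's own
logic; standard library only.  Only the presence of a signature element is
checked, the XML-DSig is not cryptographically verified here."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for XML from an untrusted party prefer defusedxml

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed from the first excerpt: Response and Assertion, neither signed.
# Hostnames are placeholders; the IDs and timestamps are the ones in the log.
UNSIGNED_RESPONSE = """<saml2p:Response Destination="https://pf.example.invalid/sp/ACS.saml2"
  ID="_05b897d5498e3a44aa7db6891eafd0b818bb49" InResponseTo="QtVPqCJ2UJ8L1MpNoA9e.wKOj9Z"
  IssueInstant="2022-09-29T19:15:44Z" Version="2.0"
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://idp.example.invalid</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_461d7e7a3bedf9b7db123b96d644f1abfda2ea"
    IssueInstant="2022-09-29T19:15:44Z" Version="2.0">
    <saml2:Issuer>https://idp.example.invalid</saml2:Issuer>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed from the second excerpt: the Response carries a ds:Signature
# (only its skeleton is reproduced, placed after the Issuer as in the log).
SIGNED_RESPONSE = UNSIGNED_RESPONSE.replace(
    "<saml2p:Status>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignedInfo><ds:CanonicalizationMethod "
    'Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:SignedInfo>'
    "</ds:Signature><saml2p:Status>", 1)

# Verification-certificate details as PingFederate prints them.  The serial and
# the expired NotAfter are from the log; the valid NotAfter is constructed.
CERT_SERIAL = "01:87:76:50:5E:58:AE:15:BB:8D:A5:BB:F3:74:E0:41"
EXPIRED_NOT_AFTER = "Tue Feb 23 12:00:00 GMT 2021"
VALID_NOT_AFTER = "Fri Feb 23 12:00:00 GMT 2024"


def parse_instant(text):
    """SAML IssueInstant, always UTC, e.g. 2022-09-29T19:15:44Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_java_date(text):
    """Date in the Java Date.toString() form PingFederate logs for NotAfter."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S GMT %Y").replace(tzinfo=timezone.utc)


def check_signing(root, require_signed_assertion=False):
    """Apply the rule quoted in the first log entry: every assertion must be
    signed unless the Response is signed and a signed assertion is not
    required.  Returns a list of findings (empty when the rule is satisfied)."""
    findings = []
    response_signed = root.find("ds:Signature", NS) is not None
    for assertion in root.findall("saml2:Assertion", NS):
        assertion_signed = assertion.find("ds:Signature", NS) is not None
        if not assertion_signed and (not response_signed or require_signed_assertion):
            findings.append("Missing or invalid signature (NOT_PRESENT) on assertion "
                            f"(ID={assertion.get('ID')})")
    return findings


def check_verification_cert(not_after, issue_instant, serial):
    """Second log entry: the IDP signing certificate stored on the SP must still
    be valid at the time the Response was issued."""
    if parse_java_date(not_after) < parse_instant(issue_instant):
        return (f"expired digital signature verification certificate {serial}. "
                f"NotAfter: {not_after}")
    return None


def analyze(xml_text, cert_not_after, cert_serial=CERT_SERIAL, require_signed_assertion=False):
    """Return (SignatureStatus, findings) in PingFederate's vocabulary."""
    root = ET.fromstring(xml_text)
    findings = check_signing(root, require_signed_assertion)
    if findings:
        return "NOT_PRESENT", findings
    cert_finding = check_verification_cert(cert_not_after, root.get("IssueInstant"), cert_serial)
    if cert_finding:
        return "UNVERIFIED", [cert_finding]
    return "PRESENT", []


if __name__ == "__main__":
    for label, xml_text, not_after in (("first excerpt", UNSIGNED_RESPONSE, VALID_NOT_AFTER),
                                       ("second excerpt", SIGNED_RESPONSE, EXPIRED_NOT_AFTER)):
        status, findings = analyze(xml_text, not_after)
        print(f"{label}: SignatureStatus: {status}")
        for finding in findings:
            print("  ", finding)
```

Run against the first excerpt the script reports NOT_PRESENT on the assertion, and against the second (a signed Response checked with the expired certificate) it reports UNVERIFIED; with the same signed Response and a certificate that is still valid at the IssueInstant it passes, which is the state the SP must be brought to by importing the IDP's current signing certificate. Passing `require_signed_assertion=True` shows the other branch of the quoted rule: a Response-level signature is then no longer enough.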
This is the PDF version of article 377842 and may be out of date. Latest version: CS377842