After migrating from pac4j 5.7.7 to 6.0.0, our SAML login from ADFS no longer works because of this error:
org.opensaml.core.xml.io.UnmarshallingException: Saw invalid child element {urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor on parent {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor
Error initializing idp metadata resolver
org.pac4j.core.exception.TechnicalException: Error initializing idp metadata resolver
at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.initializeMetadataResolver(SAML2IdentityProviderMetadataResolver.java:108)
at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.internalLoad(SAML2IdentityProviderMetadataResolver.java:78)
at org.pac4j.core.resource.SpringResourceLoader.load(SpringResourceLoader.java:50)
at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.resolve(SAML2IdentityProviderMetadataResolver.java:71)
at org.pac4j.saml.client.SAML2Client.initIdentityProviderMetadataResolver(SAML2Client.java:221)
at org.pac4j.saml.client.SAML2Client.internalInit(SAML2Client.java:115)
at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:61)
at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:38)
at org.pac4j.core.client.IndirectClient.getRedirectionAction(IndirectClient.java:115)
at org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:240)
at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:160)
Caused by: net.shibboleth.shared.component.ComponentInitializationException: Unable to unmarshall metadata element
at org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:67)
at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:373)
at net.shibboleth.shared.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:62)
at org.pac4j.saml.metadata.SAML2IdentityProviderMetadataResolver.initializeMetadataResolver(SAML2IdentityProviderMetadataResolver.java:103)
Caused by: org.opensaml.core.xml.io.UnmarshallingException: Saw invalid child element {urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor on parent {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.processChildElement(AbstractXMLObjectUnmarshaller.java:383)
at org.opensaml.saml.saml2.metadata.impl.EntityDescriptorUnmarshaller.processChildElement(EntityDescriptorUnmarshaller.java:64)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:348)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:139)
at org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:60)
Does anyone know which changes in pac4j 6.0 cause this error, and how to correct it? Thanks!
pac4j v6 ships with OpenSAML v5, so the parsing may be stricter. Maybe there is a problem with your SAML IdP metadata, such as some extra lines before <?xml or something similar.
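
A pre-check for the two conditions named in this thread (bytes before the <?xml declaration, and RoleDescriptor children of EntityDescriptor), added here as an example; it is not code from the posts above or from pac4j/OpenSAML. The helper name check_idp_metadata, the sample document, its entityID and its "ex" namespace are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
BOM = b"\xef\xbb\xbf"

# Constructed sample: two blank lines before the declaration and one generic
# RoleDescriptor. The entityID and the "ex" namespace are made up.
SAMPLE = b"\n\n" + b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ex="urn:example:roles" entityID="http://idp.example.test/trust">
  <RoleDescriptor xsi:type="ex:SampleRoleType"
      protocolSupportEnumeration="urn:example:protocol"/>
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
"""


def check_idp_metadata(raw: bytes) -> dict:
    """Report bytes before <?xml and RoleDescriptor children (hypothetical helper)."""
    report = {"leading_bytes": 0, "has_bom": raw.startswith(BOM),
              "role_descriptors": []}
    start = raw.find(b"<?xml")
    if start > 0:
        report["leading_bytes"] = start  # BOM, blank lines, spaces, ...
    body = raw[start:] if start >= 0 else raw
    # Metadata is untrusted input: refuse any DTD rather than expand entities.
    if b"<!DOCTYPE" in body:
        raise ValueError("DOCTYPE is not allowed in SAML metadata")
    root = ET.fromstring(body)
    # iter() also yields the root, so this covers a single EntityDescriptor
    # as well as an EntitiesDescriptor wrapper.
    for entity in root.iter(MD + "EntityDescriptor"):
        for child in entity:
            if child.tag == MD + "RoleDescriptor":
                report["role_descriptors"].append(
                    (entity.get("entityID"), child.get(XSI_TYPE)))
    return report


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE))
```

Run it against the exact bytes the SAML client is configured to load, since a copy re-saved in an editor may have lost or gained the leading bytes.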