0

我正在尝试使用 OpenAm 作为 IDP 和应用程序本身作为服务提供商为我的应用程序配置 SSO。

以下是 IDP 和服务提供商的元数据:

  <EntityDescriptor entityID="http://www.cpfdomain.com:8091/openam_10.0.1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/ArtifactResolver/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloSoap/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOPOST/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOSoap/metaAlias/idp"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/NIMSoap/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>

服务提供商元数据:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>Key Info</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="LOGOUT LOCATION URI" ResponseLocation="LOGOUT LOCATION URI"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ASSERTION URI"/>
    </SPSSODescriptor>
</EntityDescriptor>

当我测试联邦时,我总是收到以下错误:

message Error processing AuthnRequest. Service provider does not support name identifier format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

在我正在测试的信任圈中,我已从 IDP 和 SP 中删除了此标识符。

任何帮助,将不胜感激。

谢谢。

4

1 回答 1

1

由于您已经从 IdP 和 SP MetaData 中删除了 NameIdFormat 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ,因此您不能使用它......这应该很明显。

当然,您必须通过指定两个实体都支持的 NameIdFormat 来测试 SSO ...在您的情况下为“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”。

要使用 HTTP-POST 绑定测试 IdP 发起的 SSO,请使用 ...

OPENAM_SCHEME://OPENAM_FQDN:OPENAM_PORT/OPENAM_DEPLOYMENT_URI/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress&metaAlias=IDP_META_ALIAS&spEntityID=test&binding=urn:oasis:names:tc:SAML:2.0:bindings: HTTP-POST

于 2013-04-03T08:54:21.503 回答