我正在运行两个 simplesamplephp 实例(一个用于 SP,一个用于 IdP)并使用 SSO。我的 IdP 使用 openLDAP 进行授权。
我从以下 php 代码开始,将它们放在 example.php 文件中,将 example.php 文件放在 apache httpd 中并从浏览器访问它:
$as = new SimpleSAML_Auth_Simple('example-sp');
$as->requireAuth();
$attr = $as->getAttributes();
print ………..
看来身份验证请求能够从 sp 发送到 Idp,这是 sp 日志:
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Session: 'example-sp' not valid because we are not authenticated.
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Saved state: '_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3'
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending SAML 2 AuthnRequest to 'https://idp.example.com/simplesaml/saml2/idp/metadata.php'
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending message:
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3" Version="2.0" IssueInstant="2013-07-06T19:56:06Z" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" AssertionConsumerServiceURL="https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/example-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <saml:Issuer>example-sp-host</saml:Issuer>
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] </samlp:AuthnRequest>
然后在 Idp 日志中,我看到以下内容(似乎 IdP 能够接收请求):
Jul 06 19:56:06 simplesamlphp INFO [37f32bab7b] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] Received message:
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3" Version="2.0" IssueInstant="2013-07-06T19:56:06Z" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" AssertionConsumerServiceURL="https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/example-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <saml:Issuer>example-sp-host</saml:Issuer>
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] </samlp:AuthnRequest>
然后在 sp 日志中我看到以下内容:
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Redirect to 636 byte URL: https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php
但是在我的浏览器中出现以下错误:
The website encountered an error while retrieving https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php. It may be down for maintenance or configured incorrectly.
注 1 - 我不确定为什么在 sp 日志中它说“会话:'example-sp' 无效,因为我们没有经过身份验证”。也许那时还没有建立安全上下文,这正是我们需要执行 $as->requireAuth() 的原因?
注 2 - 浏览器中的错误表示什么?这是否意味着我必须设置一些额外的 html 文件或表单来输入用户名/密码以进行 LDAP 验证?关于如何设置的任何线索?
注 3 - 我根据 simplesamlphp SP 和 IdP 指南遵循了大部分配置更改,除了我没有更改“certFingerprint”值。这可能是问题吗?我有用于 IdP 和 SP 的 goDaddy.com 签名 SSL 的副本 - 我应该使用它们吗?
我实际上希望 SSOService.php 将 sp 定向到 loginuserpass.php 但不知道为什么没有。我想我可能会错过某个地方的设置,但不确定确切的位置......
谢谢!