
I am trying to set up an ADFS 2.0 IdP - simplesaml SAML SP configuration, but I am stuck, and I cannot find the error ADFS reports even in the official ADFS documentation. I have successfully set up the relying party; from the SP application I am redirected to the IdP and I can authenticate, but on the redirect back to the SP I get this:

The Federation Service could not fulfill the token-issuance request.
More than  one claim based on SamlNameIdentifierClaimResource was produced after the
issuance  transform rules were applies for relying party 'url here'. Please see event  
500 with the same instance id for claims after application of issuance transform rules. 

Additional Data 
Instance id: 44ef5c64-7bcb-4766-9016-75034b4fd7eb 

User Action 
Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.

Also, the warning:

More information for the event entry with instance id 44ef5c64-7bcb4766-9016-75034b4fd7eb. 
There may be more events with the same instance id with more information. 

Instance id:  
44ef5c64-7bcb-4766-9016-75034b4fd7eb 


Issued identity: 
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 
user name i used
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier 
user name i used
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier 
CKTECHNO\user name i used
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod 
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows 
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 
2013-07-08T14:30:46.465Z 

Here is my conf:

[screenshot: ADFS claims]

[screenshot: Active Directory claims]

[screenshot: Name ID claims]

I searched everywhere and there is no mention of this type of error, not even the event 500, which I cannot seem to find in the MS documentation. Any help is greatly appreciated. Thanks!

2 Answers

Thanks @nzpcmad, the problem was indeed the fact that the account name is added by default, as are groups, and I had created it twice. It is a real pity this isn't stated explicitly, because you can't really tell whether that is the case. Problem solved.

Answered 2013-07-10T14:18:42.983

First, +1 for a well-documented question.

I suspect the problem is that the Windows account name is one of the built-in claims. What happens if you remove the sAMAccountName mapping? (i.e. just have the transform).

Also, using the email name is more common. That's the one I always use.

Answered 2013-07-09T19:40:53.903
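As an added example (not code from the question or either answer), the following Python check parses an ADFS claim-rule set, such as the IssuanceTransformRules text of a relying party trust, and reports which rules issue a Name ID, so a duplicate is visible before the token is ever requested. The rule text is constructed to mirror what the question's event shows: an LDAP rule mapping sAMAccountName to Name ID next to a transform of the built-in windowsaccountname claim, which together produce the two nameidentifier claims; the "fixed" set keeps only the transform, as the answer suggests. Rule names are assumed.

```python
import re

NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
WIN_ACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Constructed rule set reproducing the question's situation (rule names assumed):
# an LDAP rule that issues Name ID from sAMAccountName, plus a transform rule that
# also issues Name ID from the built-in windowsaccountname claim (DOMAIN\user).
LDAP_RULE = f'''@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes"
c:[Type == "{WIN_ACCT}", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("{NAME_ID}"), query = ";sAMAccountName;{{0}}", param = c.Value);'''

TRANSFORM_RULE = f'''@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "{WIN_ACCT}"]
 => issue(Type = "{NAME_ID}", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);'''

DUPLICATE_RULES = LDAP_RULE + "\n\n" + TRANSFORM_RULE   # what the question had
FIXED_RULES = TRANSFORM_RULE                             # sAMAccountName mapping removed

RULE_NAME_RE = re.compile(r'@RuleName\s*=\s*"([^"]*)"')
ISSUE_RE = re.compile(r'issue\s*\((.*?)\);', re.DOTALL)          # one issue(...) statement
# output claim types: LDAP rules use types = ("a", "b"), transforms use Type = "a"
TYPES_RE = re.compile(r'types\s*=\s*\(([^)]*)\)|\bType\s*=\s*"([^"]*)"')


def issued_claim_types(rules_text):
    """Map each issued claim type to the names of the rules that issue it."""
    result = {}
    # rules in the stored set are separated by blank lines; each carries @RuleName
    for rule in re.split(r'\n\s*\n', rules_text.strip()):
        name_m = RULE_NAME_RE.search(rule)
        name = name_m.group(1) if name_m else "<unnamed>"
        for issue in ISSUE_RE.finditer(rule):
            for m in TYPES_RE.finditer(issue.group(1)):
                if m.group(1) is not None:
                    types = re.findall(r'"([^"]*)"', m.group(1))   # types = ("...", "...")
                else:
                    types = [m.group(2)]                            # Type = "..."
                for claim_type in types:
                    result.setdefault(claim_type, []).append(name)
    return result


def name_id_issuers(rules_text):
    """Rules that issue a Name ID; more than one reproduces the ADFS error above."""
    return issued_claim_types(rules_text).get(NAME_ID, [])


if __name__ == "__main__":
    print("question's rule set issues Name ID from:", name_id_issuers(DUPLICATE_RULES))
    print("fixed rule set issues Name ID from:", name_id_issuers(FIXED_RULES))
```

On a live server the rule text can be taken from the relying party's claim-rule editor or from the IssuanceTransformRules property of the ADFS PowerShell relying party trust object.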