This question is very similar to another post:
SSO using ADFS 2.0 getting NameIDPolicyError
However, the answer above does not work. I have read many posts on this site and elsewhere about how to fix this. A lot of people got it working, but I cannot. In short, when we configure the OpenAM server as a relying party trust in AD, we get an SSO error after logging in.
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 11/4/2013 12:52:04 PM
Event ID: 321
Task Category: None
Level: Error
Keywords: AD FS
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requester: sso.uat.firstmarblehead.com/ccuniversity_sso
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
This request failed.
We created the issuance transform rules following the instructions in every article we found online. We have tried many versions, but this is our latest attempt.
First rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");
Second rule:
c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
Here is the output of Get-ADFSRelyingPartyTrust:
AutoUpdateEnabled : False
DelegationAuthorizationRules :
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
IssuanceAuthorizationRules : @RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
IssuanceTransformRules : @RuleName = "tma1"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");
@RuleTemplate = "MapClaims"
@RuleName = "tms"
c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
ClaimsAccepted : {}
ConflictWithPublishedPolicy : False
EncryptClaims : True
Enabled : True
EncryptionCertificate : [Subject]
CN=*.uat.firstmarblehead.com, OU=Information Technology, O="First Marblehead Education Resources, Inc.", L=Boston, S=Massachusetts, C=US
[Issuer]
CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number]
098E9D684BFAE209A18CCEF5787321DC
[Not Before]
4/17/2013 8:00:00 PM
[Not After]
4/22/2016 8:00:00 AM
[Thumbprint]
CA87AB342FBD2B07FF6642FAE1B6F9A685914BC8
Identifier : {sso.uat.firstmarblehead.com/ccuniversity_sso}
LastMonitoredTime : 1/1/1900 12:00:00 AM
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 1/1/1900 12:00:00 AM
MetadataUrl :
MonitoringEnabled : False
Name : tms
NotBeforeSkew : 0
Notes :
OrganizationInfo :
ImpersonationAuthorizationRules : c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxySid({0})", param=c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxySid({0})", param=c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0})", param=c.Value );
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {[Subject]
CN=*.uat.firstmarblehead.com, OU=Information Technology, O="First Marblehead Education Resources, Inc.", L=Boston, S=Massachusetts, C=US
[Issuer]
CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number]
0FF7E7A675A284662D016D88667AB41F
[Not Before]
4/17/2013 8:00:00 PM
[Not After]
4/22/2016 8:00:00 AM
[Thumbprint]
24EC80DB593EAFB2828D779562EA8CED42D76846
}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : True
SamlEndpoints : {Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2000/09/xmldsig#rsa-sha1
TokenLifetime : 0
Here is the decrypted/decoded SAML. This is the POST to our server, the IdP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s2eed242413a54b59b47903b814912ab1e84144944"
Version="2.0"
IssueInstant="2013-11-05T17:17:15Z"
Destination="https://auth.ccuniversity.edu/adfs/ls/"
ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso"
AllowCreate="true"
/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"
>
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
This is what the browser posted to their server, the SP:
<samlp:Response ID="_13d60ca8-b098-4373-96e3-e344668312f6"
Version="2.0"
IssueInstant="2013-11-05T17:17:40.234Z"
Destination="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://auth.ccuniversity.edu/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_13d60ca8-b098-4373-96e3-e344668312f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>8a98Uanf5TQZNwTEGU46itoq4Nc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>aesO2KDvxadT+O2z3P84c190vBPOcHYKTZjP3Sow41iRNaMo09Tz1ERLSUw0/W3g+a67D/l5ZL5SsncsQCvhVLKwGy/JO1J1fHZuzxQ5YgoRqznYQWVUVI8x1G6ZTXuLFsnj7M5FJZNsv//uGwpPmdj/6+p7gvzkhX5mE6tCHeltKD7LDXwaO6O2XwpGNuUiYr8Zix27ZpEoVtRXrZLuSdkBhWvALyDt79MsYMRfe88FWEnWxImIMPmc/+JAj4Wnw7cSh1eSc51n2h4Ke69J2tpiiz/TgTe+N2rMDTfmHHljk6TPt1eNxMIDPIMZE1yA0NBP4QU/xf+PktNmz+rx2g==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
This is the error shown in the browser:
GET https://sso.uat.firstmarblehead.com/favicon.ico HTTP/1.1
Host: sso.uat.firstmarblehead.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: amlbcookie=03; BIGipServerUAT.sso.firstmarblehead.com-HTTP=1548095916.20480.0000
HTTP/?.? 404 Not Found
Date: Tue, 05 Nov 2013 17:17:40 GMT
Server: Apache/2.2.17 (Red Hat Enterprise Web Server)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1
Here are the only two logs in the AD FS Tracing --> Debug category that seem to matter. This one is an "information" log:
Date: 10/25/2013 2:32:50 PM
Event ID: 49
Task Category: None
Level: Information
Keywords: ADFSSamlProtocol
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
<EventID>49</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000200</Keywords>
<TimeCreated SystemTime="2013-10-25T18:32:50.360003000Z" />
<EventRecordID>92</EventRecordID>
<Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
<Execution ProcessID="5068" ThreadID="5636" ProcessorID="1" KernelTime="3" UserTime="15" />
<Channel>AD FS 2.0 Tracing/Debug</Channel>
<Computer>domainserver2.cincybible.priv</Computer>
<Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created</EventData>
</Event>
</UserData>
</Event>
This one is an error log:
Log Name: AD FS 2.0 Tracing/Debug
Source: AD FS 2.0 Tracing
Date: 10/25/2013 2:32:50 PM
Event ID: 47
Task Category: None
Level: Error
Keywords: ADFSSamlProtocol
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
<EventID>47</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000200</Keywords>
<TimeCreated SystemTime="2013-10-25T18:32:50.309219800Z" />
<EventRecordID>88</EventRecordID>
<Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
<Execution ProcessID="5068" ThreadID="5636" ProcessorID="2" KernelTime="3" UserTime="12" />
<Channel>AD FS 2.0 Tracing/Debug</Channel>
<Computer>domainserver2.cincybible.priv</Computer>
<Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)</EventData>
</Event>
</UserData>
</Event>
Has anyone done this or have any ideas?
So, we have made some progress by changing the rules in ADFS (the IdP) and OpenAM (the SP). We now get an error about certificates, which we are optimistic we can resolve.
Here are the exact updated rules:
Rule 1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Rule 2
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sso.uat.firstmarblehead.com/ccuniversity_sso");
The changes made to OpenAM are described in this forum thread:
http://list-archives.org/2012/09/29/openam-forgerock-org/openam-and-adfs-fedration/f/1331885749
Note this section in particular:
"> >>> Peter Major <peter.major@forgerock.com> 9/29/2012 3:04 AM >>>
>
> Go to the Federation page, and try to remove persistent nameid-format
> from both SP and IdP configuration (one of seems to be on the top of the
> nameid format, but adfs doesn't like it).
> The OpenAM side of the error is probably at handling the SAML error
> response, can you please provide the HTTP flow (or the SAML
> requests/responses)?"
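The MSIS1000 error in the question is ADFS comparing the NameIDPolicy of the incoming AuthnRequest with the nameidentifier claim the issuance transform rules actually produced. As an added illustration (not part of the question and not ADFS's own code), the following Python models that comparison against the AuthnRequest quoted above, using the claim properties from the first attempt's rule and from the updated Rule 2; exact string matching on both Format and SPNameQualifier, and the "null" result when no nameidentifier claim exists, are assumptions of this model.

```python
"""Model of the NameIDPolicy check behind ADFS event MSIS1000 (added example, not ADFS code)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
SPNQ_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"

# Constructed input: the AuthnRequest from the question, trimmed to what the check needs.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    ID="s2eed242413a54b59b47903b814912ab1e84144944" Version="2.0">
  <samlp:NameIDPolicy Format="{TRANSIENT}"
      SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Claim properties the two rule sets in the question put on the nameidentifier claim.
FIRST_ATTEMPT = {FORMAT_PROP: TRANSIENT,
                 SPNQ_PROP: "http://sso.uat.firstmarblehead.com/ccuniversity_sso"}
UPDATED_RULE_2 = {FORMAT_PROP: TRANSIENT,
                  SPNQ_PROP: "sso.uat.firstmarblehead.com/ccuniversity_sso"}


def requested_policy(authn_request_xml):
    """Return (Format, SPNameQualifier) from the request's NameIDPolicy, or None if absent."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None
    return policy.get("Format"), policy.get("SPNameQualifier")


def nameid_policy_problems(authn_request_xml, nameid_claim):
    """Compare the requested NameIDPolicy with the issued nameidentifier claim.

    nameid_claim: dict of claim properties, or None when no nameidentifier claim was issued.
    Returns a list of mismatches; empty means the policy is satisfied (assumption: exact match).
    """
    policy = requested_policy(authn_request_xml)
    if policy is None:
        return []  # nothing was requested, so nothing can be unsatisfied
    fmt, spnq = policy
    if nameid_claim is None:
        return ["no nameidentifier claim issued (Actual NameID properties: null)"]
    problems = []
    if nameid_claim.get(FORMAT_PROP) != fmt:
        problems.append(f"format {nameid_claim.get(FORMAT_PROP)!r} != requested {fmt!r}")
    if spnq is not None and nameid_claim.get(SPNQ_PROP) != spnq:
        problems.append(f"SPNameQualifier {nameid_claim.get(SPNQ_PROP)!r} != requested {spnq!r}")
    return problems
```

Calling `nameid_policy_problems(AUTHN_REQUEST, None)` reproduces the "null" case from the event log, while the first attempt's scheme-prefixed SPNameQualifier and the updated rule's exact value show the two remaining outcomes.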