好吧,我已经被困了好几天了,所以这是我唯一的希望。
我已经配置了带有 ADFS 3.0 的 Windows 2012 r2、带有 SAML 2.0 单点登录插件的 bitnami Wordpress (4.2.2) 和带有 SimpleSAMLphp 1.13 的 Ubuntu 服务器。
Wordpress 配置如下所示:
对于身份验证源,我使用的是 SSP 的文件模块。它具有以下属性:
User-Name
用于用户 ID、mail
用户的电子邮件地址和Filter-Id
用户组。
在 ADFS 方面,我已将声明提供者信任配置为 SSP,将依赖方的信任配置为 WP。
这些索赔规则是:
SSP:
规则 1:转换名称 id 策略。如果未设置此规则,WP 的 SSP 会给出 NameIDPolicy 无效错误。
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
规则 2:通过所有声明
c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"]
=> issue(claim = c);
WordPress:
规则 1:将名称属性转换为 WP 的属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);
规则 2:转换邮件属性
c:[Type == "mail"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress", Value = c.Value);
规则 3:转换组属性
c:[Type == "Filter-Id"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/Group", Value = c.Value);
规则 4:转换为 Givenname 属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname", Value = c.Value);
规则 5:转换为姓氏属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/surname", Value = c.Value);
规则 6:转换名称 ID 政策并发出所有声明
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
用户获得良好的身份验证(SP/IdP-Initiated)。但在 WP 方面,我收到错误消息Username was not provided
。
ADFS 跟踪器日志显示我SSO token is null or empty. Cannot write SSO token to Cookies.
我检查了 IdP 的用户登录,它显示用户已登录。跟踪器日志还显示Valid assertion returned from 'https://example.com/simplesamlphp/saml2/idp/metadata.php'
我想声明规则有问题,但我不确定,因为配置看起来和工作正常。
欢迎任何指点!
谢谢!