我正在使用 PingFederate 进行 SSO。我的应用程序充当 SP,我正在尝试由 SP 发起的 SSO。我将 SAMLRequest 发送到已签名的 PingFederate。但它不会向 SAMLRequest9authnRequest 中提到的 ACS URL 发送 SAML 响应)。
你能帮我设置一下,这样默认的断言消费者 URL 不会被拾取,而是使用 SAMLRequest 中发送的那个吗?
问问题
3485 次
2 回答
3
[Updated}
So you are the SP and PF is the IDP? PF needs to have your Assertion Consumer Service URL listed in the local meta-data (PF can hold several ACS URLs for a single SP) and I believe you need to specify the ACSIndex (as configured in PF) or ACSURL value.
The SAMl 2.0 Core document outlines how to include AssertionConsumerServiceIndex or AssertionConsumerServiceURL in your AuthnRequest.
--Ian
Can you provide more details?
It sounds like you are using PF as the IDP and SP? If you want to PF (IDP) to use an ACS URL other than the default with SP-Init SSO you need to specify the ACSIndex of the ACS URL in the AuthnRequest. PF (SP) can specify a specific ACSIndex to include in the AuthnRequest by appending it to the startSSO.ping Application Endpoint.
If the ACSIndex is not listed in the PF (IDP) configuration the SP must sign the AuthnRequest (per the spec) and specify the ACSIndex to use instead.
Let me know if that makes sense or you need more info on how to do this.
--Ian
于 2010-09-01T19:38:35.223 回答
0
如果您使用 AuthnRequest 正确发送,PingFederate 将自动维护 RelayState(作为 IDP)并使用断言(根据规范)返回它。您无需在 PF 内执行任何操作即可实现这一目标。
我会确保您正确发送它,并且 PF 正在记录它从您那里收到的值。
于 2010-09-08T15:11:40.467 回答