
I get the following error when trying to connect to a WebSEAL SAML endpoint

My server is set up as the SP, and I am trying to authenticate against the IdP I configured in saml20-idp-remote.php

The redirect works fine, but when the IdP redirects back to my SP I get the following error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Error validating SubjectConfirmation in Assertion:
 Recipient in SubjectConfirmationData does not match the current URL. 
Recipient is 'http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp', 
current URL is 
'http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'.
Backtrace:
3 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:684 (sspmod_saml_Message::processAssertion)
2 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:517 (sspmod_saml_Message::processResponse)
1 /mnt/www/html/livehappierstg/simplesaml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:134 (N/A)

How do I change the Recipient URL in the SubjectConfirmationData from my configuration file?

My configuration file is as follows.

'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'http://local.com/',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://example.com/federatedaccess/SSOConsume.do',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
)

SAML 2.0 IdP remote configuration

$metadata['https://example.com/federatedaccess/SSOConsume.do'] = array(
  'name' => array(
    'en' => 'My SSO',
  ),
  'description' => 'My single sign on webseal environment.',
  'ForceAuthn' => false,
  'IsPassive' => false,
  'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
  'SingleSignOnService' => 'https://example.com/federatedaccess/SSOConsume.do',
  'certificate' => 'pub.crt',
  'sign.authnrequest' => true,
  'redirect.sign' => true,
  'redirect.validate' => true,
);

Cheers


1 Answer


This is an issue of how the IdP is configured with your SP. It should set the Recipient in SubjectConfirmationData to http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp instead of http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp (note the difference between saml2-acs.php and metadata.php in the path).

The URL the IdP is using is the URL to retrieve your SP's metadata. It seems that instead of reading the metadata it is using that URL as the AssertionConsumerService URL.

Answered 2016-04-25T14:22:39.467
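As an added example (not code from the question or from SimpleSAMLphp), the bearer SubjectConfirmation check that the SP's ACS endpoint performs, in Python against a constructed SAML Response: the Recipient must equal the URL the Response was posted to, and NotOnOrAfter must not have passed. The IdP misconfiguration from the question (Recipient set to the metadata URL) is reproduced and rejected; `build_response` and `check_subject_confirmation` are names chosen here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed from the error in the question: the SP metadata URL the misconfigured
# IdP put in Recipient, and the ACS URL the Response is actually posted to.
METADATA_URL = "http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp"
ACS_URL = "http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"


def build_response(recipient, not_on_or_after="2099-01-01T00:00:00Z"):
    """Minimal unsigned Response with one bearer assertion (constructed sample)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2016-04-25T14:00:00Z" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-25T14:00:00Z">
    <saml:Issuer>https://example.com/federatedaccess/SSOConsume.do</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_subject_confirmation(response_xml, current_url, now=None):
    """Replay the bearer SubjectConfirmation checks an SP's ACS endpoint performs.
    Returns a list of problems; an empty list means the assertion passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(response_xml)
    for sc in root.iterfind(".//saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation has no SubjectConfirmationData")
            continue
        recipient = data.get("Recipient")
        if recipient != current_url:  # the exact comparison that produced the error above
            problems.append(f"Recipient {recipient!r} does not match current URL {current_url!r}")
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            problems.append("SubjectConfirmationData has no NotOnOrAfter")
        elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            problems.append(f"SubjectConfirmationData expired at {expiry}")
    return problems
```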