对于这个用例,我有一个奇怪的行为:WSO2 IS 有一个租户(租户 A),并且在租户中添加了一个 Shibboleth 服务提供商(未选择 SaaS,因此 SP 应该只对租户可见)。Shibboleth SP 具有 wso2 IDP 的元数据,并且证书已就位且正确。配置是通过碳控制台完成的。导航受 Shibboleth SP 保护的 URL 我得到了奇怪的行为:
我被重定向到tenantDomain=carbon.super 并且(正确地)wso2 日志告诉我我的SP 没有注册。
TLDR:我找不到在 Shibboleth SP 和 WSO2 IS 之间的 SP 发起的 SSO 中通知租户域的方法。这种行为是有意的吗?谢谢
这里 wso2 是常驻 IDP 元数据。这是使用 wso2 控制台中的“下载元数据”按钮生成的。然后将其复制到 Shibboleth SP 中。
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://iam01.com">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" validUntil="2019-01-24T14:47:48.803Z">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIDezCCAmOgAwIBAgIEJesahDANBgkqhkiG9w0BAQsFADBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlwdWdsaWEuaXQwHhcNMTkwMTIzMTM1MzMxWhcNMjAwMTE4MTM1MzMxWjBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlwdWdsaWEuaXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKIumEc7InbTUemGKGMnGtM9xzCbaVdqG8yE/ziEvo0dwxEvHtxsUMj/18D95hoDFpG90AOTcThHxa3ppMuN4IMhx/oNcwCahUsUQNesmQCtcL5CmduILELVmca0SQXeYqie7xLiM+osr/cGDXzzLyzyYPuWqehigtV3kGXbbMEl8mjMxwZbW3dyUeiaTmwoLmfPvvAn0KNV6aKxekziXRpELFdCZYM0u3wxfwRcwb/AMTCjTCUQANf3Fq55p1vE4+W5Wpl31Aua3SEqNAj33pJ1Bj2/e3mfWcFJeknOR/JqwEN3xAqOiLHffhiVVfN76JV7bc8bxyg6yPVpopvz9fAgMBAAGjITAfMB0GA1UdDgQWBBTvYpC7Y/jBh04BNfoqAqP4nLahPDANBgkqhkiG9w0BAQsFAAOCAQEAoE2kBEHZtKTqnYORFob5pDzLh4GZA7R7sNoCWgUsyyMOEXEyfHBNBljrvr6LMnlS6iGcuYlWAu8eonYdxlLryiThHkAMYryHp3jZXYb7AKwdm7ZJkAiiaemSXR9jjG7rzONRiLNJgoDLUdPJjzKndV4/I4VfWuYJiP1Ah7+9vR3Yu1rGom7anOfAiHv9dA/RKO642mOys3ihc6vLGsCTDFRy1pwkI62C9Tc62aSxOtNq9vasx142fKELe1+iGv5gs0oipD9/yusk6+92XdgbKASHw+r+LZVQCJN+Zn/kwFPldzhe35NVHWhx5c5ZOii0qreouYhB/ZGc0Ndl/4yzOc==</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iam01.com:9443/samlsso" ResponseLocation="https://iam01.com:9443/samlsso"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://iam01.com:9443/samlsso"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iam01.com:9443/samlsso"/>
</IDPSSODescriptor>
</EntityDescriptor>