1

我正在使用omniauth-saml对 Ruby on Rails 应用程序上的用户进行身份验证。

身份验证一直运行良好,直到我们声明尝试与使用 ADFS(Windows Active Directory)的公司合作。

我们的应用程序能够路由到 ADFS 登录屏幕,进行登录操作,当 ADFS 重定向回我们的应用程序时,我们会看到错误消息:

The status code of the Response was not Success, was Responder

调试,我们可以看到omniauth-saml 是生成此消息的原因。

通过挖掘发送到我们应用程序的有效负载,“SAMLResponse”属性包含一个带有以下部分的 xml 文档:

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status>

我们认为这与omniauth-saml 提供的错误消息有关。

ADFS 明显难以调试,但我们认为以下错误消息是造成这一考验的原因:

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
https://our-domain/users/auth/saml/metadata?attr1=123&attr2=432 

Exception details: 
Microsoft.IdentityModel.SecurityTokenService.InvalidScopeException: MSIS3055: The requested relying party trust 'https://our-domain/users/auth/saml/metadata' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS" Guid="{2ffb687a-1571-4ace-8550-47ab5ccae2bc}" />
    <EventID>364</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2019-10-15T23:15:19.254339300Z" />
    <EventRecordID>1512764</EventRecordID>
    <Correlation ActivityID="{19de3423-ee29-40a8-890d-0080000000bf}" />
    <Execution ProcessID="752" ThreadID="4076" />
    <Channel>AD FS/Admin</Channel>
    <Computer>serve-name.domain</Computer>
    <Security UserID="S-1-5-21-1708537768-1844237615-682003330-107716" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Saml</Data>
        <Data>https://our-domain/users/auth/saml/metadata?attr1=123&amp;attr2=432</Data>
        <Data>Microsoft.IdentityModel.SecurityTokenService.InvalidScopeException: MSIS3055: The requested relying party trust 'https://our-domain/users/auth/saml/metadata' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---&gt; Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String&amp; newSamlSession, String&amp; samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String&amp; samlpSessionState, String&amp; samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.

</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

我对 ADFS 的理解是有限的,所以我不确定这些错误是由 ADFS 错误配置还是由我们需要添加到我们的应用程序以使其与 ADFS 一起使用的特定内容引起的......

您的帮助将不胜感激!

4

2 回答 2

1

ADFS 中不存在标识符为“ https://our-domain/users/auth/saml/metadata ”的 RP。

您是如何配置 ADFS RP 的?你使用元数据了吗?

当您通过 ADFS 向导查看 RP 时,它应该在“标识符”选项卡中具有上述标识符。

于 2019-10-16T19:12:36.977 回答
0

事实证明,答案是为 ADFS 提供一个替代 URL,以从我们的系统中检索 SAML 元数据文件。

似乎 ADFS 无法处理将查询字符串放入其“依赖方信任”“联合元数据文件位置”(这个 ADFS 行话让我丧命......) 在此处输入图像描述

无论如何,一旦可以在没有查询字符串的情况下使用 url,一切正常。我们将参数移动到 url 的一部分:

代替

https://our-domain/users/auth/saml/metadata?attr1=123&attr2=432

我们猴子修补了omniauth-saml并使用了一个新的url,所以我们可以使用替代url提供相同的功能:

https://our-domain/users/auth/saml/:attr1/:attr2/metadata
于 2019-10-22T01:13:41.313 回答