
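I am integrating my application using SAML 2.0 (ADFS on OS 2016). I am using ADFS on OS 2016 as my IDP. I have the integration working almost end to end, except for one thing: the IDP always sends its response to the SP (my application) in SAML 1.1 format only, not SAML 2.0.

Based on the article below and the 3 points it mentions, I concluded that the response I am getting is SAML 1.1 only. (Please correct me if I am wrong.)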

http://saml.xml.org/differences-between-saml-2-0-and-1-1

  1.  The MajorVersion and MinorVersion attributes that appeared on various elements have been combined into a single Version attribute that has the value "2.0".
    
  2.  The <AuthenticationStatement> element has been renamed to <AuthnStatement>.
    
  3.  The AuthenticationMethod attribute has been replaced by the new structured <AuthnContext> element permitting the expression of new, very fine-grained authentication methods and other authentication-related information.
    

Below is the response I get from the IDP (ADFS on OS 2016).

  1. wa: wsignin1.0

  2. wresult:

     ```xml
     <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
       <t:Lifetime>
         <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-06-26T04:57:32.190Z</wsu:Created>
         <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2020-06-26T05:57:32.190Z</wsu:Expires>
       </t:Lifetime>
       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
         <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
           <wsa:Address>https://SPmachineHost:9555/samllogin</wsa:Address>
         </wsa:EndpointReference>
       </wsp:AppliesTo>
       <t:RequestedSecurityToken>
         <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_18ed877c-5232-48cb-96fa-ee9f6a4052f1" Issuer="http://acs-adfs.acsadfs.local/adfs/services/trust" IssueInstant="2020-06-26T04:57:32.190Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
           <saml:Conditions NotBefore="2020-06-26T04:57:32.190Z" NotOnOrAfter="2020-06-26T05:57:32.190Z">
             <saml:AudienceRestrictionCondition>
               <saml:Audience>https://SPmachineHost:9555/samllogin</saml:Audience>
             </saml:AudienceRestrictionCondition>
           </saml:Conditions>
           <saml:AttributeStatement>
             <saml:Subject>
               <saml:SubjectConfirmation>
                 <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
               </saml:SubjectConfirmation>
             </saml:Subject>
             <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
               <saml:AttributeValue>Admin1</saml:AttributeValue>
             </saml:Attribute>
           </saml:AttributeStatement>
           <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2020-06-26T04:57:32.128Z">
             <saml:Subject>
               <saml:SubjectConfirmation>
                 <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
               </saml:SubjectConfirmation>
             </saml:Subject>
           </saml:AuthenticationStatement>
           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
             <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
               <ds:Reference URI="#_18ed877c-5232-48cb-ee9f6052f1">
                 <ds:Transforms>
                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                 </ds:Transforms>
                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                 <ds:DigestValue>80PFFLCrLFF8oL/MWx40FrZEx5A5w=</ds:DigestValue>
               </ds:Reference>
             </ds:SignedInfo>
             <ds:SignatureValue>MJd9e6ASmechzBC7jjnzV0mwP73n2GN3Dsz5GOEwPWzqzU 91O2QGQDrmnK8jVEN8RCylhJhUs42pjZpJmnse/jzse9NwJaLDgK2SjEDPJOQgYhYrS/Ax956B//40ZJzSZEiI7TeiQOdz3F2S2jwK9FV4rMcMwqAOKwC5uuZxKI2zTVN/l2p0TBrwXOm2a8za52k9YbhxsVw==</ds:SignatureValue>
           </ds:Signature>
         </saml:Assertion>
       </t:RequestedSecurityToken>
       <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
       <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
       <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
     </t:RequestSecurityTokenResponse>
     ```

  3. wctx: empty

Any help on this would be greatly appreciated.

Thanks, 塞卡

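The three version checks quoted in the question above, written as a check an SP could run on a received token before processing it. This is an added example, not part of the original post; it also reports whether the assertion arrived inside a WS-Trust `RequestSecurityTokenResponse`, as in the `wresult` above. The helper name `classify_assertion` is hypothetical and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"   # namespace shared by SAML 1.0 and 1.1
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
RSTR = "{http://schemas.xmlsoap.org/ws/2005/02/trust}RequestSecurityTokenResponse"

def classify_assertion(xml_text):
    """Apply the three version checks from the question to the first assertion found."""
    root = ET.fromstring(xml_text)
    for ns in (SAML11, SAML20):
        tag = "{%s}Assertion" % ns
        a = root if root.tag == tag else root.find(".//" + tag)
        if a is None:
            continue
        # Point 1: MajorVersion/MinorVersion (1.x) versus a single Version attribute (2.0)
        if "Version" in a.attrib:
            version = a.get("Version")
        elif "MajorVersion" in a.attrib and "MinorVersion" in a.attrib:
            version = "%s.%s" % (a.get("MajorVersion"), a.get("MinorVersion"))
        else:
            version = None  # no version attributes at all
        evidence = []
        # Point 2: <AuthenticationStatement> (1.x) versus <AuthnStatement> (2.0)
        for name in ("AuthenticationStatement", "AuthnStatement"):
            stmt = a.find("{%s}%s" % (ns, name))
            if stmt is None:
                continue
            evidence.append(name)
            # Point 3: AuthenticationMethod attribute (1.x) versus <AuthnContext> child (2.0)
            if "AuthenticationMethod" in stmt.attrib:
                evidence.append("AuthenticationMethod")
            if stmt.find("{%s}AuthnContext" % ns) is not None:
                evidence.append("AuthnContext")
        return {"version": version, "in_rstr": root.tag == RSTR, "evidence": evidence}
    return None  # no SAML assertion present

# Constructed samples: a trimmed wresult shaped like the one above, and a minimal SAML 2.0 assertion.
WRESULT_11 = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken><saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1">'
    '<saml:AuthenticationStatement AuthenticationMethod="urn:example:method"/>'
    '</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>' % SAML11)
ASSERTION_20 = (
    '<saml:Assertion xmlns:saml="%s" Version="2.0"><saml:AuthnStatement>'
    '<saml:AuthnContext/></saml:AuthnStatement></saml:Assertion>' % SAML20)

if __name__ == "__main__":
    for sample in (WRESULT_11, ASSERTION_20):
        print(classify_assertion(sample))
```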