作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
我成功地将 OneLogin java-saml 库用于 SAML SSO。但是,Active Directory 联合身份验证服务 (ADFS) 的 SLO(单点注销)存在问题。库创建的 LogoutRequest 被 ADFS 拒绝,而 SimpleSAMLphp IdP 接受它。我在 LogoutRequest 创建时在响应中传递从 ADFS 收到的 nameId
和 sessionIndex
。
以下是生成的请求和收到的响应:
身份验证请求:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" Version="2.0" IssueInstant="2017-05-31T15:43:07Z" ProviderName="My Company Service Provider" Destination="https://wintest.mycompany.test/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://localhost:8443/builder/login_check_sso">
<saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://localhost:8443/builder/login_check_sso" ID="_f5ea3a59-92f9-4b22-aaf0-36ed392df051" InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe" IssueInstant="2017-05-31T15:43:10.158Z" Version="2.0">
<Issuer>http://wintest.mycompany.test/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>FNwbMonYZBBvTXSRbCWP7WxZgPZPSCcCFZozok9eRK4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>fG1SIq3azZfBFQ+5YBBruuCQ03sLIHJ/YpK/AAOYkyJKXEZ5+SvNLgl+8/3a6Tk8mabZmwmawoJRf5UPb+fNtk+CeeWJ7kiUYcb2uvB4ic7Qd4qB+OgfqK0qVCkn9FWGEODLXA6v4tXWBZfSnzDrHEg7xLHrngesSnffY3uyQvH/rm4G2Vjd59LUeUtpJo2X5ZjVuk4sT5r21+UxpNU9LX8z7hXAZHhD1o4d2dqAs21tAGoid3p0RgNDy1WWGh1WSjFLHPDh220ZIchRFKveJE3R9M9nTKtOFESQsYc6TfmhJ5+Xm/j0VY7vvdhgguyq4MKzcPFK6tBL7I8KREck/Q==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID>hamilton1@mycompany.test</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ONELOGIN_a80567d6-8957-482b-90e9-99d1b40ec8b1" NotOnOrAfter="2017-05-31T15:48:10.158Z" Recipient="https://localhost:8443/builder/login_check_sso" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2017-05-31T15:43:10.158Z" NotOnOrAfter="2017-05-31T16:43:10.158Z">
<AudienceRestriction>
<Audience>http://localhost:4568/sso/saml/metadata</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>hamilton@mycompany.com</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2017-05-31T12:18:50.194Z" SessionIndex="_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
<saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">hamilton1@mycompany.test</saml:NameID>
<samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1b3e8c81-2aba-45be-8fe6-54edda514d51" Version="2.0" IssueInstant="2017-05-31T15:43:24.808Z" Destination="https://localhost:8443/builder/logout_sso" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://wintest.mycompany.test/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_1b3e8c81-2aba-45be-8fe6-54edda514d51">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>NDfLVWPkh2/UCEbLQ6V97OK2u4pajv3aLB9cPs5JkSc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>M1JaIz/AeJAh1bUzAUBrljch9EVOVA6K3lzuFDWwF0LtmXgcMEZV9Htp9owq5MNcOZ/mymBrKmndz1EDwDxwOCLjpvp5QX42G23dUCyYAGfQXE1Dzub7dsaTSlMWnkbh6fMLk/j5/fcLEi8vwXMInQv6isVpxnbYI+4ayQWOzo9QpfJBaromDDqVwbmkoT8lhRo06n32OAi8CtaAS2rjNqJyPfcnLp3jMpfg5Qh3wiKYnT6VkMpXw5ddVASByKlqzIRiuItwJsqF4JDDj+f2qgSdq6PaTgYpu8xnbFXTdOvDeg0ZgetQrnaZ07+5xLFLGI73feAWPUFPXwMHQ2THXA==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC4DCCAcigAwIBAgIQawxJmIMxo49K2BnRDsVfGDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwHhcNMTcwNDIwMTIxNzUyWhcNMTgwNDIwMTIxNzUyWjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBXSU5URVNULlRvbmljLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLUb41Ui5/ytBky/npDW5eV6gQhR7WZ3KJs/JEHEN+pbyNRYZXDY3zXIXcUDRMMdDUnewOisNN4iAMHDri/J7c2zBa05XReyQarnTBDPuiB2Hex6pxA486Mk5KqW8MGB2oWexCM+g1VXiaaSJEOHTb0V+GOhYHcDckNOfnBCKehqnYxqAmJp5WHzmU7IZWNb5P6tl92EfbdATA5fU29dkKVoYDGQJqdDDeLDI1mzxyMENce3v8JER9cnTW7zC2k4hD0TYafF3xphn2yLpnqnGEgbHDla9vdDMqX82+L4DSt4747kEdpc4+V9wwrkOnM5Cz5KKHyzQqzOS91CorCJI/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACdbOOfVkVNgaPzD+o60HHytR2MzbPcksKq1tZnS++nR+KM5Vo9FiH3LQ8BUulv8sEEq3ITeiLo92fMRySwiaftunLAAEYdBDTIbdi/fUJgLBoCVkDQvdtlRpnunr1KY7ILhKq4w9eQ0I5M5RDZlY2g3LEbyZpFknV1P1Ykx4d/re7BP42kt6JvY8SeA6TnfzgoQUGRBP7DAHiJ3J/HFPQZUvhqpKf6b5SEFMiSczx7wT1/CManyQ9rxOc0rycbGOcIuMNvxCipKWHsBwxvX021uXojhiSx37VxHWSNyWx5HA60GKkOolK8z2xZ/kdXmn5lxaRvH1P169Cd6HrjKzes=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
</samlp:Status>
</samlp:LogoutResponse>
The SAML Single Logout request does not correspond to the logged-in session participant.
带有额外的错误描述:
User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.
最佳答案
好的,问题解决了。
正如您在 SAML 响应中看到的,我发布了 NameID
元素没有 Format
属性:
<Subject>
<NameID>hamilton1@mycompany.test</NameID>
...
</Subject>
LogouRequest
中也不存在 Format 属性。
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_947f5e64-8423-4464-b4b0-fa416dfe62a0" Version="2.0" IssueInstant="2017-05-31T15:43:18Z" Destination="https://wintest.mycompany.test/adfs/ls/">
<saml:Issuer>http://localhost:4568/sso/saml/metadata</saml:Issuer>
<saml:NameID>hamilton1@mycompany.test</saml:NameID>
<samlp:SessionIndex>_6f6daef8-f0b5-4437-8e35-ae44ffc48cfe</samlp:SessionIndex>
</samlp:LogoutRequest>
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">hamilton1@mycompany.test</NameID>
...
</Subject>
LogutRequest
和
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
注销成功:
LogoutRequest
没有接受
nameIdFormat
的构造函数:
https://github.com/onelogin/java-saml/blob/v2.0.1/core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java :
LogoutRequest logoutRequest = new LogoutRequest(settings, null, nameId, sessionIndex);
String samlRequestXml = logoutRequest.getLogoutRequestXml();
samlRequestXml = samlRequestXml.replaceAll(" Format=\".+\"", "");
LogoutRequest
作为参数的
nameIdFormat
构造函数。
https://github.com/onelogin/java-saml/issues/98 中有更多细节。
关于saml - 使用 ADFS IdP 进行单点注销的正确注销请求,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44290083/
这个问题在这里已经有了答案: Git for beginners: The definitive practical guide (37 个答案) 关闭 9 年前。 在使用句点(或句点,单点)将文件
我是一名优秀的程序员,十分优秀!