
single-sign-on - Ping Federate: Single sign-on authentication was unsuccessful

Repost. Author: 行者123. Updated: 2023-12-03 01:14:01

I ran into this problem while implementing Ping Federate:

Error - Single Sign-On
Single sign-on authentication was unsuccessful (reference # TAELHKAD).
Please contact your system administrator for assistance regarding this error.
Partner: localhost:default:entityId
Target Resource: http://sp-connection.com

But the server log does not show any error message/indication:

16:32:32,854 DEBUG [IntegrationControllerServlet] GET: https://localhost:9031/idp/startSSO.ping
16:32:32,856 DEBUG [IdpAdapterSupportBase] IdP Adapter Selection disabled, performing legacy adapter selection.
16:32:32,859 DEBUG [InterReqStateMgmtMapImpl] Object removeAttr(key: null, name: NUMBER_OF_ATTEMPTS): null
16:32:32,860 DEBUG [AttributeMap] Ignoring attempt to add null value to attribute map for context.TargetResource
16:32:32,860 DEBUG [AttributeMapping] Source attributes:{not-before=2014-05-26T10:47:32Z, authnContext=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, subject=joe, userId=joe, context.AuthenticationCtx=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, context.ClientIp=127.0.0.1, not-on-or-after=2014-05-26T10:52:32Z, renew-until=2014-05-26T22:47:32Z, password=test, context.HttpRequest=/idp/startSSO.ping} Resulting attributes:{SAML_SUBJECT=joe}
16:32:32,862 DEBUG [TrackingIdSupport] [cross-reference-message] PFSessionXRefID:MzqNiwww3_exb1uk7K60oH69Wzx
16:32:32,863 DEBUG [IdpSessionRegistryMapImpl] registerSessionIssued: authnbean a6fff81d8b37477eb3f90824fdc8f2d3adb847c2 | assertion id MzqNiwww3_exb1uk7K60oH69Wzx
16:32:32,863 DEBUG [IdpSessionRegistryMapImpl] registerAuthnBean IdpHashableAuthnBean: a6fff81d8b37477eb3f90824fdc8f2d3adb847c2 with session id PedsaJJVNrmTayLjKvIOvz. Session now has 15 beans associated with it.
16:32:32,863 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:sbwb-ppc-idp subject:joe
16:32:32,885 DEBUG [LoggingInterceptor] Transported Response. OutMessageContext:
OutMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>localhost:default:entityId</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
<saml:AudienceRestriction>
<saml:Audience>sbwb-ppc-idp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
entityId: sbwb-ppc-idp (SP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Endpoint: https://localhost:9031/sp/ACS.saml2
SignaturePolicy: BINDING_DEFAULT

16:32:32,942 DEBUG [ProtocolControllerServlet] ---REQUEST (POST)/sp/ACS.saml2 from 127.0.0.1:
---PARAMETERS---
SAMLResponse:

16:32:32,942 DEBUG [BindingFactory] POST
with Params: [SAMLResponse]
assume binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
from: 127.0.0.1
Referer: https://localhost:9031/idp/startSSO.ping?PartnerSpId=sbwb-ppc-idp&IdpAdapterId=sbwbinstance&opentoken=T1RLAQJ-xGLJVNYpt6wbFuBEdkTdV_H7ExDDab6qMWCtnsV-8a8MiZQoAACgJ8IrzSTee9EIMxp11drk1ECkiKk5ogNZpGTfMN64-QOJsNBdeMKeU-L3-iD0HjNKDFOoTFVbhtUr20WUp22RVpp8KtvErnHQ984ZAj9AD5h4DU_OVA1cpDDcF9zZVqC_EpLZkUoK3vH9oj5B0cBpIM7QpIOVys4YZXx6-83C7RgpoWg7nAFK_Yx0JtnrS7Nd-bc8EVcVIdSUhVcsSxBAnQ**
AuthType: null
Content-Type: application/x-www-form-urlencoded
16:32:32,955 DEBUG [LoggingInterceptor] Received InMessageContext:
InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>localhost:default:entityId</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
<saml:AudienceRestriction>
<saml:Audience>sbwb-ppc-idp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true

16:32:32,965 WARN [AudienceEvaluator] no protocol: sbwb-ppc-idp when checking audience sbwb-ppc-idp against https://localhost:9031
16:32:32,966 WARN [ValidateWebSsoResponse] Invalid assertion
Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions.
16:32:32,967 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:null subject:null
16:32:32,968 WARN [HandleAuthnResponse] Invalid response: InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>localhost:default:entityId</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
<saml:AudienceRestriction>
<saml:Audience>sbwb-ppc-idp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true
-------------------------------------
(reference# RMCQDOUY) Response contains no valid assertions: [
Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions. ]. InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>localhost:default:entityId</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
<saml:AudienceRestriction>
<saml:Audience>sbwb-ppc-idp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true

-------------------------------------

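I have the following configuration:

  • The PF server acts as both the IdP and the SP server.
  • A query parameter is used to transfer the OpenToken from the IdP application to PF.
  • I created two adapters, one for the IdP and one for the SP.
  • And an SP connection on the IdP side (I have not configured an IdP connection yet).
  • IdP adapter to SP adapter mapping. I used the default data.zip as the base for PF.

I am stuck at this protocol endpoint: https://localhost:9031/sp/ACS.saml2

Questions

  1. Am I missing something in the adapter mapping?
  2. How does PF map/know which adapter to choose for OpenToken generation on the SP side?

Any hints/clues would be greatly appreciated. Thanks.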

Best answer

The server.log states what the error is:

16:32:32,965 WARN  [AudienceEvaluator] no protocol: sbwb-ppc-idp when checking audience sbwb-ppc-idp against https://localhost:9031    
16:32:32,966 WARN [ValidateWebSsoResponse] Invalid assertion
Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions.

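The SAML response was generated correctly, but your SP expects an audience value different from the one you are sending. The audience value generated by your IDP is: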

<saml:Audience>sbwb-ppc-idp</saml:Audience>

But it expects to receive localhost:default:entityId

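I notice that you have now opened several cases about basic setup. Have you reached out to your Ping solutions architect to help answer some of these questions?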
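A diagnostic sketch of the audience check described in the log, added here as an example (it is not PingFederate's code and not part of the original answer). It approximates the rule from the wording of the log remark; the function names are hypothetical, and it does not verify the signature, so it is only for inspecting responses already captured in a log.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trimmed copy of the assertion from the log above (signature and subject omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def audience_ok(audience, entity_id, base_url):
    """Accept the SP entity ID itself, or a URL on the base URL's hostname."""
    if audience == entity_id:
        return True
    # hostname is None for a bare name such as "sbwb-ppc-idp" (the "no protocol" case)
    host = urlsplit(audience).hostname
    return host is not None and host == urlsplit(base_url).hostname


def check_audiences(response_xml, entity_id, base_url):
    """Return {assertion ID: (valid, audiences seen)} for each assertion."""
    results = {}
    for assertion in ET.fromstring(response_xml).iterfind(".//saml:Assertion", NS):
        restrictions = assertion.findall("saml:Conditions/saml:AudienceRestriction", NS)
        seen, valid = [], True
        for restriction in restrictions:
            values = [(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)]
            seen.extend(values)
            # Every restriction condition must name this SP at least once.
            valid = valid and any(audience_ok(v, entity_id, base_url) for v in values)
        results[assertion.get("ID")] = (valid, seen)
    return results


if __name__ == "__main__":
    # SP side of the log: entity ID localhost:default:entityId, base URL https://localhost:9031
    print(check_audiences(SAMPLE, "localhost:default:entityId", "https://localhost:9031"))
```

Running it against the logged assertion reports the assertion as invalid with the audience `sbwb-ppc-idp`, which is the mismatch the answer points to.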

Regarding single-sign-on - Ping Federate: Single sign-on authentication was unsuccessful, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/23868629/
