Active Directory Shibboleth attribute query SAML error: Inbound message issuer was not authenticated
Tags: active-directory, ldap, shibboleth

login.config (JAAS LdapLoginModule)
edu.vt.middleware.ldap.jaas.LdapLoginModule required
    host="WIN-1GB01UK5SL6.VECISADTEST.com"
    port="636"
    base="CN=Users,DC=vecisadtest,DC=com"
    tls="false"
    serviceCredential="XXX"
    userRoleAttribute="sAMAccountName"
    serviceUser="Administrator@vecisadtest.com"
    ssl="true"
    subtreeSearch="true"
    userField="sAMAccountName";
idp-process.log
ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.
shibd.log
ERROR OpenSAML.SOAPClient [109]: SOAP client detected a SAML error: (urn:oasis:names:tc:SAML:2.0:status:Responder) (Message did not meet security requirements)
ERROR Shibboleth.AttributeResolver.Query [109]: attribute authority returned a SAML error
The Shibboleth authentication process works fine. The Active Directory server (LDAP) is correctly configured to work over SSL, and this was verified with LDP.exe. I also wrote a simple Java program that tries to connect to the Active Directory server over SSL. I was able to connect to the server on port 636, passed the user credentials including the password, and the server responded correctly.
The corresponding JVM cacerts already trusts the certificate.
The installation followed the documented installation instructions.
However, the error still occurs while querying attributes from the Active Directory server. Below is a snippet of the configuration.
Do you know why the attribute query fails?
Thanks
attribute-resolver.xml
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://WIN-1GB01UK5SL6.VECISADTEST.com"
    baseDN="CN=Users,DC=vecisadtest,DC=com"
    principal="Administrator@vecisadtest.com"
    principalCredential="XXX"
    useStartTLS="false">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <StartTLSTrustCredential xsi:type="sec:X509Filesystem"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        id="UA_AD_CA_Certificate">
        <sec:Certificate>C:\Progs\ShibbolethIdP\certs\VECISADTEST.pem</sec:Certificate>
    </StartTLSTrustCredential>
    <StartTLSAuthenticationCredential xsi:type="sec:X509Filesystem"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        id="IdPtoLDAPCredential">
        <sec:PrivateKey>C:\Progs\ShibbolethIdP\credentials\idp.key</sec:PrivateKey>
        <sec:Certificate>C:\Progs\ShibbolethIdP\credentials\idp.crt</sec:Certificate>
    </StartTLSAuthenticationCredential>
</resolver:DataConnector>
idp-metadata.xml
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.janet.org:8444/idp/profile/SAML1/SOAP/AttributeQuery"/>
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.janet.org:8444/idp/profile/SAML2/SOAP/AttributeQuery"/>
Thanks. The problem was solved by updating the configuration file shibboleth2.xml on the Service Provider. The signing attribute must be set to true:
[Shibboleth Service Provider install location]\etc\Shibboleth\shibboleth2.xml, SPConfig > ApplicationDefaults@signing

The default installation of Shibboleth Service Provider 2.5.2 has the signing attribute set to false. How do you test the attribute query? Via Saml2Client or via SOAP?
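As an added example (not part of the original question, answer or the Shibboleth project), the following Python check reads a shibboleth2.xml and reports whether the SOAP AttributeQuery the SP sends over the back channel will be signed, which is what the answer's ApplicationDefaults@signing change controls. The SP's signing property accepts true/false/front/back; only "true" and "back" cover back-channel messages, and an ApplicationOverride that does not set signing inherits the defaults' value. The sample configurations, the entityIDs and the override id "admin" are constructed here for illustration.

```python
"""Lint a shibboleth2.xml: will the SP sign its back-channel AttributeQuery?

Added example, not code from the original post or from Shibboleth.  The
sample configurations below are constructed; only the elements this check
reads (ApplicationDefaults, ApplicationOverride, CredentialResolver) are
included.
"""
import xml.etree.ElementTree as ET

NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}

# The SP's signing property takes true/false/front/back.  "true" and "back"
# are the values that cover back-channel SOAP messages such as the
# AttributeQuery the IdP's MandatoryAuthenticatedMessageRule rejected above.
SIGNS_BACK_CHANNEL = {"true", "back"}


def effective_signing(root, application_id="default"):
    """Resolve the signing value that applies to one application.

    ApplicationOverride elements inherit every property they do not set from
    ApplicationDefaults; when ApplicationDefaults is silent the SP default
    (false) applies.
    """
    defaults = root.find("conf:ApplicationDefaults", NS)
    if defaults is None:
        raise ValueError("shibboleth2.xml has no ApplicationDefaults element")
    value = defaults.get("signing", "false")
    if application_id != "default":
        for override in defaults.findall("conf:ApplicationOverride", NS):
            if override.get("id") == application_id:
                value = override.get("signing", value)
                break
        else:
            raise ValueError(f"no ApplicationOverride with id={application_id!r}")
    return value.strip().lower()


def has_credential_resolver(root):
    """Signing needs a private key: look for any CredentialResolver."""
    return root.find(".//conf:CredentialResolver", NS) is not None


def attribute_query_will_be_signed(xml_text, application_id="default"):
    """Return (ok, reason) for the back channel used by attribute queries."""
    root = ET.fromstring(xml_text)
    signing = effective_signing(root, application_id)
    if signing not in SIGNS_BACK_CHANNEL:
        return False, (f'signing resolves to "{signing}": the AttributeQuery is sent '
                       'unsigned, so an IdP that does not authenticate the SP by TLS '
                       'client certificate rejects it (Responder / security requirements)')
    if not has_credential_resolver(root):
        return False, "signing requested but no CredentialResolver supplies a key"
    return True, f'signing="{signing}" covers back-channel SOAP messages'


# Constructed sample in the shape SP 2.5 ships with: signing off.
WEAK_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       signing="false" encryption="false">
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""

# The answer's fix, signing="true", plus an override (hypothetical id "admin")
# that says nothing about signing and therefore inherits it.
FIXED_CONFIG = WEAK_CONFIG.replace('signing="false"', 'signing="true"').replace(
    "</ApplicationDefaults>",
    '  <ApplicationOverride id="admin" entityID="https://sp.example.org/admin"/>\n'
    "</ApplicationDefaults>")

# Narrower alternative: sign only back-channel messages, leaving front-channel
# AuthnRequests unsigned.
BACK_ONLY_CONFIG = WEAK_CONFIG.replace('signing="false"', 'signing="back"')

if __name__ == "__main__":
    for name, cfg in [("as shipped", WEAK_CONFIG), ("answer's fix", FIXED_CONFIG),
                      ("back-channel only", BACK_ONLY_CONFIG)]:
        ok, why = attribute_query_will_be_signed(cfg)
        print(f"{name:18} {'OK  ' if ok else 'FAIL'} {why}")
```

The check deliberately reports the unsigned case as a failure only in terms of what the IdP's policy needs: the Shibboleth IdP's back-channel security policy authenticates the requester either by a TLS client certificate or by an XML signature on the message, and MandatoryAuthenticatedMessageRule fires when neither succeeded. Turning on signing is the fix the answer used; presenting a client certificate the IdP trusts on the SOAP endpoint is the other way to satisfy the same rule.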