Fatal编程技术网
  • single-sign-on/
  • Single sign on 使用openAm作为IDP和另一个服务提供商引发名称ID格式的异常

Single sign on 使用openAm作为IDP和另一个服务提供商引发名称ID格式的异常

single-sign-on

Single sign on 使用openAm作为IDP和另一个服务提供商引发名称ID格式的异常,single-sign-on,openam,Single Sign On,Openam,我正在尝试使用OpenAm作为IDP和应用程序本身作为服务提供者为我的应用程序配置SSO 以下是IDP和服务提供商的元数据: <EntityDescriptor entityID="http://www.cpfdomain.com:8091/openam_10.0.1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <IDPSSODescriptor WantAuthnRequestsSigned="false" protoco

我正在尝试使用OpenAm作为IDP和应用程序本身作为服务提供者为我的应用程序配置SSO

以下是IDP和服务提供商的元数据:

  <EntityDescriptor entityID="http://www.cpfdomain.com:8091/openam_10.0.1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/ArtifactResolver/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloSoap/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOPOST/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOSoap/metaAlias/idp"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/NIMSoap/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>
我已将此标识符从我正在测试的信任圈中的IDP和SP中删除

任何帮助都将不胜感激

谢谢。

由于您已从IdP和SP元数据中删除了NameIdFormat“urn:oasis:names:tc:SAML:2.0:nameid format:transient”,因此无法使用它。。。这应该是显而易见的

当然,您必须通过指定两个实体都支持的NameIdFormat来测试SSO。。。在您的例子中,“urn:oasis:names:tc:SAML:1.1:nameid格式:emailAddress”

要使用HTTP-POST绑定测试IdP启动的SSO,请使用

OPENAM_SCHEME://OPENAM_FQDN:OPENAM_PORT/OPENAM_DEPLOYMENT\u URI/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:1.1:nameid格式:emailAddress&metaAlias=IDP_META_ALIAS&spEntityID=test&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST谢谢您的回复。。我的问题已经解决了。。我刚刚删除了IDP和SP,并与新的IDP和SP建立了一个新的信任圈,在双方注册了元数据。。我错过的是在创建IDP时指定签名密钥信息。如果这是您唯一的问题(我对此表示怀疑),那么您可以在实体配置的AssertionContent选项卡下提供证书别名,然后在远程实例上导出/导入新的元数据(以便它也知道证书)。 
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>Key Info</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="LOGOUT LOCATION URI" ResponseLocation="LOGOUT LOCATION URI"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ASSERTION URI"/>
    </SPSSODescriptor>
</EntityDescriptor>

message Error processing AuthnRequest. Service provider does not support name identifier format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.