Single sign on 使用openAm作为IDP和另一个服务提供商引发名称ID格式的异常
我正在尝试使用OpenAm作为IDP和应用程序本身作为服务提供者为我的应用程序配置SSO 以下是IDP和服务提供商的元数据:Single sign on 使用openAm作为IDP和另一个服务提供商引发名称ID格式的异常,single-sign-on,openam,Single Sign On,Openam,我正在尝试使用OpenAm作为IDP和应用程序本身作为服务提供者为我的应用程序配置SSO 以下是IDP和服务提供商的元数据: <EntityDescriptor entityID="http://www.cpfdomain.com:8091/openam_10.0.1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <IDPSSODescriptor WantAuthnRequestsSigned="false" protoco
<EntityDescriptor entityID="http://www.cpfdomain.com:8091/openam_10.0.1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/ArtifactResolver/metaAlias/idp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloSoap/metaAlias/idp"/>
<ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp"/>
<ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp"/>
<ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniSoap/metaAlias/idp"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSORedirect/metaAlias/idp"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOPOST/metaAlias/idp"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOSoap/metaAlias/idp"/>
<NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/NIMSoap/metaAlias/idp"/>
<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqSoap/IDPRole/metaAlias/idp"/>
<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>
我已将此标识符从我正在测试的信任圈中的IDP和SP中删除
任何帮助都将不胜感激
谢谢。由于您已从IdP和SP元数据中删除了NameIdFormat“urn:oasis:names:tc:SAML:2.0:nameid format:transient”,因此无法使用它。。。这应该是显而易见的 当然,您必须通过指定两个实体都支持的NameIdFormat来测试SSO。。。在您的例子中,“urn:oasis:names:tc:SAML:1.1:nameid格式:emailAddress” 要使用HTTP-POST绑定测试IdP启动的SSO,请使用
OPENAM_SCHEME://OPENAM_FQDN:OPENAM_PORT/OPENAM_DEPLOYMENT\u URI/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:1.1:nameid格式:emailAddress&metaAlias=IDP_META_ALIAS&spEntityID=test&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST谢谢您的回复。。我的问题已经解决了。。我刚刚删除了IDP和SP,并与新的IDP和SP建立了一个新的信任圈,在双方注册了元数据。。我错过的是在创建IDP时指定签名密钥信息。如果这是您唯一的问题(我对此表示怀疑),那么您可以在实体配置的AssertionContent选项卡下提供证书别名,然后在远程实例上导出/导入新的元数据(以便它也知道证书)。
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>Key Info</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="LOGOUT LOCATION URI" ResponseLocation="LOGOUT LOCATION URI"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</NameIDFormat>
<AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ASSERTION URI"/>
</SPSSODescriptor>
</EntityDescriptor>
message Error processing AuthnRequest. Service provider does not support name identifier format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.