使用openAm作为IDP和另一个服务提供者将使用名称ID格式抛出异常

时间:2013-04-02 16:15:07

标签: single-sign-on openam

我正在尝试使用OpenAm作为IDP并将应用程序本身作为服务提供者为我的应用程序配置SSO。

Folowing是IDP和服务提供商的元数据:

  <EntityDescriptor entityID="http://www.cpfdomain.com:8091/openam_10.0.1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/ArtifactResolver/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloRedirect/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloPOST/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPSloSoap/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp" ResponseLocation="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniPOST/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOPOST/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/SSOSoap/metaAlias/idp"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/NIMSoap/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://www.cpfdomain.com:8091/openam_10.0.1/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>

服务提供商元数据:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>Key Info</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="LOGOUT LOCATION URI" ResponseLocation="LOGOUT LOCATION URI"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ASSERTION URI"/>
    </SPSSODescriptor>
</EntityDescriptor>

当我测试联邦时,我总是收到以下错误:

message Error processing AuthnRequest. Service provider does not support name identifier format urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

我已经在我正在测试的信任圈中从IDP和SP中删除了此标识符。

任何帮助将不胜感激。

感谢。

1 个答案:

答案 0 :(得分:1)

当您从IdP和SP MetaData中删除NameIdFormat'um:oasis:names:tc:SAML:2.0:nameid-format:transient'时,您无法使用它......这应该是显而易见的。

当然,您必须通过指定两个实体支持的NameIdFormat来测试SSO ...在您的情况下'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'。

使用HTTP-POST绑定测试IdP启动的SSO ...

OPENAM_SCHEME:// OPENAM_FQDN:OPENAM_PORT / OPENAM_DEPLOYMENT_URI / idpssoinit NameIDFormat =瓮:绿洲:名称:TC:SAML:1.1:填充NameID格式:EmailAddress的&安培; metaAlias = IDP_META_ALIAS&安培; spEntityID =试验&安培;粘合剂=瓮:绿洲:名:TC:SAML:2.0:绑定:HTTP-POST

相关问题
最新问题