ADFS 2.0 simpleSAML problem: more than one claim based on SamlNameIdentifierClaimResource was produced

Date: 2013-07-09 08:33:48

Tags: saml saml-2.0 adfs

I am trying to set up an ADFS 2.0 IdP / simpleSAML SAML SP configuration, and I am stuck on an error reported by ADFS that I can't even find in the official ADFS documentation. I have successfully set up the relying party; from the SP application I am redirected to the IdP and I can authenticate, but on the redirect back to the SP I get this:

The Federation Service could not fulfill the token-issuance request.
More than one claim based on SamlNameIdentifierClaimResource was produced after the
issuance transform rules were applies for relying party 'url here'. Please see event
500 with the same instance id for claims after application of issuance transform rules.

Additional Data 
Instance id: 44ef5c64-7bcb-4766-9016-75034b4fd7eb 

User Action 
Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.

Also, a warning:

More information for the event entry with instance id 44ef5c64-7bcb4766-9016-75034b4fd7eb.
There may be more events with the same instance id with more information.

Instance id:
44ef5c64-7bcb-4766-9016-75034b4fd7eb

Issued identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
    user name I used
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    user name I used
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    CKTECHNO\user name I used
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
    http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
    2013-07-08T14:30:46.465Z

Here is my conf:

(screenshot: adfs claims)

(screenshot: active directory claim)

(screenshot: name id claim)

I have searched everywhere and there is no mention of this type of error. Even the 500 event I can't seem to find in the MS documentation. Any help is greatly appreciated. Thanks!

2 answers:

Answer 0 (score: 3)

Thanks @nzpcmad, the problem was indeed the fact that the account name is added by default, and also the group, which I had created twice. It's a real pity this isn't clearly stated, because you can't really tell from the situation. Problem solved.

Answer 1 (score: 2)

First, +1 for a well-documented question.

I suspect the problem is that the Windows account name is one of the built-in claims. What happens if you remove the sAMAccountName mapping? (i.e. just do the transform).

Also, it is more common to use the email name. That's the one I always use.
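The duplicate described in the question and the fix suggested in both answers, as an added example that is not from the question, the answers or the simpleSAMLphp/ADFS projects: a rule set that issues the Name ID twice beside one that issues it once, plus a check that counts Name ID-issuing rules. It assumes the ADFS 2.0 PowerShell snap-in and a relying party trust named "simplesaml-sp" (placeholder name).

```powershell
# Added example (not from the question or answers). Assumes the ADFS 2.0
# PowerShell snap-in and a relying party trust named "simplesaml-sp" (placeholder).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName  = "simplesaml-sp"   # placeholder: the relying party's display name
$nameId  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$winAcct = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Rule set that reproduces the event: two rules each issue a Name ID, one straight
# from sAMAccountName ("user") and one transformed from windowsaccountname ("DOMAIN\user").
$broken = @"
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName as Name ID"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$nameId"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "windowsaccountname to Name ID"
c:[Type == "$winAcct"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Corrected rule set: windowsaccountname already arrives as a built-in claim, so a
# single transform rule is enough and exactly one Name ID reaches the SP.
$fixed = @"
@RuleTemplate = "MapClaims"
@RuleName = "windowsaccountname to Name ID"
c:[Type == "$winAcct"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Check: how many rules in a rule set issue the Name ID claim type?
# Assumes rules are separated by a blank line, as the ADFS cmdlets print them.
function Get-NameIdRuleCount([string]$rules) {
    $n = 0
    foreach ($rule in ($rules -split '(?:\r?\n){2,}')) {
        if ($rule -notmatch '=>') { continue }                 # skip empty chunks
        $issueSide = ($rule -split '=>', 2)[1]                 # only the issue() side counts
        if ($issueSide -match [regex]::Escape($nameId)) { $n++ }
    }
    return $n
}

# A count above one is exactly the condition ADFS reports in the event above.
"Broken rule set: $(Get-NameIdRuleCount $broken) rule(s) issue a Name ID"
"Fixed rule set:  $(Get-NameIdRuleCount $fixed) rule(s) issue a Name ID"

# Inspect the live trust the same way, then apply the corrected rules once verified:
$live = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
"Live trust:      $(Get-NameIdRuleCount $live) rule(s) issue a Name ID"
# Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $fixed
```

Run the check against the live trust before and after editing the rules; the event in the question reappears whenever the count is above one.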