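I'm trying to get a better understanding of how the GSA authenticates users.
We have a GSA search configured with multiple cookie authn mechanisms under the same credential group. From the logs, it looks like the user has to be authenticated by all of these mechanisms, not just one. Is this expected behavior?
I would expect the user to need only one mechanism to verify their authentication before the GSA performs the search.
In the failure log, the GSA goes through all four mechanisms and only one of them verifies the user. No results are returned, and there is no "Authentication successful!" line. In the success log, the three mechanisms that refuted the user have been removed. Results are returned.
This seems odd to me. I'm still looking, but I haven't found any documentation about this yet. Has anyone else run into this?
Failure log: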
150249 16:24:19.593 [Authentication] New session for this request: 744e33ce2597dc4391a173c3d99cd6d8
150249 16:24:19.600 [Authentication] running AuthN mechanism SAML
150249 16:24:19.602 [Authentication] Redirecting user to be authenticated by the Security Manager: <filtered>
150249 16:24:19.746 [Security Manager] Incoming cookies from user agent: <filtered>
150249 16:24:19.909 [Security Manager] Attempting to authenticate using pre-existing credentials.
150249 16:24:20.076 [Security Manager] The credentials were refuted by cred_mech1
150249 16:24:20.170 [Security Manager] The credentials were refuted by cred_mech2
150249 16:24:20.180 [Security Manager] The credentials were refuted by cred_mech3
150249 16:24:20.207 [Security Manager] The credentials were verified by cred_mech4
150249 16:24:20.213 [Security Manager] GroupsUpdateModule Auth: Looking up groups for user: <filtered>
150249 16:24:20.226 [Security Manager] GroupsUpdateModule did not find groups for: scope: 1 name: "<filtered>" name_space: "Default" case_sensitive: 0
150249 16:24:20.229 [Security Manager] The credentials were verified by Default_groups_1a852798543f79b0afe8af1789f9bb0c
150249 16:24:20.234 [Security Manager] Unable to authenticate with pre-existing credentials. Starting credentials gathering.
150249 16:24:20.237 [Security Manager] Not trying Universal Login Form because no remaining credential group can use it.
150249 16:24:20.244 [Security Manager] Not trying Universal Login Form because no remaining credential group can use it.
150249 16:24:20.251 [Security Manager] Not trying Universal Login Form because no remaining credential group can use it.
150249 16:24:20.259 [Security Manager] Outgoing cookies to user agent: (none)
Success log:
150249 15:42:29.269 [Authentication] New session for this request: 75fa3613c48c3b505aa8cc681cd142aa
150249 15:42:29.277 [Authentication] running AuthN mechanism SAML
150249 15:42:29.280 [Authentication] Redirecting user to be authenticated by the Security Manager: <filtered>
150249 15:42:29.496 [Security Manager] Incoming cookies from user agent: <filtered>
150249 15:42:29.669 [Security Manager] Attempting to authenticate using pre-existing credentials.
150249 15:42:29.917 [Security Manager] The credentials were verified by cred_mech4
150249 15:42:29.925 [Security Manager] GroupsUpdateModule Auth: Looking up groups for user: <filtered>
150249 15:42:29.940 [Security Manager] GroupsUpdateModule did not find groups for: scope: 1 name: "<filtered>" name_space: "Default" case_sensitive: 0
150249 15:42:29.943 [Security Manager] The credentials were verified by Default_groups_1a852798543f79b0afe8af1789f9bb0c
150249 15:42:29.948 [Security Manager] Outgoing cookies to user agent: (none)
150249 15:42:30.229 [Authentication] Authentication successful! Search user identity is: <filtered> ; session: 75fa3613c48c3b505aa8cc681cd142aa
150249 15:42:30.236 [Authentication] Verified credential: <filtered>, namespace: Default
150249 15:42:30.238 [Authentication] Authentication expiration time is: 20150218T154729.673-0600
150249 15:42:30.270 [Authentication] Redirecting user to relayState value: <fitlered>
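Answer 0: (score: 2)
My understanding is that the GSA is not intended to be used with a credential group that has multiple authentication mechanisms, unless one of those "authentication" mechanisms is really only being used for group lookup. That is the whole point of having multiple credential groups. If you could have multiple authentication mechanisms in a single credential group, how would late-binding authorization work? Would it only use the authentication mechanism that succeeded to perform the authorization checks?
If you want to provide multiple authorization paths, even if the corresponding authentication mechanisms all point to the same user repository under the covers, you need to provide multiple credential groups. If you want multiple authentication mechanisms that point to different user repositories, you definitely want to use multiple credential groups.
Answer 1: (score: 1)
One credential group represents one identity. If you have multiple cookie-based authentication mechanisms, you need to move them into separate credential groups.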
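Added example, not part of the original posts or of any GSA tooling: a small Python parser for the log layout shown in the question. It groups entries by session and lists the sessions in which at least one mechanism verified the credentials but no "Authentication successful!" line followed. The function names are hypothetical, and it assumes the entries of one request are contiguous, as in the excerpts.

```python
import re

# Entry layout as in the question's logs: "<id> HH:MM:SS.mmm [Component] message"
ENTRY = re.compile(r"^\d+ \d{2}:\d{2}:\d{2}\.\d{3} \[[^\]]+\] (.*)$")
NEW_SESSION = re.compile(r"New session for this request: ([0-9a-f]+)")
VERDICT = re.compile(r"The credentials were (refuted|verified) by (\S+)")

def summarize(log_text):
    """Per session: mechanisms that refuted/verified, and whether login completed."""
    # Assumption: entries belonging to one request are contiguous in the log.
    sessions, current = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        msg = m.group(1)
        started = NEW_SESSION.search(msg)
        if started:
            current = {"session": started.group(1), "refuted": [],
                       "verified": [], "success": False}
            sessions.append(current)
        elif current is not None:
            verdict = VERDICT.search(msg)
            if verdict:
                current[verdict.group(1)].append(verdict.group(2))
            elif "Authentication successful!" in msg:
                current["success"] = True
    return sessions

def verified_but_failed(sessions):
    """Session ids where a mechanism verified the user but login never completed."""
    return [s["session"] for s in sessions if s["verified"] and not s["success"]]

# Sample input abridged from the two logs in the question.
SAMPLE = """\
150249 16:24:19.593 [Authentication] New session for this request: 744e33ce2597dc4391a173c3d99cd6d8
150249 16:24:20.076 [Security Manager] The credentials were refuted by cred_mech1
150249 16:24:20.170 [Security Manager] The credentials were refuted by cred_mech2
150249 16:24:20.180 [Security Manager] The credentials were refuted by cred_mech3
150249 16:24:20.207 [Security Manager] The credentials were verified by cred_mech4
150249 16:24:20.234 [Security Manager] Unable to authenticate with pre-existing credentials. Starting credentials gathering.
150249 15:42:29.269 [Authentication] New session for this request: 75fa3613c48c3b505aa8cc681cd142aa
150249 15:42:29.917 [Security Manager] The credentials were verified by cred_mech4
150249 15:42:30.229 [Authentication] Authentication successful! Search user identity is: <filtered> ; session: 75fa3613c48c3b505aa8cc681cd142aa
"""

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["session"], "refuted:", s["refuted"], "verified:", s["verified"], "ok:", s["success"])
```

Sessions returned by `verified_but_failed` are the ones to compare against the credential group configuration the answers describe.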