我正在构建基于Laravel框架的Web应用程序,我需要使用ADFS作为身份提供程序添加对SSO的支持。
我可以使用基于package laravel-saml2的onelogin toolkit启用单点登录,但现在我遇到了单点登出。
当从Web应用程序发出LogoutRequest时,ADFS错误日志中会显示以下错误。
Microsoft.IdentityServer.RequestFailedException:MSIS7054:SAML 注销未正确完成。 System.Security.Cryptography.CryptographicException:参数是 不正确。在 System.Security.Cryptography.CryptographicException.ThrowCryptographicException(的Int32 hr)at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext,Byte [] pbEncryptedKey,Int32 cbEncryptedKey,Boolean fOAEP,ObjectHandleOnStack ohRetDecryptedKey)at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(字节[] rgb,布尔fOAEP)at System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange(字节[] rgbIn)at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause,SecurityKey&关键)at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader 读者,SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer,Collection`1子句, EncryptingCredentials&安培; encryptingCredentials)at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadEncryptedId(的XmlReader 读者) Microsoft.IdentityServer.Protocols.Saml.Saml2AssertionSerializer.ReadEncryptedId(的XmlReader 读者) Microsoft.IdentityServer.Web.Protocols.Saml.SingleLogoutService.ProcessMessage(SamlMessage samlMessage,BindingInformation bindingInformation,Boolean partialLogout,Boolean validResponseMessage,Boolean& validLogoutRequest) Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage,String sessionState,String logoutState,Boolean partialLogout,Boolean isUrlTranslationNeeded,HttpSamlMessage& newLogoutMessage,String& newSessionState,String& newLogoutState, 布尔和放大器; validLogoutRequest)
下面列出了我正在使用的onelogin设置。
<?php
//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
$idp_hostname = 'login.adfs.pt';
return $settings = array(
/*****
* Cosmetic settings - controller routes
**/
'useRoutes' => true, //include library routes and controllers
'routesPrefix' => '/saml2',
/**
* Where to redirect after logout
*/
'logoutRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'loginRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'errorRoute' => '/',
/*****
* One Loign Settings
*/
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true, //@todo: make this depend on laravel config
// Enable debug mode (to print errors)
'debug' => true, //@todo: make this depend on laravel config
// Service Provider Data that we are deploying
'sp' => array(
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => 'XXXXXXXXXXXXXXXX MY SP Public key XXXXXXXXXXXXXXX',
'privateKey' => 'XXXXXXXXXXXYXX My SP Private key YXYYYYYYYYYYYYYY',
//LARAVEL - You don't need to change anything else on the sp
// Identifier of the SP entity (must be a URI)
'entityId' => '', //LARAVEL: This would be set to saml_metadata route
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => array(
// URL Location where the <Response> from the IdP will be returned
'url' => '', //LARAVEL: This would be set to saml_acs route
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
//'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
'singleLogoutService' => array(
// URL Location where the <Response> from the IdP will be returned
'url' => '', //LARAVEL: This would be set to saml_sls route
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
//'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
),
// Identity Provider Data that we want connect with our SP
'idp' => array(
// Identifier of the IdP entity (must be a URI)
'entityId' => 'http://' . $idp_hostname . '/adfs/services/trust',
// SSO endpoint info of the IdP. (Authentication Request protocol)
'singleSignOnService' => array(
// URL Target of the IdP where the SP will send the Authentication Request Message
'url' => 'https://' . $idp_hostname . '/adfs/ls/',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-POST binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// SLO endpoint info of the IdP.
'singleLogoutService' => array(
// URL Location of the IdP where the SP will send the SLO Request
//'url' => $idp_host . '/saml2/idp/SingleLogoutService.php',
'url' => 'https://' . $idp_hostname . '/adfs/ls/',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Public x509 certificate of the IdP
'x509cert' => 'XXXXXXXXXXXXXXX ADFS Identity Provider public key XXXXXXXXXXXXX',
/*
* Instead of use the whole x509cert you can use a fingerprint
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
*/
//'certFingerprint' => '',
),
/***
*
* OneLogin advanced settings
*
*
*/
// Security settings
'security' => array(
/** signatures and encryptions offered */
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
// will be encrypted.
'nameIdEncrypted' => true,
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
// will be signed. [The Metadata of the SP will offer this info]
'authnRequestsSigned' => true,
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
// will be signed.
'logoutRequestSigned' => true,
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
// will be signed.
'logoutResponseSigned' => true,
/* Sign the Metadata
False || True (use sp certs) || array (
keyFileName => 'metadata.key',
certFileName => 'metadata.crt'
)
*/
'signMetadata' => false,
/** signatures and encryptions required **/
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
// <samlp:LogoutResponse> elements received by this SP to be signed.
'wantMessagesSigned' => false,
// Indicates a requirement for the <saml:Assertion> elements received by
// this SP to be signed. [The Metadata of the SP will offer this info]
'wantAssertionsSigned' => false,
// Indicates a requirement for the NameID received by
// this SP to be encrypted.
'wantNameIdEncrypted' => false,
// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest,
// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
'requestedAuthnContext' => false,
),
// Contact information template, it is recommended to suply a technical and support contacts
'contactPerson' => array(
'technical' => array(
'givenName' => 'name',
'emailAddress' => 'my@email.pt'
),
'support' => array(
'givenName' => 'Support',
'emailAddress' => 'my@email.pt'
),
),
// Organization information template, the info in en_US lang is recomended, add more if required
'organization' => array(
'en-US' => array(
'name' => 'Michael',
'displayname' => 'Michael',
'url' => ''
),
),
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
// MUST NOT assume that the IdP validates the sign
'wantAssertionsSigned' => true,
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
'wantNameIdEncrypted' => false,
*/
);
我一直在搜索此错误一段时间,但我无法找到任何有关如何解决它的帮助。我错过了一些配置吗?