SubjectConfirmationData中的收件人与当前URL不匹配

时间:2016-04-24 18:15:07

标签: php simplesamlphp webseal tivoli-identity-manager

尝试连接到webseal saml端点时出现以下错误

我的服务器设置为SP,我正在尝试对我在saml20-idp-remote.php中设置的IDP进行身份验证

重定向工作正常,但当IDP重定向回我的SP时,我收到以下错误。

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Error validating SubjectConfirmation in Assertion:
 Recipient in SubjectConfirmationData does not match the current URL. 
Recipient is 'http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp', 
current URL is 
'http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'.
Backtrace:
3 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:684 (sspmod_saml_Message::processAssertion)
2 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:517 (sspmod_saml_Message::processResponse)
1 /mnt/www/html/livehappierstg/simplesaml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:134 (N/A)

如何更改配置文件中主题确认数据中的收件人网址。

我的配置文件如下。

'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'http://local.com/',

    // The entity ID of the IdP this should SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://example.com/federatedaccess/SSOConsume.do',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
)

SAML2.0 Idp远程配置

$metadata['https://example.com/federatedaccess/SSOConsume.do'] = array(
  'name' => array(
    'en' => 'My SSO',
  ),
  'description' => 'My single sign on webseal environment.',
  'ForceAuthn' => false,
  'IsPassive' => false,
  'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
  'SingleSignOnService' => 'https://example.com/federatedaccess/SSOConsume.do',
  'certificate' => 'pub.crt',
  'sign.authnrequest' => true,
  'redirect.sign' => true,
  'redirect.validate' => true,
);

干杯

1 个答案:

答案 0 :(得分:0)

这是如何使用SP配置IdP的问题。应将Recipient中的SubjectConfirmationData设置为http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp,而使用http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp(请注意路径中saml2-acs.php与metadata.php的区别)。< / p>

Idp正在使用的网址是检索SP的元数据的网址。它似乎不是在阅读元数据,而是使用该网址作为AssertionConsumerService网址。

相关问题
最新问题