Question

我们有PF安装，我们正在尝试设置基于OpenID Connect的SSO。我们将PF IdP连接到我们的内部Windows AD。当我们尝试请求Auth Code时，要执行基于浏览器的SSO，我们会遇到以下异常： Mapping into unique user key resulted in null or empty value from source attributes

这是日志文件中的内容

2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.domain.LDAPUsernamePasswordCredentialValidator] search sAMAccountName=MYLOGIN
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{PF=v15OJ5PwavFr0TTQqGGPxWrOjzUTXlkVKfVCB2yceOXN; path=/; maxAge=-1; domain=null} replacing Cookie{PF=v15OJ5PwavFr0TTQqGGPxWv76zVxxdpyURw82xJJBtXK; path=/; maxAge=-1; domain=null}
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: v76zVxxdpyURw82xJJBtXK, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:SESSION)
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: rOjzUTXlkVKfVCB2yceOXN, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:last-activity)
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: rOjzUTXlkVKfVCB2yceOXN, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:first-activity)
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{pf-hfa-WatsonHTML-rmu=; path=/; maxAge=0; domain=null} replacing null
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.websso.authn.AdapterAuthnProcessor] adapterResponse=SUCCESS
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for context.TargetResource
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_KEY
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_NAME
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.domain.AttributeMapping] Source attributes:{context.ClientIp=CLIP, context.OAuthScopes=openid, username=MYLOGIN, DN=CN=My Name,OU=Users,OU=xx,OU=xx,DC=xx,DC=yy,DC=co,DC=uk, org.sourceid.saml20.adapter.idp.authn.authnInst=1461663746912, context.ClientId=UAT-Watson, context.HttpRequest=/as/Z3XeL/resume/as/authorization.ping} Resulting attributes:{}
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI ERROR [org.sourceid.oauth20.handlers.HandleAuthorizationRequest] Exception occurred during request processing
org.sourceid.websso.profiles.ProcessRuntimeException: Mapping into unique user key resulted in null or empty value from source attributes
    at org.sourceid.oauth20.domain.UserKeyAttrMapping.execMapping(UserKeyAttrMapping.java:50) ~[pf-protocolengine.jar:?]
    at org.sourceid.oauth20.domain.UserKeyAttrMapping.execMapping(UserKeyAttrMapping.java:38) ~[pf-protocolengine.jar:?]

我很困惑为什么它为USER_KEY和USER_NAME获取NULL值，尽管IdP适配器响应是成功的。

有人可以帮忙吗？

感谢

Answer 1

确定。我发现了修复。在我的IdP适配器映射中，我USER_NAME已从displayName映射到Adapter。我将其更改为Text ${username}的值。这有帮助。但是，仍然不明白为什么这是正确的事情。

PingFederate错误 - 忽略尝试将空值添加到USER_KEY

1 个答案: