我们使用PingFederate作为SP并配置了opentokenadapter。我们还使用PingFederate Apache Agent(mod_pf.so)进行SSO。当用户点击下面的注销链接时,会发生以下步骤:
但是没有呼叫为此连接配置IDP。我们是否缺少任何配置?
P.S。我们尚未在opentoken适配器配置中配置注销服务。
添加日志:
2016-06-13 03:01:36,128 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] GET: https://ny-pingfed-app02.na.rtdom.net:9031/sp/startSLO.ping
2016-06-13 03:01:36,128 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [10.221.56.36:7600, 10.221.56.29:7600]
2016-06-13 03:01:36,128 DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of lookupAuthnBeansAndSessions on org.sourceid.saml20.service.impl.localmemory.SpSessionRegistryMapImpl@7a85063c{bean->session=19, nidKey->sessionlists=7, pfsessionid->beanslist=17} w/args: [oYxtMFSy5GYQ5lK3EN1Lkt] returned {SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}
2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.SpSessionRegistryGroupRpcImpl] called mode:GET_MAJORITY lookupAuthnBeansAndSessions([oYxtMFSy5GYQ5lK3EN1Lkt]) on [10.221.56.36:7600, 10.221.56.29:7600] responses:
[sender=10.221.56.36:7600, retval={SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}, received=true, suspected=false]
[sender=10.221.56.29:7600, retval={SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}, received=true, suspected=false]
2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [10.221.56.36:7600, 10.221.56.29:7600]
2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.SpSessionRegistryGroupRpcImpl] called mode:GET_NONE unregisterSessionsReceived([[SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca]]) on [10.221.56.36:7600, 10.221.56.29:7600]
2016-06-13 03:01:36,230 DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of unregisterSessionsReceived on org.sourceid.saml20.service.impl.localmemory.SpSessionRegistryMapImpl@7a85063c{bean->session=18, nidKey->sessionlists=6, pfsessionid->beanslist=16} w/args: [[SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca]] returned null
2016-06-13 03:01:36,263 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] PFSessionXRefID:_0d66d53a8fea5733ea5621a7b90b923b
2016-06-13 03:01:36,501 WARN [org.eclipse.jetty.servlet.ServletHandler]
javax.servlet.ServletException: org.sourceid.websso.profiles.ProcessRuntimeException: org.sourceid.saml20.adapter.AuthnAdapterException: Logout functionality invoked, but no logout service is configured for this adapter.
at org.sourceid.servlet.ServletExceptionSupport.throwServletException(ServletExceptionSupport.java:26)
at org.sourceid.websso.servlet.IntegrationControllerServlet.process(IntegrationControllerServlet.java:88)
at org.sourceid.websso.servlet.EnforcerServletBase.checkProcess(EnforcerServletBase.java:84)
似乎Logout Service是必需参数。应该是什么价值?应该是IDP的SLO端点还是应用程序(SP正在保护)注销网址?