PingFederate SP SLO does not go to the IDP

Time: 2016-06-01 14:40:47

Tags: pingfederate

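We are using PingFederate as the SP and have configured the opentokenadapter. We are also using the PingFederate Apache Agent (mod_pf.so) for SSO. When a user clicks the logout link, the following steps occur:

  1. A call goes to the logout URL defined in the mod_pf.conf file (PingFederateCancelURL), which is our application's logout page.
  2. Another call goes to /sp/startSLO.ping, and I can see SLO logs in the PingFederate server.
  3. But no call goes to the IDP configured for this connection. Are we missing any configuration?

    P.S. We have not configured the Logout Service in the opentoken adapter configuration.

    Adding logs: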

    2016-06-13 03:01:36,128 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] GET: https://ny-pingfed-app02.na.rtdom.net:9031/sp/startSLO.ping
    2016-06-13 03:01:36,128 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [10.221.56.36:7600, 10.221.56.29:7600]
    2016-06-13 03:01:36,128  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of lookupAuthnBeansAndSessions on org.sourceid.saml20.service.impl.localmemory.SpSessionRegistryMapImpl@7a85063c{bean->session=19, nidKey->sessionlists=7, pfsessionid->beanslist=17} w/args: [oYxtMFSy5GYQ5lK3EN1Lkt] returned {SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}
    2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.SpSessionRegistryGroupRpcImpl] called mode:GET_MAJORITY lookupAuthnBeansAndSessions([oYxtMFSy5GYQ5lK3EN1Lkt]) on [10.221.56.36:7600, 10.221.56.29:7600] responses:
    [sender=10.221.56.36:7600, retval={SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}, received=true, suspected=false]
    [sender=10.221.56.29:7600, retval={SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca=WebSsoSession{entityId='https://devci-casshib-ny.mediaocean.com/idp/shibboleth', assertionId='_36dab27f092d6367407cb9042e350aed', sessionIndex='_0d66d53a8fea5733ea5621a7b90b923b', nameId(value)=_3aa309b361c657bf1bc2a307d19ac432}}, received=true, suspected=false]
    
    2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [10.221.56.36:7600, 10.221.56.29:7600]
    2016-06-13 03:01:36,131 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.saml20.service.impl.grouprpc.SpSessionRegistryGroupRpcImpl] called mode:GET_NONE unregisterSessionsReceived([[SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca]]) on [10.221.56.36:7600, 10.221.56.29:7600]
    2016-06-13 03:01:36,230  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of unregisterSessionsReceived on org.sourceid.saml20.service.impl.localmemory.SpSessionRegistryMapImpl@7a85063c{bean->session=18, nidKey->sessionlists=6, pfsessionid->beanslist=16} w/args: [[SpHashableAuthnBean: 8b3ec7801a2976aa103df829dffc21f260ea7aca]] returned null
    2016-06-13 03:01:36,263 tid:C0aV2SqcQXoy97ployGFLFGFR14 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] PFSessionXRefID:_0d66d53a8fea5733ea5621a7b90b923b
    2016-06-13 03:01:36,501  WARN  [org.eclipse.jetty.servlet.ServletHandler]
    javax.servlet.ServletException: org.sourceid.websso.profiles.ProcessRuntimeException: org.sourceid.saml20.adapter.AuthnAdapterException: Logout functionality invoked, but no logout service is configured for this adapter.
            at org.sourceid.servlet.ServletExceptionSupport.throwServletException(ServletExceptionSupport.java:26)
            at org.sourceid.websso.servlet.IntegrationControllerServlet.process(IntegrationControllerServlet.java:88)
            at org.sourceid.websso.servlet.EnforcerServletBase.checkProcess(EnforcerServletBase.java:84)
    

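    It seems the Logout Service is a required parameter. What should its value be? Should it be the IDP's SLO endpoint or the logout URL of the application (the one the SP is protecting)?

0 answers:

No answers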