onelogin SSO shibboleth ACS configuration

Time: 2016-06-16 15:18:43

Tags: single-sign-on saml-2.0 shibboleth onelogin

I am trying to get the Shibboleth SP in my lab to work with OneLogin [SAML Test Connector (IdP w/ attr)]. I was able to get everything working with the testshib IdP, but when I change my metadata provider and update my SSO entity ID, I get this error:

SAML message delivered with POST to incorrect server URL

Looking at my metadata file, I see my ACS is:

http://testserver/Shibboleth.sso/SAML2/POST

but when that is put into my OneLogin test connector, all I get is the error above.

Below is my Shibboleth2.xml file (entity IDs removed)

    <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
        <!-- Windows RequestMapper -->
        <!-- The RequestMap defines portions of the webspace to protect; testserver/secure here. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap -->

        <InProcess logger="native.logger">
            <ISAPI normalizeRequest="true" safeHeaderNames="false">
                <!--
                Maps IIS Instance ID values to the host scheme/name/port. The name is
                required so that the proper <Host> in the request map above is found without
                having to cover every possible DNS/IP combination the user might enter.
                -->
                <Site id="1" name="testserver"/>
                <!--
                When the port and scheme are omitted, the HTTP request's port and scheme are used.
                If these are wrong because of virtualization, they can be explicitly set here to
                ensure proper redirect generation.
                -->
                <!--
                <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
                -->
            </ISAPI>
        </InProcess>

        <RequestMapper type="Native">
            <RequestMap applicationId="default">
                <Host name="testserver">
                    <Path name="secure" authType="shibboleth" requireSession="true"/>
                </Host>
            </RequestMap>
        </RequestMapper>
        <!-- The entityID is the name TestShib made for your SP. -->
        <ApplicationDefaults entityID="" REMOTE_USER="eppn">
            <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
            <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
                <!-- Triggers a login request directly to the TestShib IdP. -->
                <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
                <SSO entityID="">SAML2</SSO>
                <!-- SAML and local-only logout. -->
                <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
                <Logout>SAML2 Local</Logout>
                <!--
                Handlers allow you to interact with the SP and gather more information.  Try them out!
                Attribute values received by the SP through SAML will be visible at:
                http://sdserver/Shibboleth.sso/Session
                -->
                <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
                <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
                <!-- Status reporting service. -->
                <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
                <!-- Session diagnostic service. -->
                <Handler type="Session" Location="/Session" showAttributeValues="true"/>
                <!-- JSON feed of discovery information. -->
                <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
            </Sessions>
            <!-- Error pages to display to yourself if something goes horribly wrong. -->
            <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
            <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
            <MetadataProvider type="XML" file="onelogin_metadata.xml"/>
            <!-- Attribute and trust options you shouldn't need to change. -->
            <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
            <AttributeResolver type="Query" subjectMatch="true"/>
            <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
            <!-- Your SP generated these credentials.  They're used to talk to IdP's. -->
            <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        </ApplicationDefaults>
        <!-- Security policies you shouldn't change unless you know what you're doing. -->
        <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
        <!-- Low-level configuration about protocols and bindings available for use. -->
        <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
    </SPConfig>

Metadata (again with sensitive information removed)

    <?xml version="1.0"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/">
      <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate></ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://.onelogin.com/trust/saml2/soap/sso/"/>
      </IDPSSODescriptor>
      <ContactPerson contactType="technical">
        <SurName>Support</SurName>
        <EmailAddress>support@onelogin.com</EmailAddress>
      </ContactPerson>
    </EntityDescriptor>

The connector has only the following settings:

ACS (Consumer) URL Validator: ^http://testserver/shibboleth.sso/SAML2/POST$

ACS (Consumer) URL: http://testserver/shibboleth.sso/SAML2/POST

1 answer:

Answer 0: (score: 1)

This guide explains how to configure OneLogin's connector.

In Shibboleth:

Edit /etc/shibboleth/shibboleth2.xml and add the metadata URL as a metadata provider.

I see you have already obtained the app's metadata URL by logging into OneLogin as an administrator and clicking the Test Connector > SSO tab > Issuer URL.

and added it to the file:

    <MetadataProvider type="XML" file="onelogin_metadata.xml"/>

Add the attribute mapping: edit /etc/shibboleth/attribute-map.xml and add the following attributes:

    <!-- OneLogin attributes -->

    <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="login">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

    <Attribute name="User.Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="email">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

    <Attribute name="User.FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="firstName">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>

    <Attribute name="User.LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="lastName">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>

The error you are getting, "SAML message delivered with POST to incorrect server URL", is documented:

When a SAML message is addressed to a location inconsistent with where the SP believes it's running, this error will be thrown. The SP pulls much of this information from the web environment.

* Verify that the server name and port are properly set in accordance with the SP's metadata.
* Rewriting rules in effect for the Shibboleth.sso handler path must be consistent with the SP's metadata.
* The IdP needs to properly address the SAML response.

Use the SAML Tracer tool to record the SAML flow and verify that the SAMLResponse is sent with the HTTP-POST binding to the http://testserver/shibboleth.sso/SAML2/POST endpoint.

I am not a Shibboleth expert, but it may be related to the fact that it is being sent from HTTPS to HTTP, as described here and explained here.
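The three documented bullet points (server name and port, handler rewriting, and how the IdP addresses the response) can be turned into a mechanical check that runs against a tracer capture rather than by eye. The script below is an added example written for this thread; it is not the answerer's code and not part of Shibboleth or OneLogin. It cross-checks the HTTP-POST AssertionConsumerService Location in the SP metadata (as the question's /Metadata handler would publish it), the Destination attribute of the SAMLResponse the IdP POSTs (as seen in SAML Tracer), and the connector's ACS URL validator regex from the question. The SP metadata fragment and the SAMLResponse envelope are constructed inputs, with the Destination deliberately differing from the metadata in scheme and in path case so that the two failure modes discussed above (HTTPS-to-HTTP and the Shibboleth.sso/shibboleth.sso spelling) both show up; all function names are mine, and treating the path comparison as case-sensitive is an assumption made to be conservative.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed SP metadata, shaped like what the SP's /Metadata handler publishes
# for the configuration in the question (the entityID is a placeholder).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://testserver/shibboleth-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://testserver/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAMLResponse envelope as a tracer would capture it (assertion omitted);
# the Destination deliberately differs from the metadata in scheme and in path case.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2016-06-16T15:18:43Z"
    Destination="https://testserver/shibboleth.sso/SAML2/POST"/>"""

# The connector's ACS URL validator exactly as given in the question.
ACS_VALIDATOR = r"^http://testserver/shibboleth.sso/SAML2/POST$"


def sp_post_acs_locations(metadata_xml):
    """Return the Location of every HTTP-POST AssertionConsumerService in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location")
            for acs in root.iterfind(".//md:AssertionConsumerService", NS)
            if acs.get("Binding") == POST_BINDING]


def response_destination(response_xml):
    """Return the Destination attribute of a SAMLResponse, or None if it is absent."""
    return ET.fromstring(response_xml).get("Destination")


def compare_urls(expected, actual):
    """Map each differing URL component (scheme, host, port, path) to (expected, actual).

    urlsplit lowercases scheme and host, so those compare case-insensitively; the path
    is compared exactly (assumption: safest to keep the handler path identical).
    A port difference is only reported when the schemes agree, otherwise it is noise.
    """
    e, a = urlsplit(expected), urlsplit(actual)
    diffs = {}
    if e.scheme != a.scheme:
        diffs["scheme"] = (e.scheme, a.scheme)
    if (e.hostname or "") != (a.hostname or ""):
        diffs["host"] = (e.hostname, a.hostname)
    e_port = e.port or DEFAULT_PORT.get(e.scheme)
    a_port = a.port or DEFAULT_PORT.get(a.scheme)
    if e.scheme == a.scheme and e_port != a_port:
        diffs["port"] = (e_port, a_port)
    if e.path != a.path:
        diffs["path"] = (e.path, a.path)
    return diffs


def check_acs(metadata_xml, response_xml, validator_regex):
    """Cross-check metadata ACS, IdP Destination and connector validator; return findings."""
    findings = []
    locations = sp_post_acs_locations(metadata_xml)
    dest = response_destination(response_xml)
    if dest is None:
        return ["SAMLResponse carries no Destination attribute"]
    # The SP rejects a POSTed message whose Destination is not one of its ACS URLs.
    if dest not in locations:
        for loc in locations:
            detail = ", ".join(f"{k}: got {got!r}, metadata has {exp!r}"
                               for k, (exp, got) in compare_urls(loc, dest).items())
            findings.append(f"Destination {dest} does not match metadata ACS {loc} ({detail})")
    # The connector side: its validator must accept the URL the SP actually publishes.
    for loc in locations:
        if not re.fullmatch(validator_regex, loc):
            findings.append(f"connector validator {validator_regex!r} rejects metadata ACS {loc}")
    return findings


if __name__ == "__main__":
    for finding in check_acs(SP_METADATA, SAML_RESPONSE, ACS_VALIDATOR):
        print("-", finding)
```

Run against the constructed inputs it reports two findings: the Destination differs from the metadata ACS in scheme (https vs http) and path (lowercase shibboleth.sso), and the connector's validator would reject the metadata's own ACS URL because of the capital S. To use it on a real capture, paste the SP's /Metadata output and the decoded SAMLResponse from SAML Tracer into the two constants; once the SP metadata, the connector's ACS URL and validator, and the IdP's Destination agree on scheme, host, port and exact path, the "incorrect server URL" condition no longer has a trigger.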