我使用djangosaml2安装和配置ADFS 2.0作为Idp和Django项目作为SP。关于IIS 7.5的Django项目。
django saml2 config:
SAML_CONFIG = {
# full path to the xmlsec1 binary programm
'xmlsec_binary': 'C:\\Program Files\\xmlsec1\\xmlsec1-1.2.20-win32-x86\\bin\\xmlsec1.exe',
# your entity id, usually your subdomain plus the url to the metadata view
'entityid': 'https://sp.corp.com/saml2/metadata/',
# this block states what services we provide
'service': {
# we are just a lonely SP
'sp' : {
'authn_requests_signed': "true",
'name': 'SP',
'name_id_format': NAMEID_FORMAT_EMAILADDRESS,
'endpoints': {
# url and binding to the assetion consumer service view
# do not change the binding or service name
'assertion_consumer_service': [
('https://sp.corp.com/saml2/acs/',
saml2.BINDING_HTTP_POST),
],
# url and binding to the single logout service view
# do not change the binding or service name
'single_logout_service': [
('https://sp.corp.com/saml2/ls/',
saml2.BINDING_HTTP_REDIRECT),
('https://sp.corp.com/saml2/ls/post',
saml2.BINDING_HTTP_POST),
],
},
# attributes that this project need to identify a user
'required_attributes': ['email'],
# attributes that may be useful to have but not required
'optional_attributes': ['surname'],
},
},
# where the remote metadata is stored
'metadata': {
'local': [os.path.join(BASE_DIR, 'FederationMetadata.xml')],
},
# set to 1 to output debugging information
'debug': 1,
# certificate
'key_file': os.path.join(BASE_DIR, 'iispk.pem'), # private part
'cert_file': os.path.join(BASE_DIR, 'iiscert.pem'), # public part
}
在adfs端,通过网址https://sp.corp.com/saml2/metadata/添加Reling Party Trust。然后添加声明规则将LDAP属性作为声明,并添加电子邮件地址 - 电子邮件地址,姓氏 - 姓氏。 之后转到https://sp.corp.com/saml2/login/,输入username和pwd,并获取adfs错误,该错误显示在事件日志中:
Event 364:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7012: ошибка при обработке запроса. Для получения дополнительных сведений обратитесь к администратору.
в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)
Event 321
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://iisserver.corp.com/saml2/metadata/
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
This request failed.
User Action
Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier.
折磨了几天。如何解决?建议细节。非常感谢。
答案 0 :(得分:0)
您需要在SAML断言中发送NameID声明。由于您尚未在发布规则集中创建此声明,因此ADFS错误表示cl的值 目标是安全令牌中的铸造与您已配置的请求策略(并在SAML请求中发送)不匹配。
有关如何生成NameID声明及其应发布的格式,请参阅https://blogs.msdn.microsoft.com/card/2010/02/17/name-identifiers-in-saml-assertions/。
谢谢//山姆 [Twitter:@MADADFS]