Using Django 1.9 + djangosaml2 + ADFS 2.0 for SSO

Time: 2016-08-30 09:06:13

Tags: python django single-sign-on saml-2.0 adfs2.0

I used djangosaml2 to set up and configure ADFS 2.0 as the IdP and a Django project as the SP. The Django project runs on IIS 7.5.

Django saml2 config:

import os
import saml2
from saml2.saml import NAMEID_FORMAT_EMAILADDRESS

# BASE_DIR is the project root, as defined in the Django settings module
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

SAML_CONFIG = {
  # full path to the xmlsec1 binary program
  'xmlsec_binary': 'C:\\Program Files\\xmlsec1\\xmlsec1-1.2.20-win32-x86\\bin\\xmlsec1.exe',

  # your entity id, usually your subdomain plus the url to the metadata view
  'entityid': 'https://sp.corp.com/saml2/metadata/',

  # this block states what services we provide
  'service': {
      # we are just a lonely SP
      'sp' : {
          'authn_requests_signed': "true",
          'name': 'SP',
          # the NameID format requested from the IdP (ends up in the NameIDPolicy of the AuthnRequest)
          'name_id_format': NAMEID_FORMAT_EMAILADDRESS,

          'endpoints': {
              # url and binding to the assertion consumer service view
              # do not change the binding or service name
              'assertion_consumer_service': [
                  ('https://sp.corp.com/saml2/acs/',
                   saml2.BINDING_HTTP_POST),
                  ],
              # url and binding to the single logout service view
              # do not change the binding or service name
              'single_logout_service': [
                  ('https://sp.corp.com/saml2/ls/',
                   saml2.BINDING_HTTP_REDIRECT),
                  ('https://sp.corp.com/saml2/ls/post',
                   saml2.BINDING_HTTP_POST),
                  ],
              },

          # attributes that this project needs to identify a user
          'required_attributes': ['email'],

          # attributes that may be useful to have but are not required
          'optional_attributes': ['surname'],
          },
      },

  # where the remote metadata is stored
  'metadata': {
      'local': [os.path.join(BASE_DIR, 'FederationMetadata.xml')],
      },

  # set to 1 to output debugging information
  'debug': 1,

  # certificate
  'key_file': os.path.join(BASE_DIR, 'iispk.pem'),  # private part
  'cert_file': os.path.join(BASE_DIR, 'iiscert.pem'),  # public part
  }

On the ADFS side, I added a Relying Party Trust from the URL https://sp.corp.com/saml2/metadata/. Then I added a claim rule that sends LDAP attributes as claims, mapping E-Mail-Addresses -> E-Mail Address and Surname -> Surname. After that I went to https://sp.corp.com/saml2/login/, entered the username and password, and got an ADFS error, which shows up in the event log:

Event 364:
Encountered error during federation passive request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7012: ошибка при обработке запроса. Для получения дополнительных сведений обратитесь к администратору.
   в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
   в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
   в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)



Event 321
The SAML authentication request had a NameID Policy that could not be satisfied. 
Requestor: https://iisserver.corp.com/saml2/metadata/ 
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 
SPNameQualifier:  
Exception details: 
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier:  SPNameQualifier: , SPProvidedId: . 

This request failed. 

User Action 
Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier.

I have been struggling with this for a few days. How do I fix it? Please suggest details. Thanks a lot.

1 answer:

Answer 0 (score: 0)

You need to send a NameID claim in the SAML assertion. Since you have not created this claim in the issuance rule set, the ADFS error indicates that the value of the claim to be minted in the security token does not match the request policy that you have configured (and sent in the SAML request).

For how to generate the NameID claim and the format in which it should be issued, see https://blogs.msdn.microsoft.com/card/2010/02/17/name-identifiers-in-saml-assertions/

Thanks // Sam [Twitter: @MADADFS]
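The fix the answer describes, written out as an added example (not code from the question or the answer): an ADFS issuance transform rule set that pulls mail and sn from Active Directory and then copies the e-mail claim into a nameidentifier claim tagged with the emailAddress format the SP requested. It assumes the Relying Party Trust was created with the display name "SP" (the 'name' from the question's config) and is run from the ADFS 2.0 PowerShell snap-in.

```powershell
# Added example: issue the NameID that the SP's NameIDPolicy asks for.
# Assumption: the Relying Party Trust's display name is "SP" (taken from the question's config).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "SP"

# Rule 1: the "LDAP attributes as claims" rule from the question (mail -> emailaddress, sn -> surname).
# Rule 2: copy the e-mail claim into the SAML NameID with the emailAddress format property.
# Without rule 2 ADFS issues no NameID at all, so a NameIDPolicy of Format=emailAddress with
# AllowCreate=false cannot be satisfied, which is what Event 321 / MSIS1000 reports.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail address as NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Replace the trust's issuance transform rules with the two rules above.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check: both rule names should now be listed for the trust.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After applying the rules, a successful login should produce an Event 321 no longer, and the assertion received at /saml2/acs/ should carry a NameID whose Format attribute equals the emailAddress URN shown in the event log.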