将Shibboleth作为IdP和API Publisher连接为SP

时间:2016-12-05 17:17:04

标签: wso2 wso2is shibboleth

计划

我们将shibboleth配置为IdP,因此我们可以进行SSO。我们已经为电子邮件和帐户信息等许多其他内容配置了shibboleth,但在尝试添加我们的API发布商时,我们似乎遇到了错误。我们认为这是一个wso2配置错误。我们一直使用这个wso2文档作为模板:如何将Shibboleth IdP配置为可信身份提供者

情况

到目前为止,我们可以访问登录屏幕并输入我们的凭据,但是当它尝试重定向我们时,我们会收到错误401:需要授权。

SAML代码

<saml2p:Response 
Destination="localhost" 
ID="mbnfmmagbmefckldpefbmjopkadjahbkocadhmib" 
InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf" 
IssueInstant="2016-12-05T16:20:37.939Z" 
Version="2.0" 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer 
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IdsDev
</saml2:Issuer>
<ds:Signature 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod 
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod 
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference 
            URI="#mbnfmmagbmefckldpefbmjopkadjahbkocadhmib">
            <ds:Transforms>
                <ds:Transform 
                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces 
                        PrefixList="xs" 
                        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod 
                Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>9xbWKA7A+
                7k7Vaz6O18z8Xliqbo=
            </ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>kX11Q4eCUyME+VP5M7+5iI6D45kqQgE6MIqth7hNosSmfdSD3kZS0dwlcNwVlrzA64LMUZxclU256xP6w6nn0TqEqLjKy/tGXeQbKjaYrPcXx6336kIp8YGajqDiBh7IJswFDxugLoRx70APaKGthJi5VwRea1oT3lE4RHJoMgiN7o5FO1N+8IE34zEJLmTIpt+lYdXQPJanN29GY9YfIouFe2TGfHfXd9PT2nt7Dmf+M69DM3giEyizbzljYHdkjJrTlqoYTlHBHNPq8NF/+1wwuL76SP0Bory4k/7JvelW6RSAz82pdjDc0ublBmuceTENza2GiC2sitVQPycl/
        g==
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>MIIFejCCBGKgAwIBAgIQCKTAgWTgw/Ea7HQ+L665tTANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MjYwMDAwMDBaFw0xOTEwMDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVJZGFobzEQMA4GA1UEBxMHUmV4YnVyZzEnMCUGA1UEChMeQnJpZ2hhbSBZb3VuZyBVbml2ZXJzaXR5LUlkYWhvMRgwFgYDVQQDEw9pZHNkZXYuYnl1aS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeLpdcJnXbGKRYujiUIoCOFrjR3PZ2E+BmzGNNTSTbnxjRPCJpjoI/5OWXPV/59I4s+b/lMaVuth5G8FD/yGDE/cyOKHM79G8UR399aqflqVWCfBc5Kqf7oKByBiost5JQyLGUTlXOvOKvLNTSHEC1gZUYP6Sn9m7/HOtcaMji32N0Pr22NYk92LSbUZqwVUM5e71q7Yze4OTiAv/Sd3Us1M4YgD+qJpy15Rph5Uo7jq1J9YE38dVmznJKD5xKt6G5Bn/b7pWipnhfG9gNJhjkpP/IVOfkpsDIm4QDXOArjzV/qLck8GF6zr8+PiUM4k/peottkvq6UV0AKPiv/DPJAgMBAAGjggIMMIICCDAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVkYqISuFlyOzAdBgNVHQ4EFgQUgpnRRipdTainSlDqezFYUGdyKWgwPgYDVR0RBDcwNYIPaWRzZGV2LmJ5dWkuZWR1ghBJZHNEZXYxLmJ5dWkuZWR1ghBJZHNEZXYyLmJ5dWkuZWR1MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBADAayQq4l5DqWmgste9KgnqWOkOkjWw7bxu7WOh++oPyaNlyzieaz2ZJXrf4bHHeF5pCA9FUzhpdwGg+iWzt5Wd8L3G50mEUBJKjKgAzkOr9ywoGlPio/GaqqNrMmKhmLQDz6hcIoCk3SXAR5GDzRCjn5PZvboL9l+uTCE0h6Sg8qCRjgIYvOHbN8FhMla2opx2B7mnX5jAnfzfnJgGQZERLDSy8dvYhtXBaxaCzDqfYwZFQjec+IRjHHHLQpAPKzB5ARNe5IYlSMfkbi71kNpaFQ1WAJtAO+9pld5zgA/
                OvSamgXd5RBJbXq376LX3r9jcYGpQwJT3hqMl9Qa1B0pY=
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
    <saml2p:StatusCode 
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion 
    ID="gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm" 
    IssueInstant="2016-12-05T16:20:37.939Z" 
    Version="2.0" 
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer 
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IdsDev
    </saml2:Issuer>
    <ds:Signature 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod 
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod 
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference 
                URI="#gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm">
                <ds:Transforms>
                    <ds:Transform 
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform 
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces 
                            PrefixList="xs" 
                            xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod 
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Z7DIvjwTk4JpF0TRMNzo3Z/
                    4sfc=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>h1Stjkbw306VU7TN5OEou2XII3nzvhr34GVbced5Gk7q+EZailZusYISkC11eJjk4Y+CejMa4RODelwnMAdpfeWmMYz6ukk0jh9RH97/uWPOWKfOp4n/oXVnYE3rdImGcb1egas/zprqM7Pl8mbwI7vK3ScMUagBg6Td1sxHfRgVBk6r8C+40sgTAG8LsOd+q8LKNYj5mSeZ5K34SBdkmMWNpAS9mOT9CSJfWOrd9uAvFXHeuWN31MbIgVV5seEMfUzC18I/4s3qXwWqIvQxIsF8l9WuIuMYsFPT+oQJBU/ltQVf54w29k50tvN+LyvmNbZCZANf+
            3JXwygyImc2Yg==
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIFejCCBGKgAwIBAgIQCKTAgWTgw/Ea7HQ+L665tTANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MjYwMDAwMDBaFw0xOTEwMDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVJZGFobzEQMA4GA1UEBxMHUmV4YnVyZzEnMCUGA1UEChMeQnJpZ2hhbSBZb3VuZyBVbml2ZXJzaXR5LUlkYWhvMRgwFgYDVQQDEw9pZHNkZXYuYnl1aS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeLpdcJnXbGKRYujiUIoCOFrjR3PZ2E+BmzGNNTSTbnxjRPCJpjoI/5OWXPV/59I4s+b/lMaVuth5G8FD/yGDE/cyOKHM79G8UR399aqflqVWCfBc5Kqf7oKByBiost5JQyLGUTlXOvOKvLNTSHEC1gZUYP6Sn9m7/HOtcaMji32N0Pr22NYk92LSbUZqwVUM5e71q7Yze4OTiAv/Sd3Us1M4YgD+qJpy15Rph5Uo7jq1J9YE38dVmznJKD5xKt6G5Bn/b7pWipnhfG9gNJhjkpP/IVOfkpsDIm4QDXOArjzV/qLck8GF6zr8+PiUM4k/peottkvq6UV0AKPiv/DPJAgMBAAGjggIMMIICCDAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVkYqISuFlyOzAdBgNVHQ4EFgQUgpnRRipdTainSlDqezFYUGdyKWgwPgYDVR0RBDcwNYIPaWRzZGV2LmJ5dWkuZWR1ghBJZHNEZXYxLmJ5dWkuZWR1ghBJZHNEZXYyLmJ5dWkuZWR1MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBADAayQq4l5DqWmgste9KgnqWOkOkjWw7bxu7WOh++oPyaNlyzieaz2ZJXrf4bHHeF5pCA9FUzhpdwGg+iWzt5Wd8L3G50mEUBJKjKgAzkOr9ywoGlPio/GaqqNrMmKhmLQDz6hcIoCk3SXAR5GDzRCjn5PZvboL9l+uTCE0h6Sg8qCRjgIYvOHbN8FhMla2opx2B7mnX5jAnfzfnJgGQZERLDSy8dvYhtXBaxaCzDqfYwZFQjec+IRjHHHLQpAPKzB5ARNe5IYlSMfkbi71kNpaFQ1WAJtAO+9pld5zgA/
                    OvSamgXd5RBJbXq376LX3r9jcYGpQwJT3hqMl9Qa1B0pY=
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
        <saml2:NameID 
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">username
        </saml2:NameID>
        <saml2:SubjectConfirmation 
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData 
                InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf" 
                NotOnOrAfter="2016-12-05T16:25:37.939Z" 
                Recipient="localhost"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions 
        NotBefore="2016-12-05T16:20:37.939Z" 
        NotOnOrAfter="2016-12-05T16:25:37.939Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>API_PUBLISHER</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement 
        AuthnInstant="2016-12-05T16:20:37.941Z" 
        SessionIndex="cbc00514-954b-4de2-8e7b-b50edf9c5976">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
        <saml2:Attribute 
            Name="http://wso2.org/claims/fullname" 
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue 
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                xsi:type="xs:string">username
            </saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

IdP配置

Shibboleth IDS configuration

Shibboleth IDS configuration

1 个答案:

答案 0 :(得分:2)

我们解决了这个问题!因此,我们无法获得shibboleth 2来在SAML代码中的subject / nameID中发送正确的信息,但是当我们尝试shibboleth 3时,nameID的自定义更容易使用。无论如何,wso2无法仅使用subject / nameID中的用户名授权访问,它还需要域名并格式化为此 / 用户名。有了这个,我们得到SSO工作。