ADFS 3.0 logout with Drupal 8 samlauth

Time: 2017-08-25 11:48:19

Tags: adfs3.0

I am currently trying to implement the logout functionality, but I can't get it to work. I'm fairly sure I'm missing something simple...

This is the logout request I send to the ADFS server:

<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_2728cdbd1adc8c59faf3c4312b8fec6d18914f9b"
    Version="2.0"
    IssueInstant="2017-08-23T09:37:56Z"
    Destination="https://adfs.client.nl/adfs/ls/">
    <saml:Issuer>https://t-client-portal-cms.company.nl</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">213264@student.client.nl</saml:NameID>
    <samlp:SessionIndex>_7e271faa-209f-4f23-a5f6-56feaadc5f59</samlp:SessionIndex>
</samlp:LogoutRequest>

The errors we get in the ADFS error log are as follows:

Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          8/23/2017 10:18:09 AM
Event ID:      47
Task Category: None
Level:         Error
Keywords:      ADFSSamlProtocol
User:          ADS\sa_adfs
Computer:      ADFS02.ads.local
Description:
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
    <EventID>47</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000200</Keywords>
    <TimeCreated SystemTime="2017-08-23T08:18:09.569879000Z" />
    <EventRecordID>37</EventRecordID>
    <Correlation ActivityID="{00000000-0000-0000-EF4F-0080010000B4}" />
    <Execution ProcessID="3320" ThreadID="3484" ProcessorID="0" KernelTime="0" UserTime="18" />
    <Channel>AD FS Tracing/Debug</Channel>
    <Computer>ADFS02.ads.local</Computer>
    <Security UserID="S-1-5-21-2632700421-2392467594-2672111853-48213" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureVerificationException: MSIS7074: SAML authentication request for the WebSSO profile must specify an issuer with no NameQualifier, SPNameQualifier or SPProvidedId properties.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage&amp; newLogoutMessage, String&amp; newSessionState, String&amp; newLogoutState, Boolean&amp; validLogoutRequest)</EventData>
    </Event>
  </UserData>
</Event>

Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          8/23/2017 10:18:09 AM
Event ID:      153
Task Category: None
Level:         Error
Keywords:      ADFSPassivePipeline
User:          ADS\sa_adfs
Computer:      ADFS02.ads.local
Description:
Exception: MSIS7054: The SAML logout did not complete properly.
StackTrace:    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean& logoutComplete)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Signout(ProtocolContext context, String redirectUri, List`1 iFrameSignoutUris)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolSignoutRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
    <EventID>153</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000004000000</Keywords>
    <TimeCreated SystemTime="2017-08-23T08:18:09.569879000Z" />
    <EventRecordID>38</EventRecordID>
    <Correlation ActivityID="{00000000-0000-0000-EF4F-0080010000B4}" />
    <Execution ProcessID="3320" ThreadID="3484" ProcessorID="0" KernelTime="0" UserTime="18" />
    <Channel>AD FS Tracing/Debug</Channel>
    <Computer>ADFS02.ads.local</Computer>
    <Security UserID="S-1-5-21-2632700421-2392467594-2672111853-48213" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Exception: MSIS7054: The SAML logout did not complete properly.
StackTrace:    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSamlLogoutResponse(SamlContext samlContext, Boolean partialLogout, Boolean&amp; logoutComplete)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSignOut(SamlContext samlContext, String redirectUri, List`1 iFrameUris, Boolean partialLogout)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Signout(ProtocolContext context, String redirectUri, List`1 iFrameSignoutUris)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolSignoutRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
</EventData>
    </Event>
  </UserData>
</Event>

I don't understand the error message we are getting. Can anyone help me? What am I missing? What should I change? Thanks a lot for any help.

1 Answer:

Answer 0 (score: 0)

Refer to this

Should the request be signed?

Is the NameID the same as the one used at login, and in the same format?
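As an added example (not code from the question, the answer, or the samlauth module), the following Python (standard library only) builds a LogoutRequest with the same shape as the one posted above, checks the Issuer for the attributes that the MSIS7074 message names (NameQualifier, SPNameQualifier, SPProvidedID), extracts the NameID value and Format so they can be compared with what the IdP sent at login, and encodes the request for the SAML HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding) including the exact query string that a Redirect-binding signature covers (SAMLRequest, then RelayState if present, then SigAlg). It does not compute the RSA signature itself, since that needs the SP's private key and a crypto library; it stops at producing the bytes to be signed. The request values are copied from the post; the "bad" request with an SPNameQualifier is a constructed variant used only to show the check firing.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Issuer attributes that the MSIS7074 message says must be absent on a
# WebSSO-profile request.
FORBIDDEN_ISSUER_ATTRS = ("NameQualifier", "SPNameQualifier", "SPProvidedID")


def build_logout_request(req_id, issuer, name_id, session_index, destination,
                         issue_instant, issuer_attrs=None):
    """Build a samlp:LogoutRequest like the one in the question (bytes)."""
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    root = ET.Element(f"{{{NS_P}}}LogoutRequest", {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination})
    iss = ET.SubElement(root, f"{{{NS_A}}}Issuer", dict(issuer_attrs or {}))
    iss.text = issuer
    nid = ET.SubElement(root, f"{{{NS_A}}}NameID", {"Format": NAMEID_UNSPECIFIED})
    nid.text = name_id
    ET.SubElement(root, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="utf-8")


def issuer_violations(xml_bytes):
    """Return the forbidden attributes present on saml:Issuer (empty list = clean)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_P}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    iss = root.find(f"{{{NS_A}}}Issuer")
    if iss is None:
        return ["missing Issuer"]
    return [a for a in FORBIDDEN_ISSUER_ATTRS if a in iss.attrib]


def name_id_of(xml_bytes):
    """(value, Format) of the NameID, to compare against the login assertion."""
    nid = ET.fromstring(xml_bytes).find(f"{{{NS_A}}}NameID")
    return None if nid is None else (nid.text, nid.attrib.get("Format"))


def encode_redirect(xml_bytes):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def decode_redirect(b64):
    """Inverse of encode_redirect, i.e. what the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(b64), -15)


def redirect_signing_input(saml_request_b64, sig_alg=RSA_SHA256, relay_state=None):
    """The query string a Redirect-binding Signature is computed over.

    Order is fixed by the binding: SAMLRequest, RelayState (only if sent), SigAlg,
    each value URL-encoded. The signer must hash exactly this string.
    """
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in parts)


# Values taken from the request in the question.
POSTED_REQUEST = build_logout_request(
    "ONELOGIN_2728cdbd1adc8c59faf3c4312b8fec6d18914f9b",
    "https://t-client-portal-cms.company.nl",
    "213264@student.client.nl",
    "_7e271faa-209f-4f23-a5f6-56feaadc5f59",
    "https://adfs.client.nl/adfs/ls/",
    "2017-08-23T09:37:56Z")

# Constructed variant: same request but with an SPNameQualifier on the Issuer.
BAD_REQUEST = build_logout_request(
    "ONELOGIN_2728cdbd1adc8c59faf3c4312b8fec6d18914f9b",
    "https://t-client-portal-cms.company.nl",
    "213264@student.client.nl",
    "_7e271faa-209f-4f23-a5f6-56feaadc5f59",
    "https://adfs.client.nl/adfs/ls/",
    "2017-08-23T09:37:56Z",
    issuer_attrs={"SPNameQualifier": "https://t-client-portal-cms.company.nl"})

if __name__ == "__main__":
    print("posted request issuer problems:", issuer_violations(POSTED_REQUEST))
    print("constructed bad request issuer problems:", issuer_violations(BAD_REQUEST))
    print("NameID:", name_id_of(POSTED_REQUEST))
    print("to sign:", redirect_signing_input(encode_redirect(POSTED_REQUEST))[:80], "...")
```

Run the checks on the request your SP actually emits (capture it from the browser, base64-decode and inflate it with decode_redirect) rather than on the hand-copied XML: the Issuer check passes on the request as posted, so if ADFS still reports MSIS7074 the message it received is not identical to what you think you sent, or the relying party trust expects a signed request.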