Unwanted InResponseTo attribute in SAML response

Time: 2017-10-03 10:48:51

Tags: saml-2.0 azure-ad-b2c

I am using AAD B2C as the IdP. It sends a SAML response to PingOne, but that response carries an InResponseTo attribute set to the ID of the AuthnRequest, and PingOne fails the request because of it:

https://community.pingidentity.com/PingOne/PingOne-General/SAML-223-The-request-you-sent-is-outdated-This-can-be-due-to-an-old-entry-in-the-browser-cache-or-a-bookmark-to-a-transient-login-page-Try-restarting-your-browser-and-using-the-application-URL-again

I created the custom policy by following these documents:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp

https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md

AuthnRequest

<samlp:AuthnRequest
    ID="F84D888AA3B44C1B844375A4E8210D9E"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Version="2.0"
    IsPassive="false"
    AssertionConsumerServiceURL="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://login.microsoftonline.com/te/TENANT.onmicrosoft.com/POLICY_NAME</Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    </samlp:NameIDPolicy>
</samlp:AuthnRequest>

Using the AuthnRequest above, I built the encoded SAMLRequest and opened the following URL: https://login.microsoftonline.com/te/TENANT.onmicrosoft.com/POLICY_NAME/samlp/sso/login?SAMLRequest=ENCODED_AUTHNREQUEST_SAML&RelayState=https%3A%2F%2Fpingone.com%2F1.0%2FENTITY_ID

SAML Response

<samlp:Response
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_18b91c0a-e117-4c0d-877b-12e1627fbfd0"
    InResponseTo="F84D888AA3B44C1B844375A4E8210D9E"
    Version="2.0"
    IssueInstant="2017-10-02T16:25:45.6637019Z"
    Destination="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://login.microsoftonline.com/te/TENANT.onmicrosoft.com/saml</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      .....
    </Signature>
    <samlp:Status>
      .....
    </samlp:Status>
    <saml:Assertion>
      .....
    </saml:Assertion>
</samlp:Response>
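Editor's note with an added example (not part of the question, and not PingOne's or Azure AD B2C's own code). The SAML 2.0 Web Browser SSO profile requires a service provider to accept a solicited response only when its InResponseTo matches an AuthnRequest the SP itself issued and still remembers; a response with no InResponseTo is an unsolicited (IdP-initiated) one and is a separate case. An "outdated request" rejection like the one linked above is what that check produces when the ID is unknown to the SP, which is the likely outcome when the AuthnRequest is hand-built and sent to the IdP without going through the SP. The Python below shows the SP-side logic in miniature: a one-time, time-limited store of issued request IDs, header parsing of a constructed samlp:Response modelled on the question's XML (Signature and Assertion omitted; the ACS URL and request ID are copied from the question, all other values are constructed), and the verdicts for the normal flow, a replay, a hand-built request, a stale request, an unsolicited response and a wrong Destination.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml to block entity expansion
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ACS_URL = "https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"  # taken from the question
REQUEST_ID = "F84D888AA3B44C1B844375A4E8210D9E"                     # AuthnRequest ID from the question


def sample_response(in_response_to=None):
    """Constructed samlp:Response header modelled on the question's XML; Signature and Assertion are omitted."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_18b91c0a-e117-4c0d-877b-12e1627fbfd0"{attr}
    Version="2.0" IssueInstant="2017-10-02T16:25:45Z" Destination="{ACS_URL}">
  <saml:Issuer>https://login.microsoftonline.com/te/TENANT.onmicrosoft.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


class OutstandingRequests:
    """SP-side memory of AuthnRequest IDs the SP itself issued, each usable once and only for a short window."""

    def __init__(self, ttl=timedelta(minutes=5)):
        self.ttl = ttl
        self._issued = {}  # request ID -> time the SP sent it

    def record(self, request_id, issued_at):
        self._issued[request_id] = issued_at

    def consume(self, request_id, now):
        """Return 'ok', 'unknown' or 'expired'. The ID is removed on first use so a replayed response cannot match again."""
        issued_at = self._issued.pop(request_id, None)
        if issued_at is None:
            return "unknown"
        if now - issued_at > self.ttl:
            return "expired"
        return "ok"


def parse_response_header(response_xml):
    """Pull the top-level attributes an SP needs before it even looks at the signature or assertion."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    return {
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "issuer": (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip(),
    }


def classify_response(response_xml, store, now, acs_url=ACS_URL):
    """Decide how the SP should treat the response header (signature verification is a separate step)."""
    hdr = parse_response_header(response_xml)
    if hdr["destination"] != acs_url:
        return "wrong-destination"
    if hdr["in_response_to"] is None:
        return "unsolicited"  # IdP-initiated; accept only if the SP is configured for it
    verdict = store.consume(hdr["in_response_to"], now)
    if verdict == "ok":
        return "solicited-ok"
    return "unknown-request" if verdict == "unknown" else "expired"


def demo():
    """Run the cases an SP meets in practice and return the verdict for each."""
    t0 = datetime(2017, 10, 2, 16, 25, 0, tzinfo=timezone.utc)
    soon = t0 + timedelta(minutes=1)
    results = {}

    # 1. Normal SP-initiated flow: the SP issued the request a minute earlier.
    store = OutstandingRequests()
    store.record(REQUEST_ID, t0)
    results["solicited"] = classify_response(sample_response(REQUEST_ID), store, soon)

    # 2. Same response presented again: the ID was consumed, so it now reads as a replay.
    results["replayed"] = classify_response(sample_response(REQUEST_ID), store, soon)

    # 3. The question's situation: the AuthnRequest was hand-built, so the SP never recorded its ID.
    results["hand_built"] = classify_response(sample_response(REQUEST_ID), OutstandingRequests(), soon)

    # 4. The SP did issue it, but the login took longer than the allowed window.
    stale = OutstandingRequests()
    stale.record(REQUEST_ID, t0)
    results["stale"] = classify_response(sample_response(REQUEST_ID), stale, t0 + timedelta(minutes=30))

    # 5. IdP-initiated response: no InResponseTo at all.
    results["unsolicited"] = classify_response(sample_response(), OutstandingRequests(), t0)

    # 6. Response addressed to some other ACS endpoint.
    results["wrong_acs"] = classify_response(sample_response(REQUEST_ID), OutstandingRequests(), t0,
                                             acs_url="https://sp.example/acs")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} -> {verdict}")
```

The store is the piece that matters for this question: whichever party builds and sends the AuthnRequest has to be the same party that later receives the response, because only it knows the ID. Consuming the ID on first use is what turns the same field into replay protection, which is why an SP will not simply ignore a mismatched InResponseTo.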

0 answers:

No answers