我正在尝试将Shibboleth IDP配置为接受其他系统的单点登录。
在配置Shibboleth并尝试执行此过程时，Shibboleth会在SAML响应中返回以下消息：
<saml2p:Status>
<!-- Top-level code "Responder" marks a failure on the IdP side; the nested
     second-level code "InvalidNameIDPolicy" together with the StatusMessage
     below says the NameID Format the SP asked for in its NameIDPolicy is not
     one this IdP can issue. The fragment is truncated (no closing
     </saml2p:Status>); the Format actually requested has to be read from the
     SP's AuthnRequest, which is not shown here. -->
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></saml2p:StatusCode>
<saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
我的 attribute-resolver.xml
[...]
<!-- Attribute "login": a Simple definition that takes the "login" source
     attribute from the "myDB" data connector and encodes it as a SAML 2
     string attribute (name and friendlyName both "login"). This produces an
     attribute only; it does not by itself provide a NameID format, so it is
     not what the InvalidNameIDPolicy status above is complaining about. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="login" sourceAttributeID="login">
<resolver:Dependency ref="myDB" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="login" friendlyName="login" />
</resolver:AttributeDefinition>
<!-- Relational data connector "myDB". The xmlns on this element switches the
     default namespace for its unprefixed children (ApplicationManagedConnection,
     QueryTemplate, Column) to the dc namespace. The JDBC credentials live
     inline in this file (redacted as XXXXX here); keep the file readable only
     by the IdP service account. -->
<resolver:DataConnector id="myDB" xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
<ApplicationManagedConnection jdbcDriver="org.postgresql.Driver"
jdbcURL="jdbc:XXXXX" jdbcUserName="XXXXX" jdbcPassword="XXXXX" />
<!-- $requestContext.principalName is substituted textually into the SQL
     string; the two replace() calls strip '.' and '-' but do not escape the
     quote character, so the value is not parameterized. NOTE(review): the
     principal name is the IdP-authenticated user, not SP-supplied input, but
     confirm that the template engine escapes it before relying on that.
     Only the "login" column is mapped below, so "SELECT login" would return
     less data than "SELECT *" with the same result. -->
<QueryTemplate>
SELECT * FROM usuario WHERE login = replace(replace('$requestContext.principalName', '.', ''), '-', '')
</QueryTemplate>
<Column columnName="login" attributeID="login" />
</resolver:DataConnector>
<!-- These are the only NameID formats this resolver can satisfy, and all
     three are Transient connectors: Shibboleth 1.0 nameIdentifier, SAML 1.1
     unspecified, and SAML 2.0 transient. An SP whose NameIDPolicy requests
     any other Format (for example a SAML 2.0 persistent or emailAddress
     NameID, which are not declared here) receives the InvalidNameIDPolicy
     status shown above. Check the Format in the SP's AuthnRequest and add a
     PrincipalConnector (and, for attribute-based formats, a matching NameID
     encoder) for it, or have the SP request one of these three. -->
<resolver:PrincipalConnector xsi:type="pc:Transient" id="shibTransient" nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
<resolver:PrincipalConnector xsi:type="pc:Transient" id="saml1Unspec" nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<resolver:PrincipalConnector xsi:type="pc:Transient" id="saml2Transient" nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
我的 attribute-filter.xml [...]
<!-- Releases the "login" attribute to every relying party: the
     PolicyRequirementRule basic:ANY matches any SP and the PermitValueRule
     basic:ANY permits every value. If "login" is only meant for the one
     system being integrated, scope the requirement rule to that SP's
     entityID (for example with basic:AttributeRequesterString) instead of
     ANY, so other SPs served by this IdP do not receive it. -->
<afp:AttributeFilterPolicy id="releaseLogin">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="login">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
<!-- Releases "transientId" to any relying party. A transient identifier is
     opaque and per-session, so releasing it to everyone is the customary
     default and is what allows the transient NameID formats declared by the
     PrincipalConnectors to be issued. Nothing in this filter covers a
     non-transient identifier, so it does not help an SP that requests a
     different NameID Format. -->
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="transientId">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
非常感谢!