I have set up ADFS 3.0 with my JBoss 6.1.0_final, configured with JDK 6.
The setup succeeded: when I access the application URL, it redirects me to the ADFS page. After a successful login to ADFS, it redirects back to my application URL, and that is where I get the following error:
ERROR [org.picketlink.identity.federation] Service Provider could not handle the request.: java.lang.IllegalArgumentException: PL00092: Null Value:No assertions in reply from IDP
at org.picketlink.identity.federation.DefaultPicketLinkLogger.samlHandlerNoAssertionFromIDP(DefaultPicketLinkLogger.java:1410) [:2.1.8.Final]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:415) [:2.1.8.Final]
at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:135) [:2.1.8.Final]
at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:64) [:2.1.8.Final]
at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:105) [:2.1.8.Final]
at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:86) [:2.1.8.Final]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:448) [:2.1.8.Final]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:324) [:2.1.8.Final]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:252) [:2.1.8.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559) [:6.1.0.Final]
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.1.0.Final]
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]
at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]
at java.lang.Thread.run(Thread.java:662) [:1.6.0_45]
My picketlink.xml is:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
        ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true"
        CanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
        <KeyProvider
            ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="server.keystore" />
            <Auth Key="KeyStorePass" Value="changeit" />
            <Auth Key="SigningKeyPass" Value="changeit" />
            <Auth Key="SigningKeyAlias" Value="jbosskey" />
            <ValidatingAlias Key="{APPLICATION-URL}" Value="digite" />
            <ValidatingAlias Key="{ADFS-URL}" Value="digite" />
        </KeyProvider>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
            <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
            <Option Key="CLOCK_SKEW_MILIS" Value="3600000"/>
        </Handler>
        <!-- element name corrected from the malformed <Handlerv ...> in the posted file -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"></Handler>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
            <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="true"/>
        </Handler>
    </Handlers>
</PicketLink>
Update 1: the error on the ADFS side is
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
I have tried the following solutions with some luck:
Set-ADFSRelyingPartyTrust -TargetName "Name property of your RP Trust" -SigningCertificateRevocationCheck "None"
The entity ID in sp-metadata.xml and in the RP trust must be the same.
Please help.
Answer 0 (score: 0)
Make sure the values of both signature methods are the same. PicketLink always sets the Signature SIGN METHOD value to the w3.org one regardless of the value configured when the REDIRECT binding type is used, and ADFS requires both sign methods to be the same for the communication to succeed.
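Both the question's PL00092 ("No assertions in reply from IDP") and the answer's point about matching signature methods come down to what is actually inside the messages exchanged between the SP and ADFS. The following Python diagnostic is an added example, not part of the question, the answer or PicketLink: it decodes a POST-binding SAMLResponse, reports the status codes and the number of assertions the SP handler would find, and lists the ds:SignatureMethod algorithm URIs so the SP's signed AuthnRequest and the IdP's Response can be compared side by side. All hostnames, IDs and messages are constructed samples; it assumes plain base64 without DEFLATE (the POST binding configured above) and it only reports what is present, it does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces of the SAML 2.0 protocol/assertion elements and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def encode_post_binding(xml_text: str) -> str:
    """Base64-encode a message the way the HTTP-POST binding puts it in the form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def parse_post_binding(b64_message: str) -> ET.Element:
    """Decode a SAMLResponse/SAMLRequest form field (plain base64, no DEFLATE,
    matching BindingType="POST" in picketlink.xml) and parse it."""
    return ET.fromstring(base64.b64decode(b64_message))


def signature_algorithms(root: ET.Element) -> list:
    """Every ds:SignatureMethod Algorithm URI anywhere in the message."""
    return [el.get("Algorithm") for el in root.iter("{%s}SignatureMethod" % NS["ds"])]


def algorithm_mismatch(sp_message: ET.Element, idp_message: ET.Element) -> list:
    """Signature algorithms used on one side but not the other (the answer's point)."""
    return sorted(set(signature_algorithms(sp_message)) ^ set(signature_algorithms(idp_message)))


def inspect_response(root: ET.Element) -> dict:
    """Summarise what the SP handler needs from a samlp:Response before it can build a session."""
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    return {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "status": top.get("Value") if top is not None else None,
        "sub_status": nested.get("Value") if nested is not None else None,
        "assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "signature_algorithms": signature_algorithms(root),
    }


def diagnose(report: dict) -> list:
    """Findings an operator wants before changing picketlink.xml or the RP trust."""
    findings = []
    if report["status"] != SUCCESS:
        findings.append("IdP status is %s (nested: %s), not Success"
                        % (report["status"], report["sub_status"]))
    if report["assertions"] + report["encrypted_assertions"] == 0:
        findings.append("no Assertion/EncryptedAssertion in the Response: "
                        "this is the shape that produces PL00092 at the SP")
    elif report["encrypted_assertions"] and not report["assertions"]:
        findings.append("assertion is encrypted; the SP must hold the decryption key")
    if not report["signature_algorithms"]:
        findings.append("Response carries no XML signature")
    return findings


# Constructed sample messages (not real ADFS or PicketLink output). Signature
# values are placeholders; the tool never verifies them.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2014-01-01T00:00:00Z" Destination="https://sp.example.test/app/">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2" Version="2.0"
  IssueInstant="2014-01-01T00:00:00Z" Destination="https://sp.example.test/app/">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_u1</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed AuthnRequest as an SP might sign it, deliberately with a different algorithm.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_req1" Version="2.0"
  IssueInstant="2014-01-01T00:00:00Z" Destination="https://adfs.example.test/adfs/ls/">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""


def run_samples() -> dict:
    """Run the diagnostic over the three constructed messages."""
    failed = inspect_response(parse_post_binding(encode_post_binding(FAILED_RESPONSE)))
    ok_root = parse_post_binding(encode_post_binding(OK_RESPONSE))
    request = parse_post_binding(encode_post_binding(AUTHN_REQUEST))
    return {
        "failed": diagnose(failed),
        "ok": diagnose(inspect_response(ok_root)),
        "mismatch": algorithm_mismatch(request, ok_root),
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings)
```

To use it against a live exchange, paste the base64 SAMLResponse value from the browser's POST back to the SP into parse_post_binding and the SAMLRequest value from the SP's POST to ADFS into the same function; a non-empty algorithm_mismatch list is the condition the answer describes, and an empty assertion count with a non-Success status is the condition behind the PL00092 stack trace in the question.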