I am trying to get the OpenSSO (OpenAM) fedlet working against an ADFS 2.0 server. I have imported their metadata (idp.xml) and exchanged certificates with the ADFS server. I had to remove some elements from the XML file: claim types and a few other such elements.
When I try SSO by clicking the "Run Fedlet (SP) initiated Single Sign-On using HTTP POST binding" link, I get bounced to an "HTTP Status 500 - Single Sign On failed" page.
My fedlet runs on myServer.domain.net and the ADFS server is at adfs.domain.net.
I have decoded the SAML request I am sending to the ADFS server:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s25420b00d06164c30c915b9f69c6e5b73408c6b27" Version="2.0" IssueInstant="2011-03-14T21:37:27Z" Destination="https://adfs.domain.net/adfs/ls/" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://myServer:8999/fedlet/fedletapplication">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">myServer.domain.net</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="myServer.domain.net" AllowCreate="true"></samlp:NameIDPolicy>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
These are the errors and stack trace from my jboss log:
2011-03-14 16:22:00,330 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger access
INFO: GOT_RESPONSE_FROM_POST
{}
2011-03-14 16:22:00,331 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger error
INFO: WRONG_STATUS_CODE
{_12549e97-9ef2-49f2-a3c2-3dd40171ce8a}
{}
2011-03-14 16:22:00,331 INFO [STDOUT] ### {SAMLResponse=[Ljava.lang.String;@1d341d34}\
2011-03-14 16:22:00,331 INFO [STDOUT] ### SAMLResponse:
The SAMLResponse from the ADFS server:
<samlp:Response ID="_12549e97-9ef2-49f2-a3c2-3dd40171ce8a" Version="2.0" IssueInstant="2011-03-14T21:22:38.770Z" Destination="https://myServer:8999/fedlet/fedletapplication" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="s2d4265ae10edc2e33c08dc34c248a95dd771ce4ce" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain.net/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_12549e97-9ef2-49f2-a3c2-3dd40171ce8a">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>AX/P9yGMxS6g8X5wbWqV1bbDeIxJXuHhr5OK3VJ9lzU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ViPPkKk8KLx6TUHWjaVcbiDHEBQOio7+7gJqC2lnVeT6Ja4MqrF6GtIX8MjwHAHM+s5gOcxdldPYoKNfAkh12C690BQvlWXQd0nc6NmDVNvYGSCWy2JL19wiBDoNreWO4YwCXOoeHOS/CvsxB1gE5CiyQ8BzbsIAGvH3+uIVOcOrj30SuDQkXYBqnZw5OPM9BlmG7C4UBS8wlO44Ukbvs0oqwgVxSeBk6kywBYW9PoNGCc6ViTZwhWoQYGj2dFd/k282mzaZ4cz+aHBpAYMju9QJuXPpzdtP4Ms6x8BxpBrQUwPcg9+wV+jtwCmMgarFfOWwlR00b6m64XdPK9bmJw==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
</samlp:Status>
</samlp:Response>
Error/stack trace:
2011-03-14 16:22:00,331 ERROR [STDERR] com.sun.identity.saml2.common.SAML2Exception: Single Sign On failed.
2011-03-14 16:22:00,331 ERROR [STDERR] at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(Unknown Source)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jsp.fedletSampleApp_jsp._jspService(fedletSampleApp_jsp.java:262)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
2011-03-14 16:22:00,331 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:332)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
2011-03-14 16:22:00,332 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
2011-03-14 16:22:00,332 ERROR [STDERR] at java.lang.Thread.run(Thread.java:810)
Could this be caused by editing the metadata the ADFS server gave me? I cannot tell where to dig from here.
Thanks,
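As an added example (not from the question or from the fedlet/OpenAM code), this Python check reads a SAML 2.0 Response the way the fedlet's WRONG_STATUS_CODE path does, so the reason for "Single Sign On failed" is visible instead of a generic HTTP 500. The response is a constructed sample shaped like the ADFS one above (signature omitted); the request ID and ACS URL are taken from the question.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

# Values from the question: the AuthnRequest ID ADFS answered and the SP's ACS URL.
REQUEST_ID = "s2d4265ae10edc2e33c08dc34c248a95dd771ce4ce"
ACS_URL = "https://myServer:8999/fedlet/fedletapplication"


def sample_response(status_value):
    """Constructed sample shaped like the ADFS response in the question (no signature)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0"
  Destination="{ACS_URL}" InResponseTo="{REQUEST_ID}">
  <Issuer xmlns="{SAML}">http://adfs.domain.net/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="{status_value}"/></samlp:Status>
</samlp:Response>"""


def check_response(xml_text, sent_request_id, acs_url):
    """Return the reasons the SP must reject this Response (empty list = accept)."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. Top-level StatusCode must be Success. Anything else was decided by the
    #    IdP (ADFS): "Responder" means the IdP could not process the request, so
    #    the explanation is in the IdP's own logs, not in the SP's.
    status = root.find(f"{{{SAMLP}}}Status")
    code = status.find(f"{{{SAMLP}}}StatusCode").get("Value")
    if code != STATUS_SUCCESS:
        reason = "status " + code.rsplit(":", 1)[-1]
        # A nested StatusCode and a StatusMessage, when present, give the detail.
        detail = status.find(f"{{{SAMLP}}}StatusCode/{{{SAMLP}}}StatusCode")
        if detail is not None:
            reason += " / " + detail.get("Value").rsplit(":", 1)[-1]
        message = status.findtext(f"{{{SAMLP}}}StatusMessage")
        if message:
            reason += ": " + message
        problems.append(reason)
    # 2. InResponseTo must name an AuthnRequest this SP actually sent (anti-replay).
    if root.get("InResponseTo") != sent_request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID we sent")
    # 3. Destination must be this SP's own AssertionConsumerService URL.
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our AssertionConsumerServiceURL")
    return problems


if __name__ == "__main__":
    for value in (STATUS_SUCCESS, STATUS_RESPONDER):
        result = check_response(sample_response(value), REQUEST_ID, ACS_URL)
        print(value.rsplit(":", 1)[-1], "->", result or "accepted")
```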
Answer 0 (score: 0)