Question

我正在尝试将gitlab连接到ADFS以进行单点登录（SSO）。在gitlab配置中，我已定义了这些值。

assertion_consumer_service_url:'https://myhost/users/auth/saml/callback',
 idp_cert_fingerprint: '',
 idp_sso_target_url: 'https://myadfshost/adfs/ls',
 issuer: 'https://myhost',

我在ADFS中添加了依赖方信任。并将用户添加到AD进行身份验证。当我转到 https://mygitlabhost 时。我得到带有登录选项的ADFS页面。输入用户密码后，出现以下错误，我被重定向到gitlab登录页面：

Could not authenticate you from SAML because "The status code of the response was not success, was responder".

当我检查ADFS的事件日志时，出现此错误：

联合被动请求期间遇到错误。

Additional Data 

Protocol Name: 
Saml 

Relying Party:

https://mygitlabhost 

Exception details: 
Microsoft.IdentityServer.Web.UnsupportedSamlRequestException: MSIS7076: The configured passive endpoint 'https://win-i52r11kn5sa.rohit.local/adfs/ls/' is not a prefix of the incoming SAML message Destination URI 'https://myadfshost/adfs/ls'.
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateIncomingSamlMessage(SamlMessage samlMessage)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

这可能是由于配置错误的ssl证书引起的吗？如果不是水可能是问题？

Answer 1

这可能是由于元数据或配置。

您是否已将ADFS元数据URL发送到SAML端？

SAML端已配置为发送到https://myadfshost/adfs/ls。

配置的ADFS端点为https://win-i52r11kn5sa.rohit.local/adfs/ls/。

因此SAML端应发送到https://win-i52r11kn5sa.rohit.local/adfs/ls。

ADFS登录产生错误Microsoft.IdentityServer.Web.UnsupportedSamlRequestException

1 个答案: