我正在使用 Grails 2.4,并安装了 spring-security-saml:2.0.0 插件。
使用此处提供的测试SAML服务,我可以毫不费力地使其工作:
https://samltest.id/
出现登录页面,然后将我重定向到我的应用程序。一切正常。
但是,在尝试了多种选项组合并阅读了这里关于SAML的大多数问题之后,我仍然无法连接到我实际需要使用的SAML服务。它一直返回以下错误:
edu.internet2.middleware.shibboleth.common.profile.ProfileException: SAML 2 SSO profile is not configured for relying party localhost:dev:myAppSAML
此IDP的管理员告诉我,也许我应该启用“默认IDP发现”。我试图通过设置来做到这一点:
idpDiscoveryEnabled: true (see DefaultSamlSecurityConfig.groovy below)
但结果还是一样。而且我认为这并非必需,因为我已经明确指定了要连接的IDP。
在测试服务和真实服务之间切换时,我唯一的改动是更换所使用的 idp.xml 文件,其他所有内容均保持不变。而 idp.xml 文件是他们发给我的,他们说该文件在其他服务提供商那里可以正常使用,所以文件本身应该没有问题。
他们还把另一个服务提供商的 sp.xml 发给了我。我原样照抄了它(只改了其中的URL),但仍然不行。因此,问题也许出在我设置的选项(或默认生效的选项)上——我以前没有用过SAML。
有什么想法吗?会不会是他们那一端(IDP)配置有误?
我在这里发布我的配置:
Config.groovy
// Config.groovy: Spring Security core settings that wire in the SAML plugin.
// Written in ConfigSlurper's nested-block form; it produces exactly the same
// grails.plugin.springsecurity.* keys as the flat dotted assignments.
grails {
    plugin {
        springsecurity {
            // Turn on the spring-security-saml plugin.
            saml.active = true
            // URL handled by the logout filter (SAML single logout).
            logout.filterProcessesUrl = "/saml/SingleLogout"
            // The SAML provider is the only authentication provider.
            providerNames = ["samlAuthenticationProvider"]
            // NOTE(review): this enables Spring Security's switch-user (impersonation)
            // filter; confirm its endpoint is restricted to the intended admin role.
            useSwitchUserFilter = true
        }
    }
}
IDP.XML
<!-- IdP metadata as supplied by the IdP operator (a Shibboleth IdP advertising
     Shibboleth 1.0, SAML 1.1 and SAML 2.0 support). The SP loads it through
     security.saml.metadata.providers in DefaultSamlSecurityConfig.groovy.
     NOTE(review): the quoted error ("SAML 2 SSO profile is not configured for
     relying party localhost:dev:myAppSAML") carries a Shibboleth IdP package name
     and names the SP's own entityID, so it appears to come from the IdP side,
     presumably from its relying-party/profile configuration for that entityID.
     Nothing in this file controls that; confirm with the operator. -->
<EntityDescriptor entityID="https://saml.organization.es"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<!-- Attribute scope the IdP is authoritative for (e.g. scoped affiliations). -->
<shibmd:Scope regexp="false">organization.es</shibmd:Scope>
</Extensions>
<!-- No "use" attribute: per the SAML metadata spec the key serves both signing
     and encryption. With securityProfile 'metaiop' in the SP config, this
     certificate is the trust anchor for IdP signatures, so obtain this file over
     a trusted channel and keep the certificate pinned here.
     The certificate body is redacted as CERT in this post. -->
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
CERT
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://saml.organization.es/profile/SAML1/SOAP/ArtifactResolution"
index="1"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://saml.organization.es/profile/SAML2/SOAP/ArtifactResolution"
index="2"/>
<!-- NameID formats the IdP offers: Shibboleth 1.0, SAML 2 transient and
     SAML 1.1 emailAddress. SAML 2 persistent is NOT listed, although the SP
     metadata in this post requests it. -->
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<!-- SSO endpoints. The SP config here uses SAML 2, so one of the three SAML2
     bindings below (POST, POST-SimpleSign, Redirect) is what the AuthnRequest
     will target; the Shibboleth 1.0 endpoint is legacy. -->
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://saml.organization.es/profile/Shibboleth/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://saml.organization.es/profile/SAML2/POST/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://saml.organization.es/profile/SAML2/POST-SimpleSign/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://saml.organization.es/profile/SAML2/Redirect/SSO" />
</IDPSSODescriptor>
<!-- Back-channel attribute query role. Not used by the browser SSO flow, so it
     cannot explain the error above. -->
<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">organization.es</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
CERT
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<!-- NOTE(review): both AttributeService locations contain an empty port
     ("https://saml.organization.es:/profile/..."). It looks like a typo in the
     supplied metadata; worth reporting to the operator even though it is
     outside the SSO path. -->
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://saml.organization.es:/profile/SAML1/SOAP/AttributeQuery" />
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://saml.organization.es:/profile/SAML2/SOAP/AttributeQuery" />
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
</AttributeAuthorityDescriptor>
<Organization>
<OrganizationName xml:lang="es">ORGANIZATION</OrganizationName>
<OrganizationDisplayName xml:lang="es">ORGANIZATION</OrganizationDisplayName>
<OrganizationURL xml:lang="es">http://www.organization.es</OrganizationURL>
</Organization>
<!-- Operator contact; this is who to ask about the relying-party configuration. -->
<ContactPerson contactType="technical">
<Company>ORGANIZATION</Company>
<EmailAddress>suport@organization.es</EmailAddress>
</ContactPerson>
</EntityDescriptor>
SP.XML
<?xml version="1.0" encoding="UTF-8"?>
<!-- SP metadata handed to the IdP (security.saml.metadata.sp.file in the config).
     The entityID below is exactly the relying party named in the IdP error, so
     the IdP does map the request to this SP; what is missing is presumably the
     SAML 2 SSO profile in the IdP's configuration for this entityID.
     NOTE(review): entityID is an anyURI and many IdP deployments expect a
     URL-like value; a scheme-less "localhost:dev:..." id may be mis-registered.
     Agree the exact string with the operator. -->
<EntityDescriptor entityID = "localhost:dev:myAppSAML" xmlns = "urn:oasis:names:tc:SAML:2.0:metadata">
<!-- AuthnRequestsSigned="false" and no KeyDescriptor at all: the IdP has no SP
     certificate, so it can neither verify signed AuthnRequests nor encrypt
     assertions to this SP. That contradicts signingKey/encryptionKey 'ping' in
     DefaultSamlSecurityConfig.groovy; export the SP certificate from the keystore
     into a KeyDescriptor here if signing or encryption is expected.
     The last protocolSupportEnumeration entry (WS-Security secext) is not a SAML
     protocol URI; harmless but unusual. -->
<SPSSODescriptor AuthnRequestsSigned="false" protocolSupportEnumeration = "urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<!-- persistent is requested here but the IdP metadata above does not offer it. -->
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<!-- SECURITY: the AssertionConsumerService is plain http. The IdP POSTs the SAML
     Response (assertion, user identity, attributes) to this URL, so it travels in
     cleartext and the resulting session is established on an http origin. Use an
     https URL and register that with the IdP.
     NOTE(review): the "/spring-security-saml/" path segment is unusual; the other
     plugin endpoints in this config sit directly under /saml/. Verify the URL
     actually reaches the plugin's SSO filter. -->
<AssertionConsumerService index = "1" isDefault="true" Binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location = "http://myapp.mycompany.com/myAppSAML/spring-security-saml/saml/SSO" />
</SPSSODescriptor>
</EntityDescriptor>
DefaultSamlSecurityConfig.groovy
// DefaultSamlSecurityConfig.groovy: spring-security-saml plugin settings.
// Key-path config consumed by the plugin; values below are merged by name.
security {
saml {
// No SAML attribute -> user property mappings configured.
userAttributeMappings = [:]
active = true
afterLoginUrl = '/'
afterLogoutUrl = '/'
// SAML attribute whose values become the user's authorities.
userGroupAttribute = "memberOf"
// Allowed clock skew (seconds) when validating assertion timestamps.
responseSkew = 60
// Users are NOT created on first login; they must already exist locally.
autoCreate {
active = false
key = 'username'
assignAuthorities = true
}
metadata {
// The IdP used when the entry point is hit without an explicit IdP.
defaultIdp = 'ping'
url = '/saml/metadata'
// Only the IdP metadata file differs between the working test IdP and the
// failing real IdP; swap the line below (per the question text).
providers = [ ping :'security/idp-samlidtest.xml']
//providers = [ ping :'security/idp-organization.xml']
sp {
// Local SP metadata; the sp.xml shown above declares no KeyDescriptor,
// so the keys referenced below are never advertised to the IdP.
file = 'security/sp-organization.xml'
defaults = [
local: true,
// NOTE(review): alias doubles as the entityID here; the alias is used in
// endpoint paths, so a colon-free token is the safer choice.
alias: 'localhost:dev:myAppSAML',
// 'metaiop': trust is derived from certificates in the loaded metadata,
// i.e. the IdP certificate in idp.xml is the trust anchor.
securityProfile: 'metaiop',
signingKey: 'ping',
encryptionKey: 'ping',
tlsKey: 'ping',
// SECURITY: unsigned artifact-resolve and logout messages are accepted.
// Anyone who learns a NameID/session index can then force a logout;
// prefer requiring signatures once the IdP's signing key is trusted.
requireArtifactResolveSigned: false,
requireLogoutRequestSigned: false,
requireLogoutResponseSigned: false,
// NOTE(review): discovery redirects the entry point to an IdP chooser;
// with defaultIdp set it adds nothing, and the IdP-side error above does
// not depend on it. Consider reverting to false.
idpDiscoveryEnabled: true
]
}
}
keyManager {
storeFile = 'classpath:security/keystore.jks'
// SECURITY: 'nalle123' / 'ping' / 'ping123' look like the well-known
// credentials of the spring-security-saml sample keystore. If that keystore
// is actually deployed, its private key is public: anyone can sign as this
// SP and decrypt anything encrypted to it. Generate a dedicated keypair and
// load the passwords from externalized config rather than committing them.
storePass = 'nalle123'
passwords = [ ping: 'ping123' ]
defaultKey = 'ping'
}
}
}