1
我使用TestShib和Python Social Auth SAML backend在Django应用程序上实现服务提供程序。SAML服务提供者如何匹配IDP元数据信息?
我已经能够配置我的应用程序,并构建一个元数据文件。
TestShib允许我的元数据文件上传here。
我已经在我的末端正确配置了TestShib的元数据,并构建了一个指向TestShib端点的测试按钮。
当我单击该按钮时,我被重定向到TestShib,然后提供测试凭据,然后出现错误,因为元数据与重定向不匹配。
TestShib或其他任何IDP如何在输入认证请求后找到正确的元数据(在几个SP之间)? EntityID是否必须与服务提供商的URL匹配?
编辑:(添加详细信息)
SP的元数据(之前上传到TestShib):
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="P10D" entityID="https://www.example.com">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDBDC .. QltX1icsr0=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDBDC .. QltX1icsr0=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://staging.example.com/complete/xx-saml/" index="1" />
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">example</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">Example</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://www.example.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>John Doe</md:GivenName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>John Doe</md:GivenName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
请求:
https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVNN ...
<samlp:AuthnRequest
AssertionConsumerServiceURL="https://staging.example.com/complete/saml/"
Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
ID="ONELOGIN_973a7f348c282cc6dedd4410f900efcf9538dcda" IssueInstant="2016-08-22T14:12:11Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="Example"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer>https://www.example.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
错误:
10:10:39.009 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'https://www.example.com' requested the response to be returned to endpoint with ACS URL 'https://staging.example.com/complete/saml/' and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding, can be found in the relying party's metadata
10:10:39.009 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447]
- No return endpoint available for relying party https://www.example.com
https://staging.example.com/complete/saml/可用,因此这个问题似乎是,元数据信息不被发现TestShib。实体ID和发行人似乎与..
你能发布实际的错误,以及你的元数据吗? –
我已添加更多信息。 Python Social Auth不需要太多配置,所以我认为元数据和断言应该匹配。也许版本不正确? – martincho