Question:

Spring SAML - single logout

傅经业
2023-03-14

I have set up a federation using spring-saml. The SSO process works fine, but I have a problem with single logout.

Problem #1 is that after I call saml/logout from the SP, it logs out of the IdP and also logs out of my SP, but it does not redirect to the IdP login page.

Problem #2 is that when I have other SPs participating alongside my SP, my SP somehow breaks the chain: it sends the other SPs to my SP's logout page instead of the IdP's logout page.

Here is my configuration:

@Bean
public MethodInvokingFactoryBean socketFactoryInitialization() {
    MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
    methodInvokingFactoryBean.setTargetClass(Protocol.class);
    methodInvokingFactoryBean.setTargetMethod("registerProtocol");
    Object[] args = {"https", socketFactoryProtocol()};
    methodInvokingFactoryBean.setArguments(args);
    return methodInvokingFactoryBean;
}

@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
    WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
    webSSOProfileOptions.setIncludeScoping(false);
    return webSSOProfileOptions;
}

// Entry point to initialize authentication, default values taken from
// properties file
@Bean
public SAMLEntryPoint samlEntryPoint() {
    SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
    samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
    return samlEntryPoint;
}

// Setup advanced info about metadata
@Bean
public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata extendedMetadata = new ExtendedMetadata();
    extendedMetadata.setIdpDiscoveryEnabled(false);
    extendedMetadata.setSignMetadata(true);
    return extendedMetadata;
}

// IDP Discovery Service
@Bean
public SAMLDiscovery samlIDPDiscovery() {
    SAMLDiscovery idpDiscovery = new SAMLDiscovery();
    idpDiscovery.setIdpSelectionPath("/saml/idpSelection");
    return idpDiscovery;
}

@Bean
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider()
    throws MetadataProviderException {

    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource resource = loader.getResource("classpath:/saml/idp.xml");
    FilesystemMetadataProvider fileSystemMetaDataProvider;
    try {
        fileSystemMetaDataProvider = new FilesystemMetadataProvider(resource.getFile());
    } catch (IOException e) {
        // Fail bean creation instead of continuing with a null provider
        throw new MetadataProviderException("Cannot read IdP metadata from classpath:/saml/idp.xml", e);
    }

    fileSystemMetaDataProvider.setParserPool(parserPool());

    ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(fileSystemMetaDataProvider, extendedMetadata());
    extendedMetadataDelegate.setMetadataTrustCheck(false);
    extendedMetadataDelegate.setMetadataRequireSignature(false);
    return extendedMetadataDelegate;
}

// IDP Metadata configuration - paths to metadata of IDPs in circle of trust
// is here
// Do not forget to call the initialize method on providers
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    providers.add(ssoCircleExtendedMetadataProvider());
    return new CachingMetadataManager(providers);
}

// Filter automatically generates default SP metadata
@Bean
public MetadataGenerator metadataGenerator() {

    log.debug("Application Base URL: " + env.getProperty("applicationBaseURL"));

    MetadataGenerator metadataGenerator = new MetadataGenerator();      
    metadataGenerator.setBindingsSLO(Arrays.asList("Redirect", "POST"));

    metadataGenerator.setRequestSigned(false);
    metadataGenerator.setEntityId(env.getProperty("applicationBaseURL"));
    metadataGenerator.setExtendedMetadata(extendedMetadata());
    metadataGenerator.setIncludeDiscoveryExtension(false);
    String url = env.getProperty("applicationBaseURL");
    metadataGenerator.setEntityBaseURL(url);

    return metadataGenerator;
}

// The filter is waiting for connections on URL suffixed with filterSuffix
// and presents SP metadata there
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
    return new MetadataDisplayFilter();
}

// Handler deciding where to redirect user after successful login
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
    SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler =
        new SavedRequestAwareAuthenticationSuccessHandler();
    successRedirectHandler.setDefaultTargetUrl("/#/login");
    return successRedirectHandler;
}

// Handler deciding where to redirect user after failed login
@Bean
public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
    SimpleUrlAuthenticationFailureHandler failureHandler =
        new SimpleUrlAuthenticationFailureHandler();
    failureHandler.setUseForward(true);
    failureHandler.setDefaultFailureUrl("/#/error");
    return failureHandler;
}

@Bean
public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
    SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter();
    samlWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
    samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager());
    samlWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
    return samlWebSSOHoKProcessingFilter;
}

// Processing filter for WebSSO profile messages
@Bean
public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
    SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
    samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
    samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
    samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
    return samlWebSSOProcessingFilter;
}

@Bean
public MetadataGeneratorFilter metadataGeneratorFilter() {
    return new MetadataGeneratorFilter(metadataGenerator());
}

// Handler for successful logout
@Bean
public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
    SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
    return successLogoutHandler;
}

// Logout handler terminating local session
@Bean
public SecurityContextLogoutHandler logoutHandler() {
    SecurityContextLogoutHandler logoutHandler =
        new SecurityContextLogoutHandler();
    logoutHandler.setInvalidateHttpSession(true);
    logoutHandler.setClearAuthentication(true);
    return logoutHandler;
}

// Filter processing incoming logout messages
// First argument determines URL user will be redirected to after successful
// global logout
@Bean
public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
    return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
}

// Overrides default logout processing filter with the one processing SAML
// messages
@Bean
public SAMLLogoutFilter samlLogoutFilter() {
    return new SAMLLogoutFilter(successLogoutHandler(),
        new LogoutHandler[] { logoutHandler() },
        new LogoutHandler[] { logoutHandler() });
}

// Bindings
private ArtifactResolutionProfile artifactResolutionProfile() {
    final ArtifactResolutionProfileImpl artifactResolutionProfile =
        new ArtifactResolutionProfileImpl(httpClient());
    artifactResolutionProfile.setProcessor(new SAMLProcessorImpl(soapBinding()));
    return artifactResolutionProfile;
}

@Bean
public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
    return new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile());
}

@Bean
public HTTPSOAP11Binding soapBinding() {
    return new HTTPSOAP11Binding(parserPool());
}

@Bean
public HTTPPostBinding httpPostBinding() {
    return new HTTPPostBinding(parserPool(), velocityEngine());
}

@Bean
public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
    return new HTTPRedirectDeflateBinding(parserPool());
}

@Bean
public HTTPSOAP11Binding httpSOAP11Binding() {
    return new HTTPSOAP11Binding(parserPool());
}

@Bean
public HTTPPAOS11Binding httpPAOS11Binding() {
    return new HTTPPAOS11Binding(parserPool());
}

Here are my logs:

22:08:45.062 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.064 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.065 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.066 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
22:08:45.070 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://idp.server.com:443/fsso
22:08:45.070 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://idp.server.com:443/fsso
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
22:08:45.071 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Deflating and Base64 encoding SAML message
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Marshalling message
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Building URL to redirect client to
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generating signature with key type 'RSA', algorithm URI 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' over query string 'SAMLRequest=nZLbbtswDIbv9xSGbgvH8iG2I8QuWgQFjHVblrQF2jtaphMBtpSZctfHr5wsQ3dAge1GEAjyI%2F%2BfXF6%2B9J33jAMpowsWzjjzUEvTKL0r2P3djZ%2Bzy%2FLDkqDvooO4NTsz2g1%2BG5Gst3KP0mCPpXtrDySCAKQ0o7bkN%2Fg8%2B461ND3h4DrM3E8kSRy0RCaoVuttZzbYqAGlDXq0cNUpoMCVBao5MK9aFQwWKYZJmiDupIQ4rVOeIs%2F2ebpo3KQV0YiVJgvaFizi4dznsc%2BjuygUPBfJfMaz8Il5D2d90aTPKdYkTooKNg5aGCBFQkOPJKwU26tPt8KlisNgrJGmY%2BXJAHFsOLwlvA8Actonf1g5%2BePs6YyEbm%2FIipznPFgGb8HnNp8dqFp5N2bowb7fYYqoxm%2BPqcIOoEmhtsybGF9H6FSrcPjX9TBvu%2F4L4M%2F52X95ET%2FWLWYXcv1xk0WL6%2Fsv%2Bb6zPYYXa5WeHTl5UJ4vb4s0rbDSDb6UFKVtDUku87iGOosQQpnEnMdNNk9CcOwsalE2PPxB%2B63%2BZ%2FSXey5fAQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1'
22:08:45.075 [DEBUG] o.o.x.s.SigningUtil - Computing signature over input using private key of type RSA and JCA algorithm ID SHA1withRSA
22:08:45.103 [DEBUG] o.o.x.s.SigningUtil - Computed signature: 2b169f61974c194392a165a727652977da7847dd011e46acf69f57372ee3e680953fa12a27b0611b658f020104dfa5a4e6edec36cbb02a4eaa68f490b5cc40a940d36792fea9c96e4e334e0d1ce4a7d41dcdf8590b8557805cd752aebd01e59d5575f6b55ab804e381a71c46523ff5cd72a3e783a31c008cc4a350a8348aaec161928344c286c96b3dffbec05d2652db602d4501c086cdc21896ee67125da4774795507ecd8e1e0fbdd76febefd5313d15d784f832b083ceed40b45e452daedeb732e81911e7e3319aa2af9a0c22fa4bfcf21c92ac35cb204f3a478d7ef5e8d52fc0bfe2ca21877c66f7cf3240b896eef3155ca3972a78fefd20341ee0db6f41
22:08:45.103 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generated digital signature value (base64-encoded) KxafYZdMGUOSoWWnJ2Upd9p4R90BHkas9p9XNy7j5oCVP6EqJ7BhG2WPAgEE36Wk5u3sNsuwKk6qaPSQtcxAqUDTZ5L+qcluTjNODRzkp9QdzfhZC4VXgFzXUq69AeWdVXX2tVq4BOOBpxxGUj/1zXKj54OjHACMxKNQqDSKrsFhkoNEwobJaz3/vsBdJlLbYC1FAcCGzcIYlu5nEl2kd0eVUH7Njh4Pvddv6+/VMT0V14T4MrCDzu1AtF5FLa7etzLoGRHn4zGaoq+aDCL6S/zyHJKsNcsgTzpHjX716NUvwL/iyiGHfGb3zzJAuJbu8xVco5cqeP79IDQe4NtvQQ==
22:08:45.105 [DEBUG] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
    Destination="https://idp.server.com:443/fsso/IDPSloRedirect/metaAlias/dev/idp"
    ID="a96e1464eegcca36b606e07h869d0"
    IssueInstant="2015-03-02T21:08:45.071Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/</saml2:Issuer>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.server.com:443/fsso"
        SPNameQualifier="http://localhost:8080/" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">3Ybfe7+cPKR729BUO8hltme1+Pi6</saml2:NameID>
    <saml2p:SessionIndex>s26fba48c83bab72ea1c43003d7541afe772fecd01</saml2p:SessionIndex>
</saml2p:LogoutRequest>

22:08:45.105 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Successfully encoded message.
22:08:46.345 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.347 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.348 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.349 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
22:08:46.351 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
22:08:46.352 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded RelayState: null
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Base64 decoding and inflating SAML message
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Parsing message stream into DOM document
22:08:46.355 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Unmarshalling message DOM
22:08:46.356 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Message succesfully unmarshalled
22:08:46.357 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded SAML message
22:08:46.357 [DEBUG] o.o.s.b.d.BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
22:08:46.358 [DEBUG] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse
    Destination="http://localhost:8080//saml/SingleLogout"
    ID="s8ce9d2c8fd0758d2755ed7256479469b8c686665"
    InResponseTo="a96e1464eegcca36b606e07h869d0"
    IssueInstant="2015-03-02T21:08:45Z" Version="2.0"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.server.com:443/fsso</saml:Issuer>
<samlp:Status
            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode
            Value="urn:oasis:names:tc:SAML:2.0:status:Success" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
</samlp:StatusCode>
</samlp:Status>
</samlp:LogoutResponse>

22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
22:08:46.358 [INFO] o.o.c.b.s.SAMLProtocolMessageXMLSignatureSecurityPolicyRule - SAML protocol message was not signed, skipping XML signature processing
22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Successfully decoded message.
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Intended message destination endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Actual message receiver endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
22:08:48.145 [DEBUG] c.c.c.s.Http401UnauthorizedEntryPoint - Pre-authenticated entry point called. Rejecting access

Can someone help me with the configuration?

Thanks

1 answer

章飞虎
2023-03-14

Spring SAML should call your bean successLogoutHandler() after a successful single logout. You can set the property defaultTargetUrl to the URL of the IdP login page and set alwaysUseDefaultTargetUrl to true, so the user is always sent there after logout.
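The change the answer describes, written out as an added example (this is not the poster's code or Spring SAML's own sample): the successLogoutHandler() bean from the question, with the two properties set. The property name idpLoginURL is an assumption; read the IdP login page address from wherever your configuration keeps it, and keep env as the Environment already used by metadataGenerator() in the question.

```java
// Added example, not the original poster's code: successLogoutHandler()
// rewritten so the browser always lands on the IdP login page once single
// logout has completed. "idpLoginURL" is an assumed property name.
@Bean
public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
    SimpleUrlLogoutSuccessHandler handler = new SimpleUrlLogoutSuccessHandler();

    String idpLoginUrl = env.getProperty("idpLoginURL");
    if (idpLoginUrl == null || idpLoginUrl.isEmpty()) {
        // Refuse to start with an unset target rather than silently falling
        // back to "/" after logout.
        throw new IllegalStateException("idpLoginURL must be configured");
    }

    // Where to send the user after the LogoutResponse from the IdP has been
    // processed by SAMLLogoutProcessingFilter (or after a local logout).
    handler.setDefaultTargetUrl(idpLoginUrl);

    // With this flag set, any target-URL request parameter or Referer header
    // is ignored and the fixed URL above is always used, so the post-logout
    // destination cannot be influenced by the request.
    handler.setAlwaysUseDefaultTargetUrl(true);

    return handler;
}
```

Both samlLogoutFilter() and samlLogoutProcessingFilter() in the question already take successLogoutHandler() as their success handler, so changing this one bean covers the SP-initiated and the IdP-initiated paths. Two things visible in the posted log are worth checking at the same time: the LogoutResponse was accepted with "SAML protocol message was not signed, skipping XML signature processing", and the configuration sets setMetadataTrustCheck(false) and setMetadataRequireSignature(false), so message and metadata signatures are not being enforced; and the Destination value "http://localhost:8080//saml/SingleLogout" carries a double slash because applicationBaseURL ends with a trailing slash, which is worth removing so that the endpoint URLs in the generated metadata match exactly.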
