Question:

onelogin SSO shibboleth ACS configuration

赫连冠玉
2023-03-14

I am trying to get Shibboleth SP working in my lab with OneLogin [SAML Test Connector (IdP w/ attr)]. I was able to get everything working with the testshib IdP, but when I change the metadata provider and update the SSO entityID, all I get is the following error:

SAML message delivered with POST to incorrect server URL.

When I look at my metadata file, I see that my ACS is:

    http://testserver/Shibboleth.sso/SAML2/POST

But when this is put into my OneLogin test connector, all I get is the error above.

Below is my Shibboleth2.xml file (entity IDs removed):

    <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">

        <!-- Windows RequestMapper -->
        <!-- The RequestMap defines portions of the webspace to protect; testserver/secure here. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap -->

        <InProcess logger="native.logger">
            <ISAPI normalizeRequest="true" safeHeaderNames="false">
                <!--
                Maps IIS Instance ID values to the host scheme/name/port. The name is
                required so that the proper <Host> in the request map above is found without
                having to cover every possible DNS/IP combination the user might enter.
                -->
                <Site id="1" name="testserver"/>
                <!--
                When the port and scheme are omitted, the HTTP request's port and scheme are used.
                If these are wrong because of virtualization, they can be explicitly set here to
                ensure proper redirect generation.
                -->
                <!--
                <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
                -->
            </ISAPI>
        </InProcess>

        <RequestMapper type="Native">
            <RequestMap applicationId="default">
                <Host name="testserver">
                    <Path name="secure" authType="shibboleth" requireSession="true"/>
                </Host>
            </RequestMap>
        </RequestMapper>

        <!-- The entityID is the name TestShib made for your SP. -->
        <ApplicationDefaults entityID="" REMOTE_USER="eppn">

            <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
            <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">

                <!-- Triggers a login request directly to the TestShib IdP. -->
                <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
                <SSO entityID="">SAML2</SSO>

                <!-- SAML and local-only logout. -->
                <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
                <Logout>SAML2 Local</Logout>

                <!--
                Handlers allow you to interact with the SP and gather more information.  Try them out!
                Attribute values received by the SP through SAML will be visible at:
                http://sdserver/Shibboleth.sso/Session
                -->

                <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
                <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
                <!-- Status reporting service. -->
                <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
                <!-- Session diagnostic service. -->
                <Handler type="Session" Location="/Session" showAttributeValues="true"/>
                <!-- JSON feed of discovery information. -->
                <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

            </Sessions>

            <!-- Error pages to display to yourself if something goes horribly wrong. -->
            <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>

            <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
            <MetadataProvider type="XML" file="onelogin_metadata.xml"/>

            <!-- Attribute and trust options you shouldn't need to change. -->
            <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
            <AttributeResolver type="Query" subjectMatch="true"/>
            <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

            <!-- Your SP generated these credentials.  They're used to talk to IdP's. -->
            <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        </ApplicationDefaults>

        <!-- Security policies you shouldn't change unless you know what you're doing. -->
        <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

        <!-- Low-level configuration about protocols and bindings available for use. -->
        <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
    </SPConfig>

Metadata (again with sensitive information removed):

    <?xml version="1.0"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/">
      <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate></ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://.onelogin.com/trust/saml2/soap/sso/"/>
      </IDPSSODescriptor>
      <ContactPerson contactType="technical">
        <SurName>Support</SurName>
        <EmailAddress>support@onelogin.com</EmailAddress>
      </ContactPerson>
    </EntityDescriptor>

The connector has only the following settings:

ACS (Consumer) URL Validator: ^http://testserver/shibboleth.sso/SAML2/POST$

ACS (Consumer) URL: http://testserver/shibboleth.sso/SAML2/POST

1 answer

空俊语
2023-03-14

This guide explains how to configure the OneLogin connector.

  • http…shibboleth.sso/SAML2/POST
  • Recipient: -

In Shibboleth:

Edit /etc/shibboleth/shibboleth2.xml and add the metadata URL as a metadata provider.

By logging into OneLogin as an administrator and clicking on Test Connector, I see that you already have the application's metadata URL,

and add it to the file:

    <MetadataProvider type="XML" file="onelogin_metadata.xml"/>

Add the attribute mapping: edit /etc/shibboleth/attribute-map.xml and add the following attributes:

    <!-- OneLogin attributes -->

    <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="login">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

    <Attribute name="User.Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="email">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>

    <Attribute name="User.FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="firstName">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>

    <Attribute name="User.LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="lastName">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>

The error you are getting, "SAML message delivered with POST to incorrect server URL", is documented:

When a SAML message is addressed to a location inconsistent with where the SP believes it's running, this error will be thrown. The SP pulls much of this information from the web environment.

* Verify that the server name and port are properly set in accordance with the SP's metadata.
* Rewriting rules in effect for the Shibboleth.sso handler path must be consistent with the SP's metadata.
* The IdP needs to properly address the SAML response.

Use a SAML tracer tool to record the SAML flow and verify that the SAML response is sent with the HTTP-POST binding to the http://testserver/shibboleth.sso/SAML2/POST endpoint.

I'm not a Shibboleth expert, but it may be related to the fact, described here, that the response is sent from HTTPS to HTTP, as explained here.
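To make the check behind that error concrete, here is an added Python example; it is not part of the original answer and not Shibboleth's own code. It rebuilds the ACS URL an SP derives from the web environment (scheme, host, port, handler path), decodes a SAMLResponse form value as a SAML tracer would show it, and compares the Response's Destination, the assertion's SubjectConfirmationData/@Recipient and the Issuer against what the SP expects. The SAML Response embedded below is constructed for this example (the IdP entityID and ACS path are the ones from the question, the IDs and timestamps are made up), and the HTTPS-to-HTTP mismatch it reproduces is the one suspected in the answer. Scheme and host are compared case-insensitively and a missing port is defaulted per the scheme; the path is compared byte-for-byte, which is an assumption about how strict the SP is, not a statement about Shibboleth internals.

```python
"""Check a POSTed SAML 2.0 Response against the ACS URL the SP believes it serves.

Added example for this Q&A page, not part of Shibboleth SP or OneLogin.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# IdP entityID as it appears in the question's onelogin_metadata.xml.
IDP_ENTITY_ID = "https://app.onelogin.com/saml/metadata/"

# Constructed sample: the IdP addressed the message to the HTTPS ACS URL,
# which is the mismatch that appears when TLS is terminated in front of an SP
# that only sees plain HTTP. IDs and timestamps are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2023-03-14T10:00:00Z"
    Destination="https://testserver/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a55e7" Version="2.0" IssueInstant="2023-03-14T10:00:00Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://testserver/Shibboleth.sso/SAML2/POST"
            NotOnOrAfter="2023-03-14T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def encode_sample():
    """Base64-encode the sample the way it travels in the SAMLResponse form field."""
    return base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def acs_url_from_request(scheme, host, port, handler_path="/Shibboleth.sso/SAML2/POST"):
    """Rebuild the endpoint the SP thinks it is running at from the request environment.

    This mirrors the idea that the SP 'pulls much of this information from the
    web environment': whatever scheme/host/port the web server reports is what
    the SP will compare the message's Destination against.
    """
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{handler_path}"


def normalize(url):
    """Scheme and host are case-insensitive (RFC 3986); default the port; keep the path exact."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port, p.path)


def check_response(saml_response_b64, expected_acs, expected_issuer=None):
    """Return a list of mismatch descriptions; an empty list means the message is addressed to this SP."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    destination = root.get("Destination")
    if destination is None:
        problems.append("Response has no Destination attribute")
    elif normalize(destination) != normalize(expected_acs):
        problems.append(f"Destination {destination} != ACS {expected_acs}")

    # Bearer assertions must also name this ACS as the Recipient.
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient")
        if recipient and normalize(recipient) != normalize(expected_acs):
            problems.append(f"Recipient {recipient} != ACS {expected_acs}")

    if expected_issuer is not None:
        issuer_el = root.find("saml:Issuer", NS)
        issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
        if issuer != expected_issuer:
            problems.append(f"Issuer {issuer!r} is not the configured IdP entityID {expected_issuer!r}")

    return problems


if __name__ == "__main__":
    # What the SP sees when the web server reports plain HTTP on port 80.
    sp_view = acs_url_from_request("http", "testserver", 80)
    for label, acs in (("SP behind TLS terminator (http)", sp_view),
                       ("SP serving https directly", "https://testserver/Shibboleth.sso/SAML2/POST")):
        found = check_response(encode_sample(), acs, IDP_ENTITY_ID)
        print(f"{label}: {'OK' if not found else 'MISMATCH'}")
        for line in found:
            print("  -", line)
```

Run it and the first case reports both the Destination and the Recipient as mismatched against `http://testserver/...`, while the second passes; that is the difference between the URL in the SP's metadata and the URL the IdP was told to post to, which is exactly what the documented error is complaining about. Point the same `check_response` at a real SAMLResponse copied from a SAML tracer to confirm which side is wrong before touching either configuration.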
