使用 SSP 和 ADFS 作为 IdP 代理的 WordPress 单点登录
WordPress Single Sign On using SSP and ADFS as IdP proxy
好吧,我已经被困了好几天了,所以这是我唯一的希望。
我已经用 ADFS 3.0 配置了 Windows 2012 r2,用 SAML 2.0 单点登录插件配置了 bitnami Wordpress (4.2.2),用 SimpleSAMLphp 1.13 配置了 Ubuntu 服务器。
Wordpress configuration looks like this:
WordPress NameID 政策:
WordPress 属性:
对于身份验证源,我使用的是 SSP 的文件模块。它具有以下属性:
User-Name 用于用户 ID,mail 用于用户的电子邮件地址,Filter-Id 用于用户组。
At ADFS side, I have configured claims provider trust as SSP and relying party's trust as WP.
这些的声明规则是:
SSP:
规则 1:转换名称 ID 策略。如果未设置此规则,WP 的 SSP 会给出 NameIDPolicy 无效错误。
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
规则 2:通过所有声明
c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"]
=> issue(claim = c);
WordPress:
规则一:将name属性转换为WP的属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);
规则 2:转换邮件属性
c:[Type == "mail"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress", Value = c.Value);
规则 3:转换组属性
c:[Type == "Filter-Id"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/Group", Value = c.Value);
规则 4:转换为 Givenname 属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname", Value = c.Value);
规则 5:转换为姓氏属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/surname", Value = c.Value);
规则 6:转换名称 ID 政策并发布所有声明
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
用户成功通过身份验证 (SP/IdP-Initiated)。但是在 WP 端我收到错误提示 Username was not provided.
ADFS 跟踪器日志显示 SSO token is null or empty. Cannot write SSO token to Cookies.
我检查了用户登录的 IdP,它显示用户已登录。跟踪日志还显示 Valid assertion returned from 'https://example.com/simplesamlphp/saml2/idp/metadata.php'
我猜索赔规则有问题,但我不确定,因为配置看起来和工作正常。
欢迎指点!
谢谢!
所以链是 WP --> ADFS --> SSP
通常对于 NameID,您使用转换规则,例如
将电子邮件转换为具有电子邮件格式的 NameID。
对于 CP,您需要每个属性的传递规则。
这条规则"c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"]
=> issue(claim = c);" 不会传递所有规则 - 最好单独进行。
RP 规则看起来正确,但 NameID 规则的格式为电子邮件,因此它应该来自电子邮件,而不是姓名。
好吧,我已经被困了好几天了,所以这是我唯一的希望。
我已经用 ADFS 3.0 配置了 Windows 2012 r2,用 SAML 2.0 单点登录插件配置了 bitnami Wordpress (4.2.2),用 SimpleSAMLphp 1.13 配置了 Ubuntu 服务器。
Wordpress configuration looks like this:
WordPress NameID 政策:
WordPress 属性:
对于身份验证源,我使用的是 SSP 的文件模块。它具有以下属性:
User-Name 用于用户 ID,mail 用于用户的电子邮件地址,Filter-Id 用于用户组。
At ADFS side, I have configured claims provider trust as SSP and relying party's trust as WP.
这些的声明规则是:
SSP:
规则 1:转换名称 ID 策略。如果未设置此规则,WP 的 SSP 会给出 NameIDPolicy 无效错误。
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
规则 2:通过所有声明
c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"]
=> issue(claim = c);
WordPress:
规则一:将name属性转换为WP的属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);
规则 2:转换邮件属性
c:[Type == "mail"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress", Value = c.Value);
规则 3:转换组属性
c:[Type == "Filter-Id"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/Group", Value = c.Value);
规则 4:转换为 Givenname 属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname", Value = c.Value);
规则 5:转换为姓氏属性
c:[Type == "User-Name"]
=> add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/surname", Value = c.Value);
规则 6:转换名称 ID 政策并发布所有声明
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
用户成功通过身份验证 (SP/IdP-Initiated)。但是在 WP 端我收到错误提示 Username was not provided.
ADFS 跟踪器日志显示 SSO token is null or empty. Cannot write SSO token to Cookies.
我检查了用户登录的 IdP,它显示用户已登录。跟踪日志还显示 Valid assertion returned from 'https://example.com/simplesamlphp/saml2/idp/metadata.php'
我猜索赔规则有问题,但我不确定,因为配置看起来和工作正常。
欢迎指点!
谢谢!
所以链是 WP --> ADFS --> SSP
通常对于 NameID,您使用转换规则,例如
将电子邮件转换为具有电子邮件格式的 NameID。
对于 CP,您需要每个属性的传递规则。
这条规则"c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"] => issue(claim = c);" 不会传递所有规则 - 最好单独进行。
RP 规则看起来正确,但 NameID 规则的格式为电子邮件,因此它应该来自电子邮件,而不是姓名。