PingFederate error - Ignoring attempt to add null value to attribute map for USER_KEY

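We have a PF installation on which we are trying to set up OpenID Connect based SSO. We have connected the PF IdP to our internal Windows AD. When we try to request an authorization code to perform browser-based SSO, we get this exception: Mapping into unique user key resulted in null or empty value from source attributes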

This is what is in the log file:

2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.domain.LDAPUsernamePasswordCredentialValidator] search sAMAccountName=MYLOGIN
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{PF=v15OJ5PwavFr0TTQqGGPxWrOjzUTXlkVKfVCB2yceOXN; path=/; maxAge=-1; domain=null} replacing Cookie{PF=v15OJ5PwavFr0TTQqGGPxWv76zVxxdpyURw82xJJBtXK; path=/; maxAge=-1; domain=null}
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: v76zVxxdpyURw82xJJBtXK, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:SESSION)
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: rOjzUTXlkVKfVCB2yceOXN, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:last-activity)
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.PreferredNodes] [] -> indices to addresses -> [IP1, IP2]
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr(oldKey: rOjzUTXlkVKfVCB2yceOXN, newKey: rOjzUTXlkVKfVCB2yceOXN, name: HtmlFormIdpAuthnAdapter:WatsonHTML:first-activity)
2016-04-26 10:42:26,912  DEBUG [org.sourceid.saml20.service.impl.localmemory.InterReqStateMgmtMapImpl] setAttr: new size of attribute map=110
2016-04-26 10:42:26,912  DEBUG [com.pingidentity.jgroups.MuxInvocationHandler] invocation of setAttr on InterReqStateMgmtMapImpl state map size:8 attributes map size110
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.service.impl.grouprpc.InterRequestStateMgmtGroupRpcImpl] called mode:GET_MAJORITY setAttr() on [IP1, IP2]
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{pf-hfa-WatsonHTML-rmu=; path=/; maxAge=0; domain=null} replacing null
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.websso.authn.AdapterAuthnProcessor] adapterResponse=SUCCESS
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for context.TargetResource
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_KEY
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_NAME
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI DEBUG [org.sourceid.saml20.domain.AttributeMapping] Source attributes:{context.ClientIp=CLIP, context.OAuthScopes=openid, username=MYLOGIN, DN=CN=My Name,OU=Users,OU=xx,OU=xx,DC=xx,DC=yy,DC=co,DC=uk, org.sourceid.saml20.adapter.idp.authn.authnInst=1461663746912, context.ClientId=UAT-Watson, context.HttpRequest=/as/Z3XeL/resume/as/authorization.ping} Resulting attributes:{}
2016-04-26 10:42:26,912 tid:uWXoT4raO7G-Cx8LMtl6ioqtvuI ERROR [org.sourceid.oauth20.handlers.HandleAuthorizationRequest] Exception occurred during request processing
org.sourceid.websso.profiles.ProcessRuntimeException: Mapping into unique user key resulted in null or empty value from source attributes
    at org.sourceid.oauth20.domain.UserKeyAttrMapping.execMapping(UserKeyAttrMapping.java:50) ~[pf-protocolengine.jar:?]
    at org.sourceid.oauth20.domain.UserKeyAttrMapping.execMapping(UserKeyAttrMapping.java:38) ~[pf-protocolengine.jar:?]

I am confused as to why USER_KEY and USER_NAME get NULL values even though the IdP adapter response is SUCCESS.

Can anyone help?

Thanks

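OK. I found a workaround. In my IdP adapter mapping, I had USER_NAME Adapter mapped to displayName. I changed it to the ${username} Text value. This helped. However, I still do not understand how/why this is the right thing to do.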
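
One way to check which source attributes the adapter actually supplied when this error appears (an added example, not part of the original posts and not PingFederate code). It parses the `AttributeMapping` debug line and reports which attributes a mapping reads from are absent; the `mapped_from` parameter and the shortened sample log are assumptions constructed for the illustration.

```python
import re

# Constructed sample modeled on the DEBUG lines quoted in the question
# (values shortened; not a verbatim copy of the log).
SAMPLE_LOG = """\
2016-04-26 10:42:26,912 tid:abc DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_KEY
2016-04-26 10:42:26,912 tid:abc DEBUG [org.sourceid.util.log.AttributeMap] Ignoring attempt to add null value to attribute map for USER_NAME
2016-04-26 10:42:26,912 tid:abc DEBUG [org.sourceid.saml20.domain.AttributeMapping] Source attributes:{context.OAuthScopes=openid, username=MYLOGIN, DN=CN=My Name,OU=Users,DC=xx,DC=yy, context.ClientId=UAT-Watson} Resulting attributes:{}
"""

NULL_RE = re.compile(
    r"tid:(\S+) .*Ignoring attempt to add null value to attribute map for (\S+)")
MAP_RE = re.compile(
    r"tid:(\S+) .*\[org\.sourceid\.saml20\.domain\.AttributeMapping\] "
    r"Source attributes:\{(.*)\} Resulting attributes:\{(.*)\}")


def parse_attrs(body):
    """Split 'k=v, k=v' where a value (e.g. a DN) may itself contain ',' and '='."""
    if not body:
        return {}
    # Split only on ', ' that is followed by something shaped like 'key='.
    parts = re.split(r", (?=[\w.\-]+=)", body)
    return dict(p.split("=", 1) for p in parts)


def diagnose(log_text, mapped_from):
    """Per transaction id: null mapping targets, source attribute names, and
    which attributes the mapping reads from (mapped_from) were not supplied."""
    report = {}
    for line in log_text.splitlines():
        m = NULL_RE.search(line)
        if m:
            entry = report.setdefault(m.group(1), {"null_targets": []})
            entry["null_targets"].append(m.group(2))
            continue
        m = MAP_RE.search(line)
        if m:
            entry = report.setdefault(m.group(1), {"null_targets": []})
            source = parse_attrs(m.group(2))
            entry["source_names"] = sorted(source)
            entry["result_empty"] = not parse_attrs(m.group(3))
            entry["missing"] = [a for a in mapped_from if a not in source]
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, ["displayName", "username"]))
```

Run against the sample, `displayName` is reported as missing while `username` is present, which matches the source attributes shown in the quoted log line.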