Rails omniauth-saml + 设计 + ADFS 问题
Rails omniauth-saml + devise + ADFS issue
我正在尝试将我们的 ADFS 登录与我们的应用程序集成,该应用程序结合使用 ActiveAdmin 和 Devise。为此,我成功添加了 omniauth-saml。应用程序现在重定向到 ADFS,登录成功但回调失败。我收到错误 Invalid ticket.
当我尝试在 omniauth-saml 库中查看服务器上的响应时,我可以看到它说:@document=<UNDEFINED> ... </> 和 @decrypted_document=<UNDEFINED> ... </>
initializers/devise.rb 内容为:
config.omniauth :saml,
assertion_consumer_service_url: 'https://my_server/admin/auth/saml/callback',
issuer: 'https://my_server/',
authn_context: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
idp_sso_target_url: 'https://my_adfs_server/adfs/ls/',
assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
assertion_consumer_logout_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
idp_sso_target_url_runtime_params: {original_request_param: :mapped_idp_param},
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
idp_cert: idp_certificate,
request_attributes: {},
attribute_statements: {email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
last_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']},
private_key: sp_key,
certificate: sp_certificate,
security: {authn_requests_signed: true,
logout_requests_signed: true,
logout_responses_signed: true,
metadata_signed: true,
digest_method: XMLSecurity::Document::SHA1,
signature_method: XMLSecurity::Document::RSA_SHA1,
embed_sign: false}
我该如何解决这个问题?
加法:
REXML::Document 似乎无法解密 SAML 响应中的 Cypher。它无法在没有错误的情况下这样做。当我尝试使用 https://www.samltool.com/decrypt.php 自己完成时,我发现它没有问题。
我从 ADFS 元数据中选择了错误的证书 xml。需要选择签名,不是加密证书。
通过使用 https://www.samltool.com/validate_response.php 进行调试找到了这个。
我正在尝试将我们的 ADFS 登录与我们的应用程序集成,该应用程序结合使用 ActiveAdmin 和 Devise。为此,我成功添加了 omniauth-saml。应用程序现在重定向到 ADFS,登录成功但回调失败。我收到错误 Invalid ticket.
当我尝试在 omniauth-saml 库中查看服务器上的响应时,我可以看到它说:@document=<UNDEFINED> ... </> 和 @decrypted_document=<UNDEFINED> ... </>
initializers/devise.rb 内容为:
config.omniauth :saml,
assertion_consumer_service_url: 'https://my_server/admin/auth/saml/callback',
issuer: 'https://my_server/',
authn_context: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
idp_sso_target_url: 'https://my_adfs_server/adfs/ls/',
assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
assertion_consumer_logout_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
idp_sso_target_url_runtime_params: {original_request_param: :mapped_idp_param},
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
idp_cert: idp_certificate,
request_attributes: {},
attribute_statements: {email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
last_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']},
private_key: sp_key,
certificate: sp_certificate,
security: {authn_requests_signed: true,
logout_requests_signed: true,
logout_responses_signed: true,
metadata_signed: true,
digest_method: XMLSecurity::Document::SHA1,
signature_method: XMLSecurity::Document::RSA_SHA1,
embed_sign: false}
我该如何解决这个问题?
加法: REXML::Document 似乎无法解密 SAML 响应中的 Cypher。它无法在没有错误的情况下这样做。当我尝试使用 https://www.samltool.com/decrypt.php 自己完成时,我发现它没有问题。
我从 ADFS 元数据中选择了错误的证书 xml。需要选择签名,不是加密证书。
通过使用 https://www.samltool.com/validate_response.php 进行调试找到了这个。