How does a SAML Service Provider match an IdP's metadata information?

I am implementing a Service Provider on a Django application using TestShib and the Python Social Auth SAML backend.

I have been able to configure my application and build the metadata file.

TestShib allows uploading my metadata file here.

I have configured TestShib's metadata correctly and built a test button that points to the TestShib endpoint.

When I click the button I am redirected to TestShib, I then provide the test credentials, and then I receive an error message because the metadata does not match the redirect.

How does TestShib, or any other IdP for that matter, manage to find the correct metadata (among multiple SPs) after an incoming authentication request? Does the EntityID have to match the Service Provider's URL?

Edit: (added more information)

SP metadata (previously uploaded to TestShib):

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="P10D" entityID="https://www.example.com">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDBDC .. QltX1icsr0=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="encryption">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDBDC .. QltX1icsr0=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://staging.example.com/complete/xx-saml/" index="1" />
    </md:SPSSODescriptor>
    <md:Organization>
        <md:OrganizationName xml:lang="en-US">example</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en-US">Example</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en-US">https://www.example.com</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
        <md:GivenName>John Doe</md:GivenName>
        <md:EmailAddress>johndoe@example.com</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="support">
        <md:GivenName>John Doe</md:GivenName>
        <md:EmailAddress>johndoe@example.com</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>

Request:

https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVNN ...

<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://staging.example.com/complete/saml/"
    Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
    ID="ONELOGIN_973a7f348c282cc6dedd4410f900efcf9538dcda" IssueInstant="2016-08-22T14:12:11Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="Example"
    Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://www.example.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Error:

    10:10:39.009 - WARN [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying party 'https://www.example.com' requested the response to be returned to endpoint with ACS URL 'https://staging.example.com/complete/saml/'  and binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with that URL and using a supported binding,  can be found in the relying party's metadata 
    10:10:39.009 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:447]
    - No return endpoint available for relying party https://www.example.com

https://staging.example.com/complete/saml/ is available, so the problem seems to be that TestShib is not finding the metadata information. The Entity ID and the Issuer seem to match..

The Assertion Consumer Service URL in the AuthN Request (https://staging.example.com/complete/saml/) doesn't match the one in the metadata (https://staging.example.com/complete/xx-saml/), which is consistent with the error thrown by the IdP.

The quickest fix is to edit the metadata and correct the AssertionConsumerService element so that it reflects the actual ACS to be used.
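To make the matching process concrete, here is an added example (not code from the question, the answer, TestShib or Python Social Auth) that mimics the two checks visible in the Shibboleth log above: the IdP first looks the relying party up by the literal string in &lt;saml:Issuer&gt; against the entityID of the metadata it holds, and only then checks that the ACS URL and binding named in the AuthnRequest exist in that SP's metadata. The SP metadata and AuthnRequest builder are constructed copies trimmed from the question; the registry layout, function names and the handling of a request without an ACS URL (fall back to the isDefault or lowest-index endpoint) are assumptions about how a selector would behave, not a reproduction of the Shibboleth code.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a trimmed copy of the SP metadata from the question.
# Keys and contacts are omitted because they play no part in endpoint selection.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://staging.example.com/complete/xx-saml/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def make_authn_request(acs_url, issuer="https://www.example.com", binding=HTTP_POST):
    """Constructed AuthnRequest in the shape of the one in the question (unsigned).
    acs_url=None omits the AssertionConsumerServiceURL attribute entirely."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"{acs_attr}
    ProtocolBinding="{binding}"
    Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
    ID="_example" IssueInstant="2016-08-22T14:12:11Z" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
</samlp:AuthnRequest>"""


def load_relying_parties(*metadata_docs):
    """Build the IdP-side registry: entityID -> list of ACS endpoints taken from
    each SP's uploaded metadata (assumed layout for this example)."""
    registry = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        endpoints = []
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            endpoints.append({
                "binding": acs.get("Binding"),
                "location": acs.get("Location"),
                "index": int(acs.get("index", "0")),
                "default": acs.get("isDefault", "false").lower() == "true",
            })
        registry[root.get("entityID")] = endpoints
    return registry


def select_response_endpoint(registry, authn_request_xml):
    """Pick where the IdP may POST its Response, or raise LookupError.

    1. The relying party is identified by plain string comparison of
       <saml:Issuer> with the registered entityID; nothing is resolved as a URL.
    2. If the request names an ACS URL (and optionally a binding), that pair
       must appear in the SP's metadata. Without one, the SP's default endpoint
       is used. (AssertionConsumerServiceIndex is not handled here.)
    """
    req = ET.fromstring(authn_request_xml)
    issuer = (req.findtext("saml:Issuer", namespaces=NS) or "").strip()
    endpoints = registry.get(issuer)
    if not endpoints:
        raise LookupError(f"no metadata registered for relying party '{issuer}'")

    wanted_url = req.get("AssertionConsumerServiceURL")
    wanted_binding = req.get("ProtocolBinding")
    if wanted_url is None:
        default = next((e for e in endpoints if e["default"]), None)
        chosen = default or min(endpoints, key=lambda e: e["index"])
        return chosen["binding"], chosen["location"]

    for ep in endpoints:
        if ep["location"] == wanted_url and wanted_binding in (None, ep["binding"]):
            return ep["binding"], ep["location"]
    raise LookupError(
        f"relying party '{issuer}' requested ACS '{wanted_url}' with binding "
        f"'{wanted_binding}', but no such endpoint exists in its metadata"
    )


def try_select(registry, authn_request_xml):
    """Convenience wrapper: the chosen (binding, location), or None if rejected."""
    try:
        return select_response_endpoint(registry, authn_request_xml)
    except LookupError:
        return None


if __name__ == "__main__":
    reg = load_relying_parties(SP_METADATA)
    for acs in ("https://staging.example.com/complete/saml/",
                "https://staging.example.com/complete/xx-saml/"):
        try:
            print(acs, "->", select_response_endpoint(reg, make_authn_request(acs)))
        except LookupError as err:
            print(acs, "-> rejected:", err)
```

Run against the question's own values, the request for /complete/saml/ is rejected at step 2 while the Issuer lookup in step 1 succeeds, which is exactly what the WARN line says ("Relying party 'https://www.example.com' requested ... however no endpoint ... can be found in the relying party's metadata"). Two practical consequences: the entityID only has to be a stable, unique string that both sides agree on, not a reachable URL of the SP; and because this SP's metadata declares AuthnRequestsSigned="false", the ACS-against-metadata check is the only thing stopping anyone who can craft a request from asking the IdP to post assertions to a URL of their choosing, so an IdP that merely "fixed" the error by trusting the requested ACS would be broken.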