Remove Federation Errors in SAML 2.0 and ADFS 3.0

I am setting up ADFS 3.0 and SAML 2.0 with Shibboleth as the Service Provider (SP). I have successfully imported the certificate into ADFS. The ADFS Claims Provider (or ADFS IdP) login page works, because the user is redirected to:

https://c-adfs01.contoso.com/Shibboleth.sso/SAML2/POST

After logging in:

https://c-adfs01.contoso.com/adfs/ls/idpinitiatedsignon

However, whenever I run this command:

systemctl restart shibd && systemctl restart httpd

I get the following errors:

2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 2732, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 2732, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 3923, message: no declaration found for element 'fed:ClaimTypesRequested'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 24961, message: no declaration found for element 'fed:TargetScopes'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25333, message: no declaration found for element 'fed:ApplicationServiceEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25536, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25724, message: element 'fed:ClaimTypesRequested' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 26099, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 26099, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 27277, message: no declaration found for element 'fed:TokenTypesOffered'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 27444, message: no declaration found for element 'fed:ClaimTypesOffered'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 48496, message: no declaration found for element 'fed:SecurityTokenServiceEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 49192, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 49380, message: element 'fed:TokenTypesOffered' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-09 16:54:36 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml): XML error(s) during parsing, check log for specifics
2016-11-09 16:54:36 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 600 seconds
2016-11-09 16:54:36 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics

Here is my shibboleth.xml configuration:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">


    <!-- ADFS Extension -->
    <OutOfProcess>
        <Extensions>
            <Library path="/usr/lib64/shibboleth/adfs.so" fatal="true"/>
        </Extensions>
    </OutOfProcess>
    <InProcess logger="native.log" checkSpoofing="true">
        <Extensions>
            <Library path="/usr/lib64/shibboleth/adfs-lite.so" fatal="true"/>
        </Extensions>
    </InProcess>
    <RequestMapper type="Native"
        sessionError="/var/log/shibboleth/session_error.log"
        metadataError="/var/log/shibboleth/metadata_error.log"
        accessError="/var/log/shibboleth/access_error.log"
        sslError="/var/log/shibboleth/ssl_error.log">
        <RequestMap applicationId="default">
            <Host name="c-app01">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://c-app01.contoso.com/Shibboleth.sso/Metadata.xml"
            REMOTE_USER="eppn persistent-id targeted-id">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                 checkAddress="false" handlerSSL="true" cookieProps="https">
            <!-- Putting another SSO here will make shibd fail. There should only be one SSO. -->
            <SSO>
                SAML2 SAML1 ADFS
            </SSO>
            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata.xml" signing="false"/>
            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        <!-- Example of remotely supplied batch of signed metadata. -->


        <!-- using validate="true" will give errors in Federationmetadata.xml-->
        <MetadataProvider type="XML" validate="true"
            uri="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
            reloadInterval="3600">
          <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
            attributeName="http://macedir.org/entity-category"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        <!-- Example of locally maintained metadata. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>
        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="c-app01.contoso.com.key" certificate="c-app01.contoso.com.pem"/>
    </ApplicationDefaults>


    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>


    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>


</SPConfig>

Here is my Apache configuration:

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

ShibCompatValidUser Off

<Location /Shibboleth.sso>
  SetHandler shib
  AuthType None
  Require all granted
</Location>

So, my question is... how do I configure the Service Provider to pick up ClaimTypesOffered etc. (the things named in the errors) so that the errors go away?
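For orientation, here is a constructed skeleton of the ADFS 3.0 FederationMetadata.xml that produces a log like the one above. It is an added example, not the file from the post: certificates, claim display text and most claim and endpoint entries are omitted, and the hostname and identifier are taken from this page. Every logged XMLTooling error maps to one of the two RoleDescriptor elements that ADFS types, via xsi:type, into the WS-Federation namespace http://docs.oasis-open.org/wsfed/federation/200706. Shibboleth SP ships no schema for that namespace, so with validate="true" the parser rejects the whole document, even though the SAML IDPSSODescriptor further down, the only role a Shibboleth SP doing SAML2 SSO consumes, is perfectly valid.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed skeleton of an ADFS 3.0 FederationMetadata.xml, not the file from the post.
     Certificates, claim display text and most claim/endpoint entries are omitted. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    ID="_constructed-example"
    entityID="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml">

  <!-- Enveloped signature over the whole document, made with the ADFS token-signing key.
       This is what a Shibboleth MetadataFilter type="Signature" verifies. -->
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-example">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue><!-- omitted --></ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue><!-- omitted --></ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate><!-- omitted --></ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>

  <!-- WS-Federation relying-party role. xsi:type points into a namespace the SP has no schema
       for: "grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'".
       Consequently ServiceDisplayName is "not declared" and every fed:* child below is
       "no declaration found" and "not allowed for content model". -->
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      ServiceDisplayName="contoso.com"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate><!-- omitted --></ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true"/>
    </fed:ClaimTypesRequested>
    <fed:TargetScopes>
      <wsa:EndpointReference><wsa:Address>http://c-adfs01.contoso.com/adfs/services/trust</wsa:Address></wsa:EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
      <wsa:EndpointReference><wsa:Address>https://c-adfs01.contoso.com/adfs/ls/</wsa:Address></wsa:EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference><wsa:Address>https://c-adfs01.contoso.com/adfs/ls/</wsa:Address></wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>

  <!-- WS-Federation security-token-service role: same problem, second batch of errors. -->
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      ServiceDisplayName="contoso.com"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate><!-- omitted --></ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true"/>
    </fed:ClaimTypesOffered>
    <fed:SecurityTokenServiceEndpoint>
      <wsa:EndpointReference><wsa:Address>https://c-adfs01.contoso.com/adfs/services/trust/13/usernamemixed</wsa:Address></wsa:EndpointReference>
    </fed:SecurityTokenServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference><wsa:Address>https://c-adfs01.contoso.com/adfs/ls/</wsa:Address></wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>

  <!-- Plain SAML 2.0 roles. These validate against the schemas the SP ships, and the
       IDPSSODescriptor is the only role a Shibboleth SP doing SAML2 SSO consumes. -->
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://c-adfs01.contoso.com/adfs/ls/" index="0" isDefault="true"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate><!-- omitted --></ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://c-adfs01.contoso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://c-adfs01.contoso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://c-adfs01.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
```

Reading the log against this skeleton: the first eight errors (columns 2732 to 25724) are the ApplicationServiceType role, the next seven are the SecurityTokenServiceType role, and nothing is reported about the SAML roles. The fed:* elements are never consulted by the SP, so there is nothing to "configure the SP to pick up"; the choice is only whether to schema-validate a file that contains them.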

Configure the SP

So the solution is to use validate="false" on the MetadataProvider tag inside shibboleth2.xml.

Configure the IdP

The e-mail address and phone number should be populated in ADFS.

This setting is at: AD FS Management > Service (right click) > Service Federation Properties > Organization

Running it

After the steps above, I went to the SP and was able to get redirected to the IdP login page using this link:

https://c-app01.contoso.com/Shibboleth.sso/Login?entityID=https://c-adfs01.contoso.com/FederationMetadata.xml/2007-06/FederationMetadata.xml?target=https://c-app01.contoso.com/secure

After logging in at the IdP, it successfully redirected back to the target.

Other notes:

Make sure the Federation Service identifier used by the metadata is the one set under:

AD FS Management > Service (right click) > Service Federation Properties > General

In my case it was https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
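A caveat on the accepted fix: validate="false" is the stock default for MetadataProvider and only turns off schema checking, which is harmless here because the offending fed:* elements are WS-Federation extensions the SP never reads. It does nothing about trust, though. The provider in the question has no MetadataFilter, so whatever document arrives over that TLS connection becomes the SP's definition of its IdP, including the IdP's signing key. Below is an added example of how I would write the provider for an ADFS IdP, signature-checked against the ADFS token-signing certificate; it is not the asker's or the answerer's configuration. The file names adfs-token-signing.pem (the token-signing certificate exported from the ADFS console and copied into /etc/shibboleth out of band) and adfs-metadata.xml (the local backing copy) are assumptions.

```xml
<!-- Added example, not from the post: MetadataProvider for an ADFS 3.0 IdP in shibboleth2.xml.
     validate="false" skips schema checking (the stock default); the Signature filter keeps
     trust anchored in a certificate obtained out of band rather than in the TLS connection.
     Assumed file names, relative to the SP configuration directory:
       adfs-token-signing.pem  ADFS token-signing certificate, exported from the ADFS console
       adfs-metadata.xml       local backing copy that shibd writes after each fetch -->
<MetadataProvider type="XML" validate="false"
    uri="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
    backingFilePath="adfs-metadata.xml"
    reloadInterval="3600">
    <!-- Refuse any fetched copy, and the backing copy at startup, whose ds:Signature does not
         verify against the pinned certificate. -->
    <MetadataFilter type="Signature" certificate="adfs-token-signing.pem"/>
</MetadataProvider>
```

The backing file lets shibd start when ADFS is unreachable. If ADFS rolls its token-signing certificate, the next refresh fails the filter and the SP keeps the last good copy, which is the failure mode you want; replace the PEM as part of the rollover procedure. The RequireValidUntil filter that federation aggregates normally get is not appropriate here, since ADFS metadata carries no validUntil attribute and would be rejected outright.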