连接 Shibboleth 作为 IdP 和 API Publisher 作为 SP

Connecting Shibboleth as an IdP and API Publisher as an SP

计划

我们将 shibboleth 配置为 IdP,以便我们可以进行 SSO。我们已经为我们所做的许多其他事情配置了 shibboleth,例如电子邮件和帐户信息,但是当尝试将我们的 API 发布者添加到组合中时,我们似乎遇到了错误。我们认为这是一个 wso2 配置错误。我们一直在使用此 wso2 文档作为模板:如何将 Shibboleth IdP 配置为可信身份提供者

情况

到目前为止,我们能够进入登录屏幕并输入我们的凭据,但是当它尝试重定向我们时,我们收到错误 401:需要授权。

SAML 代码

<!-- SAML 2.0 Response issued by the Shibboleth IdP (issuer "IdsDev") to the API Publisher SP.
     Both the Response and the enclosed Assertion carry an enveloped XML signature; the ID,
     digest, signature and certificate values are sample data, and the base64 blobs are
     line-wrapped (XML-DSig base64 decoding ignores that whitespace). -->
<!-- NOTE(review): Destination is a bare host name rather than the SP's full AssertionConsumerService
     URL. An SP that checks Destination compares it to its own ACS endpoint; confirm what this SP
     expects to see here. -->
<saml2p:Response 
Destination="localhost" 
ID="mbnfmmagbmefckldpefbmjopkadjahbkocadhmib" 
InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf" 
IssueInstant="2016-12-05T16:20:37.939Z" 
Version="2.0" 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<!-- The element text "IdsDev" runs to the next line, so as parsed it carries a trailing newline;
     whether the SP trims it before comparing to its configured IdP entity ID is consumer-specific. -->
<saml2:Issuer 
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IdsDev
</saml2:Issuer>
<!-- Signature over the whole Response (Reference URI points at the Response ID above). -->
<ds:Signature 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod 
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <!-- rsa-sha1 here and sha1 in DigestMethod below: SHA-1 based algorithms are deprecated for
             XML signatures; prefer rsa-sha256 / sha256 when the IdP and SP both support them. -->
        <ds:SignatureMethod 
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference 
            URI="#mbnfmmagbmefckldpefbmjopkadjahbkocadhmib">
            <ds:Transforms>
                <ds:Transform 
                    Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <!-- Keeps the "xs" prefix (used by xsi:type in the attribute values) inside the
                         canonicalized, signed content. -->
                    <ec:InclusiveNamespaces 
                        PrefixList="xs" 
                        xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod 
                Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>9xbWKA7A+
                7k7Vaz6O18z8Xliqbo=
            </ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>kX11Q4eCUyME+VP5M7+5iI6D45kqQgE6MIqth7hNosSmfdSD3kZS0dwlcNwVlrzA64LMUZxclU256xP6w6nn0TqEqLjKy/tGXeQbKjaYrPcXx6336kIp8YGajqDiBh7IJswFDxugLoRx70APaKGthJi5VwRea1oT3lE4RHJoMgiN7o5FO1N+8IE34zEJLmTIpt+lYdXQPJanN29GY9YfIouFe2TGfHfXd9PT2nt7Dmf+M69DM3giEyizbzljYHdkjJrTlqoYTlHBHNPq8NF/+1wwuL76SP0Bory4k/7JvelW6RSAz82pdjDc0ublBmuceTENza2GiC2sitVQPycl/
        g==
    </ds:SignatureValue>
    <!-- KeyInfo carries the signing certificate inline. The SP should verify the signature against
         the IdP certificate it already trusts (from IdP metadata / its own configuration), not
         against whatever certificate a received message happens to embed. -->
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>MIIFejCCBGKgAwIBAgIQCKTAgWTgw/Ea7HQ+L665tTANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MjYwMDAwMDBaFw0xOTEwMDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVJZGFobzEQMA4GA1UEBxMHUmV4YnVyZzEnMCUGA1UEChMeQnJpZ2hhbSBZb3VuZyBVbml2ZXJzaXR5LUlkYWhvMRgwFgYDVQQDEw9pZHNkZXYuYnl1aS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeLpdcJnXbGKRYujiUIoCOFrjR3PZ2E+BmzGNNTSTbnxjRPCJpjoI/5OWXPV/59I4s+b/lMaVuth5G8FD/yGDE/cyOKHM79G8UR399aqflqVWCfBc5Kqf7oKByBiost5JQyLGUTlXOvOKvLNTSHEC1gZUYP6Sn9m7/HOtcaMji32N0Pr22NYk92LSbUZqwVUM5e71q7Yze4OTiAv/Sd3Us1M4YgD+qJpy15Rph5Uo7jq1J9YE38dVmznJKD5xKt6G5Bn/b7pWipnhfG9gNJhjkpP/IVOfkpsDIm4QDXOArjzV/qLck8GF6zr8+PiUM4k/peottkvq6UV0AKPiv/DPJAgMBAAGjggIMMIICCDAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVkYqISuFlyOzAdBgNVHQ4EFgQUgpnRRipdTainSlDqezFYUGdyKWgwPgYDVR0RBDcwNYIPaWRzZGV2LmJ5dWkuZWR1ghBJZHNEZXYxLmJ5dWkuZWR1ghBJZHNEZXYyLmJ5dWkuZWR1MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBADAayQq4l5DqWmgste9KgnqWOkOkjWw7bxu7WOh++oPyaNlyzieaz2ZJXrf4bHHeF5pCA9FUzhpdwGg+iWzt5Wd8L3G50mEUBJKjKgAzkOr9ywoGlPio/GaqqNrMmKhmLQDz6hcIoCk3SXAR5GDzRCjn5PZvboL9l+uTCE0h6Sg8qCRjgIYvOHbN8FhMla2opx2B7mnX5jAnfzfnJgGQZERLDSy8dvYhtXBaxaCzDqfYwZFQjec+IRjHHHLQpAPKzB5ARNe5IYlSMfkbi71kNpaFQ1WAJtAO+9pld5zgA/
                OvSamgXd5RBJbXq376LX3r9jcYGpQwJT3hqMl9Qa1B0pY=
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
    <saml2p:StatusCode 
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<!-- The Assertion is signed separately from the Response (its own ds:Signature below, referencing
     the Assertion ID). -->
<saml2:Assertion 
    ID="gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm" 
    IssueInstant="2016-12-05T16:20:37.939Z" 
    Version="2.0" 
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer 
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IdsDev
    </saml2:Issuer>
    <ds:Signature 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod 
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <!-- Same SHA-1 based signature and digest algorithms as the Response signature above. -->
            <ds:SignatureMethod 
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference 
                URI="#gihomiibdbpcojhdmjofkecelaibhdcdonghhkpm">
                <ds:Transforms>
                    <ds:Transform 
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform 
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces 
                            PrefixList="xs" 
                            xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod 
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Z7DIvjwTk4JpF0TRMNzo3Z/
                    4sfc=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>h1Stjkbw306VU7TN5OEou2XII3nzvhr34GVbced5Gk7q+EZailZusYISkC11eJjk4Y+CejMa4RODelwnMAdpfeWmMYz6ukk0jh9RH97/uWPOWKfOp4n/oXVnYE3rdImGcb1egas/zprqM7Pl8mbwI7vK3ScMUagBg6Td1sxHfRgVBk6r8C+40sgTAG8LsOd+q8LKNYj5mSeZ5K34SBdkmMWNpAS9mOT9CSJfWOrd9uAvFXHeuWN31MbIgVV5seEMfUzC18I/4s3qXwWqIvQxIsF8l9WuIuMYsFPT+oQJBU/ltQVf54w29k50tvN+LyvmNbZCZANf+
            3JXwygyImc2Yg==
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>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
                    OvSamgXd5RBJbXq376LX3r9jcYGpQwJT3hqMl9Qa1B0pY=
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
        <!-- NameID text "username" also runs to the next line (trailing newline in the parsed value).
             The page's closing note reports that the SP wanted this in domain/username form. -->
        <saml2:NameID 
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">username
        </saml2:NameID>
        <!-- Bearer confirmation: InResponseTo echoes the Response's InResponseTo, which the SP should
             match against the AuthnRequest ID it issued; NotOnOrAfter is five minutes after
             IssueInstant, and Recipient is again a bare host name (see the Destination note). -->
        <saml2:SubjectConfirmation 
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData 
                InResponseTo="lihfmcpiofkdkhphfbahlndllmmemhldckammgaf" 
                NotOnOrAfter="2016-12-05T16:25:37.939Z" 
                Recipient="localhost"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <!-- Five-minute validity window; validators normally allow some clock skew between IdP and SP.
         Audience must equal the SP entity ID configured on the SP side (here API_PUBLISHER). -->
    <saml2:Conditions 
        NotBefore="2016-12-05T16:20:37.939Z" 
        NotOnOrAfter="2016-12-05T16:25:37.939Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>API_PUBLISHER</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <!-- Password-based authentication context, as declared by the AuthnContextClassRef URN. -->
    <saml2:AuthnStatement 
        AuthnInstant="2016-12-05T16:20:37.941Z" 
        SessionIndex="cbc00514-954b-4de2-8e7b-b50edf9c5976">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <!-- Single attribute released: the WSO2 fullname claim, typed as xs:string via xsi:type
         (which is why the "xs" prefix is listed in InclusiveNamespaces above). -->
    <saml2:AttributeStatement>
        <saml2:Attribute 
            Name="http://wso2.org/claims/fullname" 
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue 
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                xsi:type="xs:string">username
            </saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

IdP 配置

Shibboleth IDS configuration

Shibboleth IDS configuration

我们解决了问题!所以我们无法让 shibboleth 2 在 SAML 代码的 subject/nameID 中发送正确的信息,但是当我们尝试 shibboleth 3 时,nameID 的自定义更容易使用。无论如何,wso2 无法仅使用 subject/nameID 中的用户名授权访问,它还需要域,并像这样格式化:domain/username。这样我们就可以使用 SSO 了。