ADFS login gives error Microsoft.IdentityServer.Web.UnsupportedSamlRequestException
I am trying to connect gitlab to ADFS for single sign-on (SSO). In the gitlab configuration I have defined these values:
assertion_consumer_service_url: 'https://myhost/users/auth/saml/callback',
idp_cert_fingerprint: '',
idp_sso_target_url: 'https://myadfshost/adfs/ls',
issuer: 'https://myhost',
I added a relying party trust in ADFS and added a user to AD for authentication.
When I go to https://mygitlabhost, I get the ADFS page with the login options. After entering the username and password, I am redirected back to the gitlab login page with this error:
Could not authenticate you from SAML because "The status code of the response was not success, was responder".
When I check the ADFS event log, I see this error:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
https://mygitlabhost
Exception details:
Microsoft.IdentityServer.Web.UnsupportedSamlRequestException: MSIS7076: The configured passive endpoint 'https://win-i52r11kn5sa.rohit.local/adfs/ls/' is not a prefix of the incoming SAML message Destination URI 'https://myadfshost/adfs/ls'.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateIncomingSamlMessage(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Could this be because of a misconfigured SSL certificate? If not, what could be the problem?
This could be because of the metadata or the configuration.
Did you send the ADFS metadata URL to the SAML side?
The SAML side is configured to send to https://myadfshost/adfs/ls.
The configured ADFS endpoint is https://win-i52r11kn5sa.rohit.local/adfs/ls/.
So the SAML side should send to https://win-i52r11kn5sa.rohit.local/adfs/ls.
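An added example, not part of the question or the answer above: the MSIS7076 event says ADFS rejects an AuthnRequest whose Destination does not start with its configured passive endpoint, and the answer's fix is to point idp_sso_target_url at the real ADFS host. Rather than retyping that URL by hand, the script below reads the SingleSignOnService Location and the token-signing certificate out of the ADFS federation metadata, builds the omniauth-saml settings GitLab expects from them (the page leaves idp_cert_fingerprint empty; pinning the IdP signing cert is what lets GitLab verify the SAML response signature), and runs the same prefix check ADFS applies so the mismatch is caught before the first login. The metadata document and the signing certificate are constructed inline for the example; the exact string comparison ADFS performs is not documented on this page, so the trailing-slash and case handling in destination_accepted? are assumptions.

```ruby
# Added example (not from the original question or answer): derive GitLab's
# omniauth-saml settings from ADFS federation metadata and reproduce the
# MSIS7076 "passive endpoint is a prefix of Destination" check.
require 'rexml/document'
require 'openssl'
require 'uri'

MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'
REDIRECT_BINDING = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Throwaway self-signed cert standing in for the ADFS token-signing cert
# (constructed for the example so the metadata carries a real X509Certificate).
def constructed_signing_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=ADFS Signing - win-i52r11kn5sa.rohit.local')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

SIGNING_CERT = constructed_signing_cert

# Constructed FederationMetadata.xml fragment. The SSO Location is the passive
# endpoint quoted in the MSIS7076 event on this page.
SAMPLE_METADATA = <<~XML
  <EntityDescriptor xmlns="#{MD_NS}" entityID="http://win-i52r11kn5sa.rohit.local/adfs/services/trust">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <KeyInfo xmlns="#{DS_NS}"><X509Data><X509Certificate>#{[SIGNING_CERT.to_der].pack('m0')}</X509Certificate></X509Data></KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService Binding="#{REDIRECT_BINDING}" Location="https://win-i52r11kn5sa.rohit.local/adfs/ls/"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://win-i52r11kn5sa.rohit.local/adfs/ls/"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
XML

# Pull the redirect-binding SSO URL and the signing cert's SHA-1 fingerprint
# (colon-separated hex, the format omniauth-saml compares by default).
def idp_settings_from_metadata(xml)
  doc = REXML::Document.new(xml)
  ns = { 'md' => MD_NS, 'ds' => DS_NS }
  sso = REXML::XPath.first(doc, "//md:SingleSignOnService[@Binding='#{REDIRECT_BINDING}']", ns)
  b64 = REXML::XPath.first(doc, "//md:KeyDescriptor[@use='signing']//ds:X509Certificate", ns).text.strip
  cert = OpenSSL::X509::Certificate.new(b64.unpack1('m0'))
  fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':').upcase
  { idp_sso_target_url: sso.attributes['Location'], idp_cert_fingerprint: fingerprint }
end

# The MSIS7076 rule: the configured passive endpoint must be a prefix of the
# AuthnRequest Destination. Assumption: scheme/host compare case-insensitively
# and a trailing slash is ignored, which is what lets the answer's
# https://.../adfs/ls work against the configured .../adfs/ls/.
def destination_accepted?(passive_endpoint, destination)
  ep = URI.parse(passive_endpoint)
  dst = URI.parse(destination)
  return false unless ep.scheme.casecmp?(dst.scheme) && ep.host.casecmp?(dst.host) && ep.port == dst.port
  dst.path.chomp('/').start_with?(ep.path.chomp('/'))
end

# The omniauth-saml args hash from gitlab.rb, with the IdP side taken from
# metadata instead of being typed by hand. gitlab_base_url is assumed to be
# the external URL of the GitLab host.
def gitlab_saml_args(metadata_xml, gitlab_base_url)
  idp = idp_settings_from_metadata(metadata_xml)
  {
    assertion_consumer_service_url: "#{gitlab_base_url}/users/auth/saml/callback",
    idp_cert_fingerprint: idp[:idp_cert_fingerprint],
    idp_sso_target_url: idp[:idp_sso_target_url],
    issuer: gitlab_base_url
  }
end

if __FILE__ == $PROGRAM_NAME
  args = gitlab_saml_args(SAMPLE_METADATA, 'https://myhost')
  puts "derived args: #{args.inspect}"
  %w[https://myadfshost/adfs/ls https://win-i52r11kn5sa.rohit.local/adfs/ls].each do |dest|
    ok = destination_accepted?(args[:idp_sso_target_url], dest)
    puts "#{dest} -> #{ok ? 'accepted' : 'MSIS7076: not a prefix of the passive endpoint'}"
  end
end
```

Running it prints the derived args and then shows the page's value https://myadfshost/adfs/ls being rejected while the ADFS host's /adfs/ls is accepted. In a real deployment replace SAMPLE_METADATA with the body of https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml, and re-run whenever the ADFS token-signing certificate rolls over, since the pinned fingerprint changes with it.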