ADFS SAML Identity provider redirects to service provider with status "Responder"

I'm using omniauth-saml to authenticate users in a Ruby on Rails application.

Authentication had been working fine until we began trying to work with a company that uses ADFS (Windows Active Directory).

Our application is able to route to the ADFS login screen, the login takes place, and when ADFS redirects back to our application we see the error message:

The status code of the Response was not Success, was Responder

Debugging, we can see that it is omniauth-saml that generates this message.

Digging into the payload sent to our application, the "SAMLResponse" attribute contains an xml document which includes the following section:

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status>

We think this is related to the error message provided by omniauth-saml.

ADFS is clearly hard to debug, but we believe the following error message is what is causing this problem:

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
https://our-domain/users/auth/saml/metadata?attr1=123&attr2=432 

Exception details: 
Microsoft.IdentityModel.SecurityTokenService.InvalidScopeException: MSIS3055: The requested relying party trust 'https://our-domain/users/auth/saml/metadata' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS" Guid="{2ffb687a-1571-4ace-8550-47ab5ccae2bc}" />
    <EventID>364</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2019-10-15T23:15:19.254339300Z" />
    <EventRecordID>1512764</EventRecordID>
    <Correlation ActivityID="{19de3423-ee29-40a8-890d-0080000000bf}" />
    <Execution ProcessID="752" ThreadID="4076" />
    <Channel>AD FS/Admin</Channel>
    <Computer>serve-name.domain</Computer>
    <Security UserID="S-1-5-21-1708537768-1844237615-682003330-107716" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Saml</Data>
        <Data>https://our-domain/users/auth/saml/metadata?attr1=123&amp;attr2=432</Data>
        <Data>Microsoft.IdentityModel.SecurityTokenService.InvalidScopeException: MSIS3055: The requested relying party trust 'https://our-domain/users/auth/saml/metadata' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---&gt; Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List`1 additionalClaims)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String&amp; newSamlSession, String&amp; samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String&amp; samlpSessionState, String&amp; samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://our-domain/users/auth/saml/metadata' could not be located.

</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

My understanding of ADFS is limited, so I'm not sure whether these errors are caused by an ADFS misconfiguration or by something specific we need to add to our application to make it work with ADFS...

Any help would be much appreciated!

There is no RP in ADFS with the identifier "https://our-domain/users/auth/saml/metadata".

How did you configure the ADFS RP? Did you use the metadata?

When you look via the ADFS wizard, the RP should have the above identifier in the "Identifier" tab.

It turns out the answer was to provide ADFS with an alternative url from which to retrieve the SAML metadata file from our system.

It seems ADFS can't handle a query string being put into its "relying party trust" "Federation metadata file location" (this ADFS jargon makes me uncomfortable...)

Anyway, once the url could be used without a query string everything worked. We moved the parameters to be part of the url instead of

https://our-domain/users/auth/saml/metadata?attr1=123&attr2=432

We monkey patched omniauth-saml and used a new url so we could provide the same functionality as the alternative url:

https://our-domain/users/auth/saml/:attr1/:attr2/metadata
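As an added illustration of the two points in this thread (editor's example in Ruby, not code from the question, the answers or omniauth-saml): the first helper walks the samlp:Status block so a "Responder" result is reported for what it is, an IdP-side failure whose cause lives in the ADFS event log; the second flags an entity ID that carries its parameters in a query string, shows the stripped key the MSIS3020 event says ADFS looked up, and builds the path-parameter form the answer switched to. The sample response is constructed, and `saml_status` / `check_entity_id` are hypothetical names.

```ruby
require "rexml/document"
require "uri"

SAMLP = { "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of the Status block omniauth-saml rejected above
# (not a real ADFS response): top-level code Responder, no sub-code.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0">
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    </samlp:Status>
  </samlp:Response>
XML

# Walk the samlp:StatusCode chain (SAML allows nested sub-codes) and
# report the top-level code, any sub-codes and the optional StatusMessage.
# A top-level Responder means the IdP failed on its side, so the next
# stop is the IdP's own log (here the AD FS/Admin event), not the SP.
def saml_status(response_xml)
  doc = REXML::Document.new(response_xml)
  status = REXML::XPath.first(doc, "//samlp:Status", SAMLP)
  raise ArgumentError, "no samlp:Status element" unless status
  codes = []
  node = REXML::XPath.first(status, "samlp:StatusCode", SAMLP)
  while node
    codes << node.attributes["Value"]
    node = REXML::XPath.first(node, "samlp:StatusCode", SAMLP)
  end
  msg = REXML::XPath.first(status, "samlp:StatusMessage", SAMLP)
  { success: codes.first == SUCCESS, codes: codes, message: msg && msg.text }
end

# The ADFS event shows the trust lookup used the issuer with its query
# string dropped. Flag an entity ID / metadata URL that relies on a query
# string, return the key ADFS would actually look up, and build the
# path-parameter form used in the answer (hypothetical helper).
def check_entity_id(entity_id)
  uri = URI.parse(entity_id)
  lookup_key = "#{uri.scheme}://#{uri.host}#{uri.path}"
  return { ok: true, lookup_key: lookup_key } if uri.query.to_s.empty?
  values = URI.decode_www_form(uri.query).map { |_, v| v }
  base = uri.path.sub(%r{/metadata\z}, "")
  { ok: false, lookup_key: lookup_key,
    suggested: "#{uri.scheme}://#{uri.host}#{base}/#{values.join('/')}/metadata" }
end
```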