Shibboleth SP 将错误的用户身份传递给应用程序
我有一个使用 Shibboleth SP(最新版本 - 2.4.2)进行 Shibbolized 的 Rails 应用程序。我将它与 Apache 2.2 一起使用。我的 IdP 是 MS AD FS 2.0 服务器。
一切似乎都运行良好 - 用户访问该站点,被重定向到 AD FS,获得身份验证,然后返回并登录到该站点。
问题是,一旦完成此操作,几乎不可能及时以其他用户身份登录。您可以清除所有 cookie(我在 Mac 上使用 Safari 和 Chrome 尝试此操作)并重新启动浏览器,但如果我首先以 Alice 身份进行身份验证,然后尝试以 Carol 身份登录,我仍然会登录到该应用程序作为爱丽丝。
清除 cookie 后 shibd 收到的 SAML 响应中包含正确的身份:
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>Carol</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>[email protected]</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>[email protected]</AttributeValue>
</Attribute>
</AttributeStatement>
但是当 Shibboleth SP 将环境变量传递给我的应用程序时,它会发送错误的凭据:
[DEBUG 05/19 16:30:09] ENV: Shib-Session-ID => _615014991ed1b7dcc43f647ceb1f4944
[DEBUG 05/19 16:30:09] ENV: Shib-Identity-Provider => http://REDACTED/adfs/services/trust
[DEBUG 05/19 16:30:09] ENV: Shib-Authentication-Instant => 2011-05-19T21:17:23.861Z
[DEBUG 05/19 16:30:09] ENV: Shib-Authentication-Method => urn:federation:authentication:windows
[DEBUG 05/19 16:30:09] ENV: Shib-AuthnContext-Class => urn:federation:authentication:windows
[DEBUG 05/19 16:30:09] ENV: Shib-Session-Index => _cadfb4e6-ffb2-45f9-aab5-6bce8c3bc17a
[DEBUG 05/19 16:30:09] ENV: cn => alice
[DEBUG 05/19 16:30:09] ENV: email => [email protected]
[DEBUG 05/19 16:30:09] ENV: principal => [email protected]
尽管已经删除了所有 cookie,但 Shib-Session-ID 将是相同的。不知何故,它似乎关联了两个交互并重新建立现有会话,而不是使用 SAML 响应中的帐户信息创建新会话。
我已将所有能找到的缓存超时值设置为 60 秒,但在浏览器关闭的情况下等待 2-3 分钟不足以让它创建新会话。
<StorageService type="Memory" id="mem" cleanupInterval="60"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="60"
inprocTimeout="60" cleanupInterval="60" />
...
<Sessions lifetime="60" timeout="60" checkAddress="false" relayState="ss:mem"
handlerSSL="false">
重新启动 apache 和 shibd 可以工作,就像关闭浏览器并让它静置很长时间(10-15 分钟?)一样,我没有确切地了解它需要多长时间。
我缺少什么?我还应该寻求哪些其他途径?
I have a Rails app that I've Shibbolized using Shibboleth SP (latest version - 2.4.2). I'm using it with Apache 2.2. My IdP is an MS AD FS 2.0 server.
Everything seems to work well - users hit the site, are redirected to AD FS, get authenticated and then come back and are logged into the site.
The problem is that once you've done that, it's almost impossible to log in as a different user in a timely fashion. You can clear all your cookies (I'm trying this with Safari and Chrome on Mac) and restart the browser, but if I'm first authenticated as Alice and then try to log in as Carol I'll still get logged into the application as Alice.
The SAML response received by shibd after clearing cookies has the correct identity in it:
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>Carol</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>[email protected]</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>[email protected]</AttributeValue>
</Attribute>
</AttributeStatement>
But when Shibboleth SP passes environment variables to my app, it instead sends the wrong credentials:
[DEBUG 05/19 16:30:09] ENV: Shib-Session-ID => _615014991ed1b7dcc43f647ceb1f4944
[DEBUG 05/19 16:30:09] ENV: Shib-Identity-Provider => http://REDACTED/adfs/services/trust
[DEBUG 05/19 16:30:09] ENV: Shib-Authentication-Instant => 2011-05-19T21:17:23.861Z
[DEBUG 05/19 16:30:09] ENV: Shib-Authentication-Method => urn:federation:authentication:windows
[DEBUG 05/19 16:30:09] ENV: Shib-AuthnContext-Class => urn:federation:authentication:windows
[DEBUG 05/19 16:30:09] ENV: Shib-Session-Index => _cadfb4e6-ffb2-45f9-aab5-6bce8c3bc17a
[DEBUG 05/19 16:30:09] ENV: cn => alice
[DEBUG 05/19 16:30:09] ENV: email => [email protected]
[DEBUG 05/19 16:30:09] ENV: principal => [email protected]
Despite having nuked all cookies, the Shib-Session-ID will be the same. Somehow it seems to be associating the two interactions and re-establishing the existing session rather than making a new session with the account info from the SAML response.
I've set all the cache timeout values I can find to 60 seconds, but waiting 2-3 minutes with browser closed isn't enough to get it to make a new session.
<StorageService type="Memory" id="mem" cleanupInterval="60"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="60"
inprocTimeout="60" cleanupInterval="60" />
...
<Sessions lifetime="60" timeout="60" checkAddress="false" relayState="ss:mem"
handlerSSL="false">
Restarting apache and shibd works, as does closing the browser and letting it sit for a long time (10-15 minutes?) I don't have a solid read on exactly how long it takes.
What am I missing? What other avenues should I pursue?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
关键是我们的应用程序是一个 Rails 应用程序,使用 Passenger 部署。看起来 Passenger 在第一次调用后没有更新环境变量,因此您最终可能会得到旧数据。
切换到通过标头传递用户信息(ShibUseHeaders 打开)解决了这个问题。
The key is that our app is a Rails app, deployed using Passenger. It looks like Passenger wasn't updating environment variables after the first call, so you could end up with old data.
Switching to passing user information via headers (ShibUseHeaders on) solved the problem.