How to set up simplesamlphp to use ADFS 2 as IdP

Posted on 2024-12-09 14:18:36

I'm trying to get simplesamlphp 1.8 to use ADFS 2 as IdP.

Now I'm seriously stuck: I get a browser NTLM authentication dialog, which does not accept any login (after selecting "Test authentication sources" -> "default-sp").

In config/config.php

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'idp' => 'http://fs.example.org/adfs/services/trust',
),

In metadata/saml20-idp-remote.php (Converted from https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml with /admin/metadata-converter.php)

$metadata['http://fs.example.com/adfs/services/trust'] = array (
  'entityid' => 'http://fs.example.com/adfs/services/trust',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIC3DCCA....',
    ),
    1 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIC1j....',
    ),
  ),
);

In the ADFS claim rules I have "Permit Access to All Users" and the transform rule "E-Mail-Address -> Name ID".

Any ideas how to proceed?


Comments (1)

春夜浅 2024-12-16 14:18:36

The actual problem was that while setting up DNS records I created a CNAME from fs.example.com to dc.exampledomain.com. After replacing the CNAME record with an A record, authentication went through.

This did not solve the whole question but answered the getting stuck part :)

I also needed to set SHA-1 as secure hash algorithm in relying party properties instead of SHA-256.
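
An added diagnostic, not part of the original post or of simplesamlphp: it reports which hash family a captured SAML message names, so it can be compared with the relying party's secure hash algorithm setting mentioned in the answer. The function names, the sample message and the sample redirect URL are constructed for illustration, and the script only inspects algorithm identifiers; it does not verify any signature.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

DS = "{http://www.w3.org/2000/09/xmldsig#}"
HASH_BY_URI = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
}

def hashes_in_post_message(b64_message):
    """Hash families named by ds:SignatureMethod / ds:DigestMethod in a
    base64 POST-binding message. Inspection only: no signature is verified."""
    root = ET.fromstring(base64.b64decode(b64_message))
    found = set()
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            found.add(HASH_BY_URI.get(el.get("Algorithm"), "unknown"))
    return found

def hash_in_redirect_url(url):
    """Hash family named by SigAlg on an HTTP-Redirect URL; None if unsigned."""
    sig_alg = parse_qs(urlsplit(url).query).get("SigAlg")
    return HASH_BY_URI.get(sig_alg[0], "unknown") if sig_alg else None

def mismatches(expected, found):
    """Hash families seen on the wire that differ from the configured one."""
    return sorted(set(found) - {expected})

# Constructed sample: a skeleton Response whose signature uses SHA-256.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '<ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>'
)
SAMPLE_POST = base64.b64encode(SAMPLE_XML.encode()).decode()
# Constructed sample: a redirect to the SSO endpoint from the question, signed with RSA-SHA1.
SAMPLE_REDIRECT = "https://fs.example.com/adfs/ls/?" + urlencode({
    "SAMLRequest": "constructed-placeholder",
    "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
})

if __name__ == "__main__":
    print("POST message uses:", hashes_in_post_message(SAMPLE_POST))
    print("Redirect SigAlg:", hash_in_redirect_url(SAMPLE_REDIRECT))
    print("Differs from SHA-1:", mismatches("SHA-1", hashes_in_post_message(SAMPLE_POST)))
```
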
