2016-11-10 58 views
0

Remove federation errors with SAML 2.0 and ADFS 3.0

I am setting up ADFS 3.0 with SAML 2.0, using Shibboleth as the service provider (SP). I have successfully imported the certificate into ADFS. The ADFS claims provider (ADFS IdP) login page works, since after logging in at:

https://c-adfs01.contoso.com/adfs/ls/idpinitiatedsignon

the user is redirected to:

https://c-adfs01.contoso.com/Shibboleth.sso/SAML2/POST

However, every time I run this command:

systemctl restart shibd && systemctl restart httpd

I get the following errors:

2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 2732, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 2732, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 3923, message: no declaration found for element 'fed:ClaimTypesRequested' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 24961, message: no declaration found for element 'fed:TargetScopes' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25333, message: no declaration found for element 'fed:ApplicationServiceEndpoint' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25536, message: no declaration found for element 'fed:PassiveRequestorEndpoint' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25724, message: element 'fed:ClaimTypesRequested' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 26099, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 26099, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 27277, message: no declaration found for element 'fed:TokenTypesOffered' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 27444, message: no declaration found for element 'fed:ClaimTypesOffered' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 48496, message: no declaration found for element 'fed:SecurityTokenServiceEndpoint' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 49192, message: no declaration found for element 'fed:PassiveRequestorEndpoint' 
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 49380, message: element 'fed:TokenTypesOffered' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)' 
2016-11-09 16:54:36 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml): XML error(s) during parsing, check log for specifics 
2016-11-09 16:54:36 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 600 seconds 
2016-11-09 16:54:36 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics 

Here is my shibboleth.xml configuration:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" 
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    clockSkew="180"> 


    <!-- ADFS Extension --> 
    <OutOfProcess> 
     <Extensions> 
      <Library path="/usr/lib64/shibboleth/adfs.so" fatal="true"/> 
     </Extensions> 
    </OutOfProcess> 
    <InProcess logger="native.log" checkSpoofing="true"> 
     <Extensions> 
      <Library path="/usr/lib64/shibboleth/adfs-lite.so" fatal="true"/> 
     </Extensions> 
    </InProcess> 
    <RequestMapper type="Native" 
     sessionError="/var/log/shibboleth/session_error.log" 
     metadataError="/var/log/shibboleth/metadata_error.log" 
     accessError="/var/log/shibboleth/access_error.log" 
     sslError="/var/log/shibboleth/ssl_error.log"> 
     <RequestMap applicationId="default"> 
      <Host name="c-app01"> 
       <Path name="secure" authType="shibboleth" requireSession="true"/> 
      </Host> 
     </RequestMap> 
    </RequestMapper> 

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> 
    <ApplicationDefaults entityID="https://c-app01.contoso.com/Shibboleth.sso/Metadata.xml" 
      REMOTE_USER="eppn persistent-id targeted-id"> 
     <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" 
       checkAddress="false" handlerSSL="true" cookieProps="https"> 
      <!-- Putting another SSO here will make shibd fail. There should only be one SSO. --> 
      <SSO> 
       SAML2 SAML1 ADFS 
      </SSO> 
      <!-- SAML and local-only logout. --> 
      <Logout>SAML2 Local</Logout> 
      <!-- Extension service that generates "approximate" metadata based on SP configuration. --> 
      <Handler type="MetadataGenerator" Location="/Metadata.xml" signing="false"/> 
      <!-- Status reporting service. --> 
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> 
      <!-- Session diagnostic service. --> 
      <Handler type="Session" Location="/Session" showAttributeValues="false"/> 
      <!-- JSON feed of discovery information. --> 
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> 
     </Sessions> 
     <Errors supportContact="[email protected]" 
      helpLocation="/about.html" 
      styleSheet="/shibboleth-sp/main.css"/> 
     <!-- Example of remotely supplied batch of signed metadata. --> 


     <!-- using validate="true" will give errors in Federationmetadata.xml--> 
     <MetadataProvider type="XML" validate="true" 
      uri="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml" 
      reloadInterval="3600"> 
      <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
      attributeName="http://macedir.org/entity-category" 
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" 
      attributeValue="http://refeds.org/category/hide-from-discovery" /> 
     </MetadataProvider> 
     <!-- Example of locally maintained metadata. --> 
     <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> 
     <!-- Use a SAML query if no attributes are supplied during SSO. --> 
     <AttributeResolver type="Query" subjectMatch="true"/> 
     <!-- Default filtering policy for recognized attributes, lets other data pass. --> 
     <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> 
     <!-- Simple file-based resolver for using a single keypair. --> 
     <CredentialResolver type="File" key="c-app01.contoso.com.key" certificate="c-app01.contoso.com.pem"/> 
    </ApplicationDefaults> 


    <!-- Policies that determine how to process and authenticate runtime messages. --> 
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> 


    <!-- Low-level configuration about protocols and bindings available for use. --> 
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> 


</SPConfig> 

And here is my Apache configuration:

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so 

ShibCompatValidUser Off 

<Location /Shibboleth.sso> 
    SetHandler shib 
    AuthType None 
    Require all granted 
</Location> 

So my question is: how do I configure the service provider to get ClaimTypesOffered, etc. (as listed in the errors), so that the errors go away?

Answer

0

Configure SP

So the solution was to use validate="false" in the MetadataProvider tag in shibboleth2.xml.

Configure IDP

The e-mail address and phone number had to be filled in in ADFS. This setting is located at

AD FS Management > Service (right click) > Service Federation Properties > Organization

Execution

After the above steps, when I went to the SP and used the link:

https://c-app01.contoso.com/Shibboleth.sso/Login?entityID=https://c-adfs01.contoso.com/FederationMetadata.xml/2007-06/FederationMetadata.xml?target=https://c-app01.contoso.com/secure

I was redirected to the IDP login page. After the IDP login, it redirects successfully to the target.

Other things to note:

Make sure the Federation Service Identifier, located at

AD FS Management > Service (right click) > Service Federation Properties > General

uses the Metadata URL; in my case it is https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
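The log in the question shows the SP's XML schema validator rejecting the WS-Federation parts of the ADFS metadata (the `fed:` elements and the `ServiceDisplayName` attribute on `RoleDescriptor`, none of which exist in the SAML 2.0 metadata schema), which is why the answer's validate="false" makes the errors disappear. The following Python script is an added example, not code from the question, the answer, or the Shibboleth project. It parses a constructed metadata document with the same shape as ADFS's FederationMetadata.xml, lists the WS-Federation elements a SAML-only schema cannot validate, pulls out the SAML SingleSignOnService endpoints the SP actually needs, compares the entityID with the Federation Service identifier the last note above refers to, and builds the session-initiator Login URL with its parameters properly encoded. The metadata contents and all URLs are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespaces that appear in ADFS FederationMetadata.xml.
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_FED = "http://docs.oasis-open.org/wsfed/federation/200706"  # WS-Federation, absent from the SAML schemas
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample (not real ADFS output): WS-Federation RoleDescriptors next
# to the SAML IDPSSODescriptor, as ADFS publishes them. Bodies are left empty.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS_MD}" xmlns:fed="{NS_FED}" xmlns:xsi="{NS_XSI}"
    entityID="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" ServiceDisplayName="contoso"
      protocolSupportEnumeration="{NS_FED}">
    <fed:ClaimTypesRequested/>
    <fed:TargetScopes/>
    <fed:ApplicationServiceEndpoint/>
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" ServiceDisplayName="contoso"
      protocolSupportEnumeration="{NS_FED}">
    <fed:TokenTypesOffered/>
    <fed:ClaimTypesOffered/>
    <fed:SecurityTokenServiceEndpoint/>
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://c-adfs01.contoso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://c-adfs01.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _q(ns, local):
    """Clark-notation tag name, the form ElementTree uses for namespaced names."""
    return "{%s}%s" % (ns, local)


def inspect_federation_metadata(xml_text):
    """Summarise what a schema-validating SAML SP will and will not understand."""
    root = ET.fromstring(xml_text)
    # ADFS publishes a single EntityDescriptor; an aggregate would wrap several.
    if root.tag == _q(NS_MD, "EntitiesDescriptor"):
        root = root.find(_q(NS_MD, "EntityDescriptor"))
    if root is None or root.tag != _q(NS_MD, "EntityDescriptor"):
        raise ValueError("not SAML metadata: missing md:EntityDescriptor")

    fed_prefix = "{%s}" % NS_FED
    # Every element in the WS-Federation namespace, anywhere in the document.
    wsfed_elements = sorted({el.tag[len(fed_prefix):] for el in root.iter()
                             if el.tag.startswith(fed_prefix)})
    # Generic RoleDescriptors carry their real type in xsi:type (e.g. fed:ApplicationServiceType).
    wsfed_roles = [rd.get(_q(NS_XSI, "type"))
                   for rd in root.findall(_q(NS_MD, "RoleDescriptor"))]
    # The SAML part the SP needs: the IdP's SingleSignOnService endpoints.
    sso_path = _q(NS_MD, "IDPSSODescriptor") + "/" + _q(NS_MD, "SingleSignOnService")
    sso_endpoints = [(s.get("Binding"), s.get("Location")) for s in root.findall(sso_path)]
    return {
        "entity_id": root.get("entityID"),
        "wsfed_roles": wsfed_roles,
        "wsfed_elements": wsfed_elements,
        "sso_endpoints": sso_endpoints,
    }


def needs_schema_validation_off(report):
    """True when the metadata carries WS-Federation content the SAML schemas cannot validate."""
    return bool(report["wsfed_elements"]) or any(
        r is not None and r.startswith("fed:") for r in report["wsfed_roles"])


def entity_id_matches(report, expected_identifier):
    """Check the metadata entityID against the identifier the SP is configured to expect."""
    return report["entity_id"] == expected_identifier


def session_initiator_url(sp_base, entity_id, target):
    """Build the SP's Login session-initiator URL. urlencode() escapes ':' '/' '?' '&'
    inside the parameter values so they cannot be mistaken for URL structure."""
    return sp_base.rstrip("/") + "/Shibboleth.sso/Login?" + urlencode(
        {"entityID": entity_id, "target": target})


if __name__ == "__main__":
    report = inspect_federation_metadata(SAMPLE_METADATA)
    for key, value in report.items():
        print(key, value)
    print('validate="false" needed:', needs_schema_validation_off(report))
    print(session_initiator_url("https://c-app01.contoso.com", report["entity_id"],
                                "https://c-app01.contoso.com/secure"))
```

The validate attribute on the MetadataProvider controls XML schema validation only; it is unrelated to verifying the metadata's signature, which Shibboleth configures separately through a Signature MetadataFilter, so turning it off to accept the WS-Federation extensions does not by itself change how the SP establishes trust in the metadata.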
