Why is Cognito rejecting my SAML assertion?

Problem description

I'm doing a proof of concept for federating SAML into Cognito. I've set up Shibboleth v3, and once I finally got the log level set, I can see the SAML being sent back to Cognito, which just redirects to my configured page with ?error_description=Error+in+SAML+response+processing%3A+Invalid+SAML+metadata.+&error=server_error in the URL. The user pool in Cognito is set to require an email address, and I think I've got the attribute mapping set correctly, but it's not really easy to tell. Here's the SAML I'm seeing in the logs (minus a couple of URLs for anonymization's sake):

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://{DOMAIN}.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
                 ID="_cc28aebe7ae433f549a7df77e8a2fbaa"
                 InResponseTo="_d34b0821-c6eb-408d-b687-5fb2b71422dd"
                 IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp1.example.com:8443/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_cc28aebe7ae433f549a7df77e8a2fbaa">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>3wL9vw0MsEuSGO+0bir/6GQV1FVNQHw4fLgAXteHQK0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      LvCSLdm87hWsK480jhv/8JXBciPmGmAeUVxkGpAKUal5omnmpASXflSBHutkRwyPzD6mXMgSk3xL
      f0IfWwspbA3ixmbbeEwQciel+2Y4WxwPpWreV1aLHMLYSj8x8ZdiDSioczMwRpQSqVo6RCX98ayo
      riTBwTaoIQTHcE6xdDb98zDVCL+tCvrgkT3fhl0Z9HBxDvdy/YyrEuv0QVTj9SHiTI6heY5AhvA8
      3qCAaGdbsNc0jqvy6AUAp1VBy8QJGpWMvChXJnO8srUEKkVBhGRfScCaO2uDcpa90zAlSuD1B7Q7
      vVVrahRCB2lJHEmAyM2XeNNwN+DbyFU2Lcz4Kg==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIIDVDCCAjygAwIBAgIUIBWSFzIstjdAx2yVXLC40xKOIYAwDQYJKoZIhvcNAQELBQAwJzElMCMG
          A1UEAwwcaXAtMTAtMjAzLTEwLTkxLmVjMi5pbnRlcm5hbDAeFw0xOTA2MDQyMTU1MDhaFw0zOTA2
          MDQyMTU1MDhaMCcxJTAjBgNVBAMMHGlwLTEwLTIwMy0xMC05MS5lYzIuaW50ZXJuYWwwggEiMA0G
          CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaaLJ5lqB8eWuIiKPhDVsxOBncTnVS7wjjQOJ6pkSJ
          El8G1MnMIb5xaQBv9luwq88+EcmWIZDzt4Yj326tmz4lwweWa4VI3iVfk6eZl7Zpwlcj57dtvA8B
          MhcmbqX56Kb3pmTLf4VAI8hPoHdmKNYFapy+uM4b6ubvLx1NxlzgWfZ3o0ZrTuOpNpFgXJB+FGMS
          au4lOCvOVchU7ymch2qwP/iFSUnNcviL9k/M4tSIkbf+Tb9o9SQrJhwcBMdQDfsLKnDhEtvovX12
          H70smzVCg/H3AVUE+Qne5Cget90xKKRtQcSV2Q4jIS0mRGc5XVEQEiVzOLvx6DyLXUs926JxAgMB
          AAGjeDB2MB0GA1UdDgQWBBT0+FXPDXOe+gtZsNA+dnzPvJysWzBVBgNVHREETjBMghxpcC0xMC0y
          MDMtMTAtOTEuZWMyLmludGVybmFshixodHRwczovL2lkcDEuZXhhbXBsZS5jb206ODQ0My9pZHAv
          c2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAaM1kS0CoKBy4l1wRihbvsfX78FCmKk4woWEk
          a0st/c42ntf7nU8b/4C6SV9Jl7rhij18um6tF6dv+pVsH5KrDQbdH3xwF24ekDqosEaHSxcmY79k
          1TePd00xH8/udeKRFc+78LnkygnzulZZ748XKj9/ehUkfbrhWhGP3333Nruj5Ptlv7d4upCxtQ+g
          dYmHIzFt26MHR5jxcwYWPd/4M1ElakevscWOBjKTpScOnMYOikzyZpS+p7hD5/z4OfKv6AWLPdek
          eWVXGlZhRKhtp15tRrUpQucZFMh+YNOm9IlBRBeh5Qw4KQgg1KvkNy1+iA9vfptn+f2CtPhF+cxx
          3Q==
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_4df74e3ced3d853e5a0c329e0f7c83cb" IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0"
                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idp1.example.com:8443/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://idp1.example.com:8443/idp/shibboleth"
                    SPNameQualifier="urn:amazon:cognito:sp:us-east-1_MyLIE83bf">AAdzZWNyZXQxrczu0aLzz4zQafYgy5VN8rTutrL827I6iPTAGPVAGJlJKAcQIHAdkWP1uqtsYqAccnsy0GPpTNx8GgTudWw6Q5ovEh/zSlYq+A/eExrAuT5sJlatEGua7boJDq63t1fESo4qOmz3uW+Pbik=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="10.203.10.25"
                                       InResponseTo="_d34b0821-c6eb-408d-b687-5fb2b71422dd"
                                       NotOnOrAfter="2019-06-10T18:05:23.730Z"
                                       Recipient="https://{DOMAIN}.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-06-10T18:00:23.314Z" NotOnOrAfter="2019-06-10T18:05:23.314Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>urn:amazon:cognito:sp:us-east-1_MyLIE83bf</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-06-10T18:00:12.508Z" SessionIndex="_c1e143fa5c01b3642d1ce4573bfe9465">
      <saml2:SubjectLocality Address="10.203.10.25"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>[email protected]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">arn:aws:iam::{ACCOUNT}:role/FederationWorkshop-ReadOnly,arn:aws:iam::{ACCOUNT}:saml-provider/idp1</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

Is there something simple I'm missing (the intricacies of SAML and SSO are definitely not my wheelhouse at this point in time)?

Recommended answer

Question: "Why is Cognito rejecting my SAML assertion?"

Quick response: three potential root causes of this issue.

(1) Your SAML assertion does NOT carry/deliver all the attributes required by Cognito (see the detailed answer and resolution below).

(2) Attributes do NOT meet the format required by Cognito. For example (note: replace "ACCOUNT_NUMBER" with your AWS account ID assigned by Amazon AWS, e.g., 123456789012):

attribute #1: awsRoles
attribute #1 value: arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp,arn:aws:iam::ACCOUNT_NUMBER:saml-provider/Shibboleth-IdP
attribute #2: awsRoleSessionName
attribute #2 value: [email protected]

(3) Attribute values are NOT registered at Cognito through the ADMIN console of Amazon AWS (see (II) Important Remarks on Role later on).
Remarks

(1) Adding SAML Identity Providers to a User Pool states that the Audience URI/SP Entity ID of a User Pool (NOT Identity Pool) is urn:amazon:cognito:sp:your-User-Pool-ID.

(2) How to enable secure access to Kibana using AWS Single Sign-On describes how to utilize AWS SSO to access Kibana (Amazon Elasticsearch Service, an AWS internal service). An example of two important SAML SP parameters for a User Pool (NOT Identity Pool) is provided below.

(I) Application ACS URL: https://<Elasticsearch domain name>.auth.<AWS region>.amazoncognito.com/saml2/idpresponse
(II) Application SAML audience: urn:amazon:cognito:sp:<user pool id>

Question: "The user pool in Cognito is set to require an email address, and I think I've got the attribute mapping set correctly, but it's not really easy to tell."

Answer: Your SAML response indicates that your attribute mapping is NOT set correctly.

(1) Attribute "RoleSessionName" carried by your Shibboleth IdP v3 SAML response to Cognito is NOT required by Cognito.

<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">bob</saml2:AttributeValue>
</saml2:Attribute>

The correct attribute "RoleSessionName" carried by the Shibboleth IdP v3 SAML response to Cognito should be your E-mail address "[email protected]" instead of your given name "bob".

<saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>

(2) Resolution (minor revision may be required depending on your data repository, such as LDAP): add the attribute resolution

<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Simple" sourceAttributeID="employeeType">
  <resolver:Dependency ref="myLDAP"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                             name="https://aws.amazon.com/SAML/Attributes/Role"
                             friendlyName="Role"/>
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceAttributeID="mail">
  <resolver:Dependency ref="myLDAP"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                             name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
                             friendlyName="RoleSessionName"/>
</resolver:AttributeDefinition>

into "attribute-resolver-full.xml" or "attribute-resolver.xml" (depending on your Shibboleth IdP configuration). See the Shibboleth IdP Attribute Resolver Example.

Note that the OpenLDAP attribute "employeeType" is used to carry the role of Amazon AWS. Your data store/repository may use a different attribute to carry the role of Amazon AWS.

(I) The following OpenLDAP attributes have been mapped with the AWS configuration through the AWS administration console.

mail: [email protected]
employeeType: arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp,arn:aws:iam::ACCOUNT_NUMBER:saml-provider/Shibboleth-IdP

(II) We provide the official link of configuring Amazon AWS with Google G Suite to describe the SAML IdP configuration steps (performed through the AWS administration console):

Configuring Identity Pools for SAML Providers (Cognito) states: "Before configuring your identity pool to support a SAML provider, you must first configure the SAML identity provider in the IAM console. For more information, see Integrating third-party SAML solution providers with AWS in the IAM User Guide."

Integrating third-party SAML solution providers with AWS states: "Amazon Web Services cloud application – This article on the Google G Suite Administrator Help site describes how to configure G Suite as a SAML 2.0 IdP with AWS as the service provider."

Access the link of the Google G Suite Amazon Web Services cloud application, and then click "Step 1: Set up Amazon Web Services as a SAML 2.0 service provider (SP)"; you get the following SAML configuration steps of Amazon AWS for Cognito.

4. Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
5. In the navigation pane, select Identity providers and then click Create SAML Provider.
6. Select SAML as the Provider Type, and give it a name such as GoogleApps.
7. Upload the IDP metadata you saved earlier from the Google Admin console SAML settings.
8. Click Next Step and on the following page, click Create.
9. Click the Roles tab on the left sidebar and click Create a New Role to create a role which will define the permissions.
10. Select Set role name. This name will be displayed next to the login name on the AWS console.
11. Select Role for Identity Provider Access.
12. Select Grant Web Single Sign-On (WebSSO) access to SAML providers. Click Next Step.
13. Leave the Establish trust settings as they are. Click Next Step.
14. Use the Attach policy settings to define the policies your Federated Users will have. Click Next Step.
15. On the following page, review your settings, then click Create the Role.
16. Select your Google service from the identity providers list and note the Provider ARN. This contains your AWS Account ID and the name of the provider (example: arn:aws:iam::ACCOUNT_NUMBER:saml-provider/GoogleApps).
17. Click Save to save the Federated Web single sign-on configuration details.

Important Remarks on Role

(a) The OpenLDAP attribute "employeeType" is Role in my validation experiment with the AWS console.
(b) Ensure that the OpenLDAP attribute "employeeType" is mapped with your AWS configuration setting "Role".
(c) Replace "GoogleApps" in the provider type with "Shibboleth-IdP".
(d) Set the role name (e.g., shibbolethidp or googleapps, which will be converted by AWS into arn:aws:iam::ACCOUNT_NUMBER:role/shibbolethidp or arn:aws:iam::ACCOUNT_NUMBER:role/googleapps).

(III) For your convenience, I have made the 9th commit to upload the Amazon AWS SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container. Note that I have logged in to my Amazon AWS account ("ACCOUNT_NUMBER", e.g., 123456789012) with username "[email protected]" successfully using the Shibboleth IdP running in a Docker container with the 9th commit.

By performing the Shibboleth SAML IdP configuration with reference to the 9th commit to How to build and run Shibboleth SAML IdP and SP using Docker container, you can log in to your Amazon AWS account ("ACCOUNT_NUMBER", e.g., 123456789012) with your username (such as "[email protected]") federated by Shibboleth IdP.

(IV) My SAML response for a successful login to AWS is provided below for your reference.

<saml2p:Response Destination="https://signin.aws.amazon.com/saml"
                 ID="_fc89710799c4c2c540341e94bf7132d5"
                 IssueInstant="2019-06-11T18:49:38.300Z" Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_91749d5ecb8512c0c5d658a77cb25928" IssueInstant="2019-06-11T18:49:38.300Z" Version="2.0"
                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_91749d5ecb8512c0c5d658a77cb25928">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>mDAgwb9ZJxc+01sC99lAlAIAOEoiTgzHVTm4F9bdn/0=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>LWiL3+CdU6y86zBLx3vG6na1o46EUgiN7iV+b4J2lPvZK7+Oeu6XSenJlzo/cUMT19pYYrDMM6523lDAJCuOKPx4zTRIcabGrgzTKgmen0SHqWPxeL7t23RB6+v5AUvVw02tXqQhlggKEe3H+1T1k5q0cGc1xw5CQtI8zE6GK7nG1INnU7mo872H9x+zM1zy3yyvrWOkHHhVFqQQ1Tu+0ev4BIhTQaVgC+pM/ZvpctNjDMl1q4RSt1qumC+KFsYZlbrsLG7AvGJuR39wt/HV7F8Je3AUGGwMtGjkpRDuN1lIHrMqVzFf/5eKUv20rEk3aOxoV/sMfcuhWo27+NjE1g==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDPDCCAiSgAwIBAgIVALPPoC598LJ6ZJJJXCA2ESASlN4AMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNVBAMMFGlkcXNhbWwuaWRxdWFudGEuY29tMB4XDTE3MDYwMjIxNDI0NloXDTM3MDYwMjIxNDI0NlowHzEdMBsGA1UEAwwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAs4ml4G592b059YDgyD/MLWQKaKrc0/24Ufbl/JY7wOI1RpxW8DlbCvibzQge6Tu/8LVy4GIDb8QLxmCfFKYn97HC68TgXVJ+m+sQm+e4SVg6V2q+JY94LLcoFVe8+78ZIYT23KLkTv2RlHzes/sL1YaPSK4UuN+/ezppyX2t9BGNfuiUKA0KCf7wMFuQ07Fr65FTcGXQyxhPyaNrXjrNMJaLqwpCaesVdVzoqPevYVN3+nzAvOWoEbi6IcwnF07D0FYren/GPRXPAk5sP6fF3X0rJCkSq+d5t5P0gWONlvm9WlUrKadmeiibCtR2lGQ/dZGmyUzIILsuOwu4yp/EsI3AgMBAAGjbzBtMB0GA1UdDgQWBBREpZrZlnm8YrbSFcl59WRR5IY2FTBMBgNVHREERTBDghRpZHFzYW1sLmlkcXVhbnRhLmNvbYYraHR0cHM6Ly9pZHFzYWQCV63ubc+tsfzCvL48k35RzLAD15DIdbS9pZHAvc2hpYmJvbGV0aDANBgkAAOCAQEAEvrdnSvK2C2rcRr7kXn4Q/NaEovuUeqaNs1k/2+dSqs8rroM+m3Iq8RlBcmKnP/+mET3wwUaWRxc2FtbC5pZHF1YW50YS5jb20wggEiLRXay9y1uJXyZx37RDkGu8SD7+zf8znM+TCsX/qAP6Ve95WAeX4uB8Aeol3LULe1dePsRb/1RNpKsm8NomVzCwBXK9vyv8t3IVN40jZMaaTtR0YR22fTuqTyIMarMPO0Eh0f1FHraYaXfyop1OJcYlISpYe+c4vNvAXwEtHkZD2Iu/2aEMGcvBo3uq6OYVDXOfI3CvoB7sRtxURtj+vVSZKjDe6s7+lRcE1tpDkwOEEuDzA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://idp.example.com/idp/shibboleth"
                    SPNameQualifier="urn:amazon:webservices"
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQx/wu+MEcVaUwjGOXhDKAO/5KXLD2AcDGnu1DyoP2C4ztOF01Su6tTJDytykrsv7W2dSV4FkL42ORYDiipBEuwiRSbnvViKbFBkHYN4YUmQzttx3DPNW/w42tMjLrY2iyn7sAUgQSVNGRHyMAH</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="192.168.150.10" NotOnOrAfter="2019-06-11T18:54:38.412Z" Recipient="https://signin.aws.amazon.com/saml"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-06-11T18:49:38.300Z" NotOnOrAfter="2019-06-11T18:54:38.300Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>urn:amazon:webservices</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-06-11T18:49:38.041Z" SessionIndex="_79ee919a4e3fcd2f6d13702b60bfd357">
      <saml2:SubjectLocality Address="192.168.150.10"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">arn:aws:iam::my-aws-id:role/shibbolethidp,arn:aws:iam::my-aws-id:saml-provider/Shibboleth-IdP</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="RoleSessionName" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">[email protected]</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

(3) Amazon AWS provides the configuration guide How to Use Shibboleth for Single Sign-On to the AWS Management Console. Shibboleth provides the configuration guide Shibboleth IdP with Amazon Cognito.

(4) How to build and run Shibboleth SAML IdP and SP using Docker container at the GitHub repository provides the instructions on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP. Shibboleth SAML IdP is responsible for identity federation. OpenLDAP is responsible for identity authentication.

(I) I have validated SAML Single Sign-On (SSO) provided by the Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged the Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.

Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite

(II) I have validated Shibboleth IdP with the Amazon AWS Management Console with reference to How to Use Shibboleth for Single Sign-On to the AWS Management Console.

(III) We developed our former version of the Zero-Password Authentication and Authorization System in Java and leveraged Shibboleth IdP to provide SAML SSO for enterprise applications. We developed our current version of the Zero-Password Authentication and Authorization System with scalability and high availability in Scala to provide SAML SSO natively for enterprise applications without Shibboleth IdP.

Another StackOverflow question, "Setting up a new Shibboleth IdP to work with an existing SAML SP", provides valuable information and discussions on Shibboleth SAML configuration.

09-11 14:30
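The question's response and the answer's remarks both come down to fields an SP compares against its own configuration (ACS URL, SP entity ID, request correlation, validity window, released attributes, the AWS Role ARN pair). The following pre-flight checker is an added example, not code from the question, the answer, or any AWS or Shibboleth project: it parses a logged SAML response with the Python standard library and lists every disagreement with the expected SP settings. The ACS URL, the user-pool entity ID urn:amazon:cognito:sp:us-east-1_EXAMPLE, the account number 123456789012 and the fixed clock are constructed placeholders, and the XML signature is deliberately not verified (a SAML library is the right tool for that); the sample response is a stripped-down, unsigned copy of the element layout in the question.

```python
"""Pre-flight checks for a SAML 2.0 Response taken from the IdP's logs (added example, not
code from the question or answer). The XML signature is NOT verified here; the fields an SP
such as a Cognito user pool compares against its own configuration are checked instead."""
from datetime import datetime, timezone
import re
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
MAIL_ATTR = "urn:oid:0.9.2342.19200300.100.1.3"  # LDAP "mail", as released in the question's assertion
# Constructed placeholders (not real values): a Cognito ACS URL and a user-pool SP entity ID
ACS = "https://example-domain.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
COGNITO_SP = "urn:amazon:cognito:sp:us-east-1_EXAMPLE"
NOW = datetime(2019, 6, 10, 18, 2, 0, tzinfo=timezone.utc)  # fixed clock inside the sample's validity window
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")

def _ts(value):
    """Parse a SAML UTC timestamp such as 2019-06-10T18:05:23.730Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def attributes(assertion):
    """Map attribute Name -> list of string values found in the AttributeStatement."""
    out = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out

def check_role_pair(value):
    """AWS expects 'role-ARN,saml-provider-ARN' from one account; return a finding or None."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return f"Role value must be exactly two comma-separated ARNs: {value!r}"
    matches = [ARN_RE.match(p) for p in parts]
    if not all(matches):
        return f"Role value contains a malformed IAM ARN: {value!r}"
    if {m.group(2) for m in matches} != {"role", "saml-provider"} or len({m.group(1) for m in matches}) != 1:
        return f"Role value must pair one role with one saml-provider in the same account: {value!r}"
    return None

def check_response(xml_text, *, acs_url, sp_entity_id, request_id, required_attrs, now):
    """Return a list of findings; an empty list means the response matches the SP configuration."""
    findings = []
    def expect(ok, msg):
        if not ok:
            findings.append(msg)
    root = ET.fromstring(xml_text)
    expect(root.get("Destination") == acs_url, "Destination does not match the ACS URL")
    expect(root.get("InResponseTo") == request_id, "Response InResponseTo does not match the AuthnRequest ID")
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    expect(code is not None and code.get("Value") == SUCCESS, "StatusCode is not Success")
    a = root.find("saml2:Assertion", NS)
    if a is None:
        return findings + ["no plaintext saml2:Assertion (missing or encrypted)"]
    aud = a.find("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    expect(aud is not None and (aud.text or "").strip() == sp_entity_id,
           "Audience does not match the SP entity ID (urn:amazon:cognito:sp:<user pool id> for a user pool)")
    cond = a.find("saml2:Conditions", NS)
    if cond is not None:
        expect(not cond.get("NotBefore") or now >= _ts(cond.get("NotBefore")), "assertion not yet valid (NotBefore)")
        expect(not cond.get("NotOnOrAfter") or now < _ts(cond.get("NotOnOrAfter")), "assertion expired (NotOnOrAfter)")
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("bearer SubjectConfirmationData missing")
    else:
        expect(scd.get("Recipient") == acs_url, "SubjectConfirmationData Recipient does not match the ACS URL")
        expect(scd.get("InResponseTo") == request_id, "SubjectConfirmationData InResponseTo does not match the AuthnRequest ID")
        expect(not scd.get("NotOnOrAfter") or now < _ts(scd.get("NotOnOrAfter")), "bearer confirmation expired")
    attrs = attributes(a)
    for name in required_attrs:
        expect(any(attrs.get(name, [])), f"required attribute {name} missing or empty")
    for value in attrs.get(ROLE_ATTR, []):  # only meaningful when the AWS Role attribute is released
        problem = check_role_pair(value)
        if problem:
            findings.append(problem)
    return findings

def sample_response(audience, role_value, mail="user@example.com"):
    """Constructed, unsigned response mirroring the element layout of the one in the question."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" Destination="{ACS}"
    ID="_r1" InResponseTo="_req1" IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="_a1" IssueInstant="2019-06-10T18:00:23.314Z" Version="2.0">
    <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2019-06-10T18:05:23.730Z" Recipient="{ACS}"/>
    </saml2:SubjectConfirmation></saml2:Subject>
    <saml2:Conditions NotBefore="2019-06-10T18:00:23.314Z" NotOnOrAfter="2019-06-10T18:05:23.314Z">
      <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{MAIL_ATTR}"><saml2:AttributeValue>{mail}</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{ROLE_ATTR}"><saml2:AttributeValue>{role_value}</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def run_sample(audience, role_value):
    """Run the checks over the constructed sample with the fixed clock; returns the findings list."""
    return check_response(sample_response(audience, role_value), acs_url=ACS, sp_entity_id=COGNITO_SP,
                          request_id="_req1", required_attrs=[MAIL_ATTR], now=NOW)
```

To use it on a real capture, pass the logged response text to check_response with the pool's actual ACS URL, its urn:amazon:cognito:sp:<user pool id> entity ID, the AuthnRequest ID and the current time; each finding names the element that disagrees with the SP configuration, which is exactly what the generic "Error in SAML response processing" redirect does not tell you. Sending the response with the audience from the answer's AWS-console example (urn:amazon:webservices) instead of the user-pool entity ID, or with a single ARN in the Role attribute, produces one finding per mismatch.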