Problem description
I've configured an app in the ADFS relying party trusts, so I can log in using ADFS/SSO. After that I've installed simplesamlphp to deal with that login and process the SAML response.
This is my authsources config:
```php
<?php
// config/authsources.php (fragment)
$config = array(
    'myauth' => array(
        'saml:SP',
        'idp' => 'http://domain/adfs/services/trust',
        'privatekey' => 'saml.key',
        'certificate' => 'saml.crt',
    ),
);
```
But after the login, on the return POST I get the following error:
```text
Exception during login: sspmod_saml_Error: Requester/InvalidNameIDPolicy
Backtrace:
3 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:376 (sspmod_saml_Message::getResponseError)
2 /home/......../adfs/simplesamlphp/modules/saml/lib/Message.php:503 (sspmod_saml_Message::processResponse)
1 /home/......../adfs/simplesamlphp/modules/saml/www/sp/saml2-acs.php:81 (require)
0 /home/......../adfs/simplesamlphp/www/module.php:135 (N/A)
```
Am I missing something? How can I get that name ID policy? Where do I define it?
Thanks
Recommended answer
simplesamlphp normally uses UPN or email as the NameID. You need to check in the config.
So in ADFS, create two claims rules:
One to create the claim (either UPN or email) - the normal LDAP one.
And a Transform that takes the above and transforms it to a NameId claim with a type of "transient".
Again, simplesamlphp may not be using transient - you need to check in the config.
Update:
Assuming UPN:
```text
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
```
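An added diagnostic, not part of the question or answer: it parses a constructed AuthnRequest and Response and reports whether the NameID format the IdP issued can satisfy the NameIDPolicy the SP requested, which is the check behind Requester/InvalidNameIDPolicy. The sample XML is constructed; the transform rule above is what makes ADFS issue the transient format that simplesamlphp's saml:SP 'NameIDPolicy' option asks for.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed AuthnRequest, as simplesamlphp's saml:SP sends it when its
# 'NameIDPolicy' option asks for the transient format.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed Response whose NameID is e-mail formatted, i.e. the ADFS
# transform rule that sets the "transient" format property is missing.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:01Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.org</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def requested_format(authn_request_xml):
    """Format the SP asked for in <samlp:NameIDPolicy>, or None if absent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")

def issued_format(response_xml):
    """Format of the NameID in the first assertion; None if there is no NameID."""
    name_id = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None
    return name_id.get("Format", UNSPECIFIED)  # no Format attribute means unspecified

def policy_satisfied(requested, issued):
    """True if the issued NameID can satisfy the requested policy (the IdP-side check)."""
    if requested in (None, UNSPECIFIED):
        return issued is not None  # any format is fine, but a NameID must exist
    return issued == requested

if __name__ == "__main__":
    req, got = requested_format(AUTHN_REQUEST), issued_format(RESPONSE)
    verdict = "ok" if policy_satisfied(req, got) else "mismatch -> Requester/InvalidNameIDPolicy"
    print("requested:", req, "\nissued:   ", got, "\n" + verdict)
```

Run against a real pair captured from the browser (simplesamlphp's debug logging dumps both messages) to see which side to change: the SP's 'NameIDPolicy' option or the ADFS transform rule's format property.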
This article on ADFS 2.0 InvalidNameIDPolicy ends here; we hope the recommended answer helps.