Problem description
Recommended answer
As a practical suggestion, I attached a SAML2 message as ADFS2 sends it to ADFS2 when they are configured to talk SAML2. I sent the unmodified single line to avoid breaking the signature; I hope it worked.
I guess if you "copy" this behavior, then you will not have trouble with ADFS2. ADFS2 was tested for interop, so it might just work with others too; that is at least the idea. That may help you with any issues after you have fixed this one. Be practical.
In this case the second "ds:Transform" is missing; see the ADFS2 signature.
<samlp:Response ID="_2756dbd9-f679-4989-84a8-705734265702" Version="2.0" IssueInstant="2010-06-17T08:08:23.541Z" Destination="https://fed1.psres.local/adfs/ls/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="id-1f58076d-e34c-49ee-b2cf-c44b32fe52df" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://fed.pspar.local/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_33dd437a-6502-46ce-a8b6-dc156d832118" IssueInstant="2010-06-17T08:08:23.541Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://fed.pspar.local/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_33dd437a-6502-46ce-a8b6-dc156d832118"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>3WEwcEu9S8nAYJwOUFc3gME1zDqNPMLqU2lgJ6NTDZ8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>U2WQ7YmdcXyLbRxcpXFDEC4Kc7kIIQj4ZcgsIDdDZCjJRTUqLEnI/8NJ8As/GIJMp45RJ3bo+ZBwWnN2ksQ9cASKE2MuFvEoT3DWEMH24vVbXD1q7dqYq5OA9243n9/SeUPOT6NnNTtTMU7Rjtx7+Iu/4q5+27YkLIUPj7AsvzqquwHazr8Shy1CGrW/ECNmEF/4rZe4P/Ea347DxLM7FV2l43Qb2pafq83L/I12siQjzwZUkyFH/DeOVpsSf9M1ESLGwb5PV1iuRaNyXcvemx0dsGTNFHRDS2WAmmSZzbixMZ8q8DxkitU0dLrxoFjskKtve2E9CaunSz2IZpFEPQ==</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><NameID Format="http://schemas.xmlsoap.org/claims/UPN">[email protected]</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id-1f58076d-e34c-49ee-b2cf-c44b32fe52df" NotOnOrAfter="2010-06-17T08:13:23.541Z" Recipient="https://fed1.psres.local/adfs/ls/" /></SubjectConfirmation></Subject><Conditions NotBefore="2010-06-17T08:08:23.528Z" NotOnOrAfter="2010-06-17T09:08:23.528Z"><AudienceRestriction><Audience>http://fed1.psres.local/adfs/services/trust</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>[email protected]</AttributeValue></Attribute><Attribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>Arnold User1</AttributeValue></Attribute><Attribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>[email protected]</AttributeValue></Attribute><Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><AttributeValue>[email protected]</AttributeValue></Attribute><Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue>Arnold</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2010-06-17T08:08:23.429Z" SessionIndex="_33dd437a-6502-46ce-a8b6-dc156d832118"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
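As an added example (not part of the original answer or of ADFS), the Python below lints the assertion signature of a SAML 2.0 Response against the shape visible in the ADFS2 message above: exclusive C14N as the canonicalization method, rsa-sha256, exactly one ds:Reference whose URI points at the Assertion ID, the two transforms enveloped-signature followed by exc-c14n, and a sha256 DigestMethod. A response missing the second transform, which is the problem the answer points out, is reported with the missing algorithm. The check is structural only and does not verify the signature cryptographically; `build_sample` and the issuer URL in it are constructed test inputs with placeholder signature and digest values.

```python
"""Lint the <ds:Signature> of a SAML 2.0 Response against the shape ADFS 2.0 emits.

Structural check only (algorithms, transforms, reference target); it does not
validate the signature value or the certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm URIs as used in the ADFS2-to-ADFS2 message quoted in the answer.
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# ADFS2 emits both transforms, in this order: strip the signature, then exc-c14n.
EXPECTED_TRANSFORMS = [ENVELOPED, EXC_C14N]


def lint_assertion_signature(xml_text: str) -> list:
    """Return a list of problems; an empty list means the block matches ADFS2's shape."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in response"]
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return ["assertion is not signed"]
    si = sig.find("ds:SignedInfo", NS)
    if si is None:
        return ["ds:SignedInfo missing"]

    c14n = si.find("ds:CanonicalizationMethod", NS)
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        problems.append("CanonicalizationMethod is not exclusive C14N")
    sm = si.find("ds:SignatureMethod", NS)
    if sm is None or sm.get("Algorithm") != RSA_SHA256:
        problems.append("SignatureMethod is not rsa-sha256")

    refs = si.findall("ds:Reference", NS)
    if len(refs) != 1:
        problems.append("expected exactly one ds:Reference, found %d" % len(refs))
        return problems
    ref = refs[0]
    # The Reference must point at the element carrying the signature; otherwise the
    # signed bytes are not the assertion the relying party will consume.
    if ref.get("URI") != "#" + (assertion.get("ID") or ""):
        problems.append("Reference URI %r does not match Assertion ID %r"
                        % (ref.get("URI"), assertion.get("ID")))

    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if transforms != EXPECTED_TRANSFORMS:
        missing = [a for a in EXPECTED_TRANSFORMS if a not in transforms]
        problems.append("Transforms %r differ from ADFS2's %r; missing: %r"
                        % (transforms, EXPECTED_TRANSFORMS, missing))

    dm = ref.find("ds:DigestMethod", NS)
    if dm is None or dm.get("Algorithm") != SHA256:
        problems.append("DigestMethod is not sha256")
    return problems


def build_sample(transforms) -> str:
    """Constructed minimal response for testing (hypothetical issuer; signature and
    digest values are placeholders and would not verify)."""
    tr = "".join('<ds:Transform Algorithm="%s"/>' % a for a in transforms)
    return (
        '<samlp:Response ID="_r1" Version="2.0" xmlns:samlp="%(samlp)s">'
        '<saml:Assertion ID="_a1" Version="2.0" xmlns:saml="%(saml)s">'
        '<saml:Issuer>http://idp.example/adfs/services/trust</saml:Issuer>'
        '<ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="%(c14n)s"/>'
        '<ds:SignatureMethod Algorithm="%(sm)s"/>'
        '<ds:Reference URI="#_a1"><ds:Transforms>%(tr)s</ds:Transforms>'
        '<ds:DigestMethod Algorithm="%(dm)s"/><ds:DigestValue>AA==</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo><ds:SignatureValue>AA==</ds:SignatureValue>'
        '</ds:Signature></saml:Assertion></samlp:Response>'
    ) % dict(NS, c14n=EXC_C14N, sm=RSA_SHA256, dm=SHA256, tr=tr)


if __name__ == "__main__":
    print("ADFS2 shape:", lint_assertion_signature(build_sample(EXPECTED_TRANSFORMS)))
    print("second transform dropped:", lint_assertion_signature(build_sample([ENVELOPED])))
```

Run it against a real response by passing the single-line XML to `lint_assertion_signature`; because the lookup is by namespace URI, it works whether the assertion uses a `saml:` prefix or a default namespace as in the ADFS2 message above. A clean result only means the structure matches; signature and certificate validation still have to be done by the relying party's XML-DSig library.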
This concludes the article on needing help with ADFS 2.0 and SAML; we hope the recommended answer is helpful to everyone.