
How can I connect the Spring SAML example application to a Weblogic IDP?

  1. I downloaded the Spring SAML example application here: http://docs.spring.io/spring-security-saml/docs/current/reference/htmlsingle/#quick-start-steps
  2. I ran the application and successfully authenticated against the SSOCircle IDP.
  3. I then tried to switch to a Weblogic IDP, but when I try the authentication, it fails with an exception.

Exception stacktrace:

    Jun 17, 2015 10:33:31 AM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet [default] in context with path [] threw exception [org.opensaml.ws.message.encoder.MessageEncodingException: Unable to builder artifact for message to relying party] with root cause
    org.opensaml.ws.message.encoder.MessageEncodingException: Unable to builder artifact for message to relying party
            at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.buildArtifact(HTTPArtifactEncoder.java:232)
            at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.getEncode(HTTPArtifactEncoder.java:195)
            at org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder.doEncode(HTTPArtifactEncoder.java:137)
            at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:227)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.sendMessage(SAMLProcessorImpl.java:195)
            at org.springframework.security.saml.websso.AbstractProfileBase.sendMessage(AbstractProfileBase.java:144)
            at org.springframework.security.saml.websso.WebSSOProfileImpl.sendAuthenticationRequest(WebSSOProfileImpl.java:105)
            at org.springframework.security.saml.SAMLEntryPoint.initializeSSO(SAMLEntryPoint.java:226)
            at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:153)
            at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:107)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)

In the log there's another message that says:

No artifact resolution service endpoint defined for the entity null

  1. What can I do to make the artifact resolution succeed? I debugged the application and found that the method org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004Builder#getAcsEndpoint() returns null, which causes the exception above. I'm not really sure what this means or what to do to make it work.
  2. I exported the IDP metadata and included that in the metadata provider bean and in turn exported the SP metadata and uploaded it into Weblogic as a federated partner metadata. Did I miss something?

I tried to make the example application authenticate against a Weblogic IDP and against a Shibboleth IDP, but I didn't manage to make it work. Either the configuration is not complete or I'm missing something fundamental.

1. Add Credential Mapping

To enable SAML functionality, we first need to add a credential mapping. Open the Weblogic Administration Console:

http://server:port/console
e.g.
http://127.0.0.1:7101/console

1.1. Add mapping entry

1.1.1. Navigate to the Credential Mapping page:

Security Realms > myrealm > Providers > Credential Mapping

1.1.2. Click the New button

  • Enter a name for the mapping (e.g. SamlCredentialMapper)
  • Select the SAML2CredentialMapper type
  • Save the new mapping

1.1.3. Click on the new mapping

2. Configure SAML properties

2.1. Navigate to the Servers page

  • Open the server entry for the Admin Server.
  • Note the values of Listen Address and Listen Port on the General tab.

2.2. Navigate to Federation Services > SAML 2.0 General

  • Enter a value for the Published Site URL (host and port should be the same as the values you noted in the previous step):

    e.g. http://localhost:7101/saml2

  • Enter an Entity ID (note that this ID MUST BE the same as the Issuer URI you entered earlier):

    e.g. http://www.server.com/issuer

  • Has to be the same as the Issuer URI from the Credential Mapping.

  • Save the settings

2.3. Switch to the SAML 2.0 Identity Provider tab

  • Check the Enabled checkbox.
  • Select POST as the preferred binding.
  • Save the settings.

3. Exchange metadata information

3.1. Export IDP metadata

The Identity Provider metadata file is used by the Service Provider (SSO client) application to determine login URLs and other useful information.

3.1.1. Navigate to Federation Services > SAML 2.0 General

  • Click on the Publish Meta Data button.
  • Select a file name for the metadata file
    • by entering a path / file name in the Path text field
    • OR by selecting an existing file in the directory structure (you have to check the Overwrite checkbox to overwrite the file)
  • Click OK to export the metadata file.

3.2. Use the metadata file in the Service Provider application

The Service Provider application needs to know where to find the IDP. This information is contained in the IDP metadata file.

3.3. Obtain the Service Provider metadata file

The IDP needs to know about the Service Provider (SSO client) as well. You need to obtain the SP metadata file.

3.4. Configure Service Provider Partner

  • Navigate to the Credential Mapping you created earlier.
  • Go to the Management tab.
  • Create a New Web Single Sign-on Service Provider Partner.
  • Pick a name (or leave the default).
  • Select the SP metadata file by navigating to a directory and selecting an existing file in the directory structure.
  • Click OK to save the new partner.
  • Click on the new Service Provider Partner.
  • Check the Enabled checkbox.
  • Click on Save.

Links

Which Weblogic version are you using? At least in older versions, Oracle consultants told me that Weblogic's SAML IDP support is not "production quality" and the implementation indeed had issues (like usage of old libraries, no support for SAML encryption, handling bugs), but it may have changed since.

The error "No artifact resolution service endpoint" suggests that your IDP's metadata doesn't have an ArtifactResolutionEndpoint in its metadata. In your place I'd try to use HTTP-POST binding instead of Artifact.
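As an added illustration (not part of the question above, of the answer, or of Spring SAML or OpenSAML), the following Python script checks an IDP metadata file and an SP metadata file for the endpoints each binding needs before the two are wired together in the metadata exchange of section 3. It reproduces the condition behind the "No artifact resolution service endpoint" message: whichever side sends a message over the HTTP-Artifact binding must publish an ArtifactResolutionService in its own metadata, so for an SP-initiated AuthnRequest the SP's metadata needs one, while the IDP must expose a SingleSignOnService for the requested binding. The entity IDs, hostnames and paths in the sample metadata are constructed placeholders, and `inspect_metadata`, `usable_bindings`, `diagnose` and `sample_metadata` are names chosen for this example.

```python
"""Check SAML 2.0 metadata for the endpoints each binding needs.

Added example, not code from the question, the answer, Spring SAML or OpenSAML.
All entity IDs, hostnames and paths below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Role descriptor -> the endpoint element a peer delivers SSO messages to.
ROLE_ENDPOINTS = {
    "IDPSSODescriptor": "SingleSignOnService",
    "SPSSODescriptor": "AssertionConsumerService",
}


def inspect_metadata(xml_text):
    """Summarise one EntityDescriptor: entity ID, per-role endpoint locations
    keyed by binding, and any ArtifactResolutionService the entity publishes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    summary = {"entity_id": root.get("entityID"), "roles": {}}
    for role_tag, endpoint_tag in ROLE_ENDPOINTS.items():
        for role in root.findall("md:%s" % role_tag, NS):
            bindings = {}
            for ep in role.findall("md:%s" % endpoint_tag, NS):
                bindings.setdefault(ep.get("Binding"), []).append(ep.get("Location"))
            ars = [ep.get("Location")
                   for ep in role.findall("md:ArtifactResolutionService", NS)]
            summary["roles"][role_tag] = {"bindings": bindings, "artifact_resolution": ars}
    return summary


def usable_bindings(summary, role_tag):
    """Bindings a peer can use to deliver to this role, in the order most
    deployments prefer them (POST, then Redirect, then Artifact)."""
    role = summary["roles"].get(role_tag)
    if role is None:
        return []
    return [b for b in (BINDING_POST, BINDING_REDIRECT, BINDING_ARTIFACT) if b in role["bindings"]]


def diagnose(sp_summary, idp_summary, requested_binding):
    """Can the SP send its AuthnRequest with requested_binding?

    The IDP must expose a SingleSignOnService for that binding, and with
    HTTP-Artifact the SP (the artifact issuer) must itself publish an
    ArtifactResolutionService, the check behind the message
    'No artifact resolution service endpoint defined for the entity'."""
    if requested_binding not in usable_bindings(idp_summary, "IDPSSODescriptor"):
        return False, "IDP has no SingleSignOnService for %s" % requested_binding
    sp_role = sp_summary["roles"].get("SPSSODescriptor", {})
    if requested_binding == BINDING_ARTIFACT and not sp_role.get("artifact_resolution"):
        return False, "SP metadata publishes no ArtifactResolutionService, so it cannot issue an artifact"
    return True, "ok"


def sample_metadata(entity_id, role_tag, endpoints, ars_location=None):
    """Build a minimal, constructed EntityDescriptor for the checks below."""
    endpoint_tag = ROLE_ENDPOINTS[role_tag]
    eps = ""
    for i, (binding, location) in enumerate(endpoints):
        # Only AssertionConsumerService is an indexed endpoint in the schema.
        index = ' index="%d"' % i if endpoint_tag == "AssertionConsumerService" else ""
        eps += '<md:%s Binding="%s" Location="%s"%s/>' % (endpoint_tag, binding, location, index)
    ars = ""
    if ars_location:  # ArtifactResolutionService precedes the SSO endpoints in the schema
        ars = '<md:ArtifactResolutionService Binding="%s" Location="%s" index="0"/>' % (
            BINDING_SOAP, ars_location)
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="%s">'
            '<md:%s protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '%s%s</md:%s></md:EntityDescriptor>' % (MD_NS, entity_id, role_tag, ars, eps, role_tag))


# Constructed samples: an IDP exported with POST and Redirect only (as in the
# Weblogic steps above), an IDP that also offers Artifact, and an SP with and
# without its own ArtifactResolutionService.
IDP_POST_ONLY = sample_metadata("http://idp.example.test/issuer", "IDPSSODescriptor", [
    (BINDING_POST, "http://idp.example.test:7101/saml2/idp/sso/post"),
    (BINDING_REDIRECT, "http://idp.example.test:7101/saml2/idp/sso/redirect")])
IDP_WITH_ARTIFACT = sample_metadata("http://idp.example.test/issuer", "IDPSSODescriptor", [
    (BINDING_POST, "http://idp.example.test:7101/saml2/idp/sso/post"),
    (BINDING_ARTIFACT, "http://idp.example.test:7101/saml2/idp/sso/artifact")],
    ars_location="http://idp.example.test:7101/saml2/idp/ars")
SP_NO_ARS = sample_metadata("http://sp.example.test/saml/metadata", "SPSSODescriptor", [
    (BINDING_POST, "http://sp.example.test/saml/SSO")])
SP_WITH_ARS = sample_metadata("http://sp.example.test/saml/metadata", "SPSSODescriptor", [
    (BINDING_POST, "http://sp.example.test/saml/SSO")],
    ars_location="http://sp.example.test/saml/ArtifactResolve")

if __name__ == "__main__":
    sp, idp = inspect_metadata(SP_NO_ARS), inspect_metadata(IDP_POST_ONLY)
    print("IDP", idp["entity_id"], "accepts:", usable_bindings(idp, "IDPSSODescriptor"))
    for binding in (BINDING_ARTIFACT, BINDING_POST):
        print(binding.rsplit(":", 1)[1], "->", diagnose(sp, idp, binding))
```

Run it against the metadata exported from the Weblogic console (step 3.1) and the SP metadata generated by the example application. With the constructed IDP that matches the tutorial above (POST selected as the preferred binding, no Artifact endpoint), POST is reported as usable and Artifact is not, so the SP should request HTTP-POST; in the Spring SAML example that is the `binding` property of the `WebSSOProfileOptions` bean in its securityContext.xml. If Artifact is genuinely wanted, the check shows which of the two metadata files is missing the ArtifactResolutionService rather than leaving it to the `getAcsEndpoint()` null at runtime.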
