
Invalid NameID policy for wordpress

I have the following setup:

Windows 2012 R2 with ADFS 3.0. WordPress set up as SP (relying party trust) and SimpleSAMLphp as IdP (claims party trust).

I want to authenticate WordPress users with the help of SSP. The control flow is: the user logs in to WordPress. The page then takes the user to the number of IdP providers configured on the ADFS server. The user chooses SSP. The user is authenticated with SSP and the response is sent to ADFS, which in turn passes the information to WordPress.

I have configured all the relying & claims parties & it works well individually (WP-ADFS, ADFS-SSP), but when I try to authenticate WP with SSP, it gives me the error: The SAML authentication request had a NameID Policy that could not be satisfied.

I have the rules set up as follows:

Claims party rule:

Transform an incoming rule: NameID transient to Windows account name

Relying party rule:

Rule 1:

LDAP rules: SAM-Account-Name -> Windows account name, E-Mail-Addresses -> Email Address

Rule 2:

Transform an incoming claim: Windows account name -> NameID Transient Identifier

I have just started working with SSO on Windows Server, so I don't know much about claims rules & I guess that there might be something wrong with them, as individually all the modules are working fine (for example: WP as SP and ADFS as IdP, ADFS as SP and SSP as IdP).

What exactly am I doing wrong?

Please also let me know if I have missed out on any details.

Thanks!

The first step is to figure out what NameID Policy is being requested. Install SAML Tracer in Firefox and run through your flow. You'll see the AuthnRequest may have a NameIDPolicy listed (for example <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").

Once you know what NameID is needed, you can try to configure WordPress to accept a different type (SSP uses urn:oasis:names:tc:SAML:2.0:nameid-format:transient by default) or configure SSP to release the NameID in the expected format.

Here is an example of using authproc in SSP to use the mail attribute for the NameID:

    'authproc' => array(
        60 => array(
            'class' => 'saml:AttributeNameID',
            'attribute' => 'mail',
            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ),
    ),

There are other NameID generation filters documented.
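As an added example (not part of the answer above and not SimpleSAMLphp's own code), a small Python check that pulls the Format out of an AuthnRequest's NameIDPolicy, as SAML Tracer would show it, and tests it against the NameID formats the IdP can release before and after the mail-attribute filter is configured. The AuthnRequest and the ADFS issuer URL below are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# What SSP releases out of the box (transient only) versus after the
# saml:AttributeNameID filter from the answer is added for the mail attribute.
IDP_FORMATS_DEFAULT = {TRANSIENT}
IDP_FORMATS_WITH_MAIL_FILTER = IDP_FORMATS_DEFAULT | {EMAIL}

# Constructed sample AuthnRequest, trimmed to the elements this check needs.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                      AllowCreate="true"/>
</samlp:AuthnRequest>"""


def requested_nameid_format(authn_request_xml):
    """Return the Format attribute of <samlp:NameIDPolicy>, or None if absent.

    A missing NameIDPolicy (or one without Format) means the SP imposes no
    constraint, which is why some flows work and others fail on the same IdP.
    """
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    if policy is None:
        return None
    return policy.get("Format")


def policy_satisfiable(authn_request_xml, idp_formats):
    """True if the IdP can honour the requested NameID format.

    No policy or the 'unspecified' format accepts whatever the IdP releases;
    anything else must be in the set of formats the IdP is configured for.
    """
    fmt = requested_nameid_format(authn_request_xml)
    if fmt is None or fmt == UNSPECIFIED:
        return True
    return fmt in idp_formats
```

Running the sample request against IDP_FORMATS_DEFAULT reproduces the "could not be satisfied" condition from the question, and against IDP_FORMATS_WITH_MAIL_FILTER it passes.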
