Recipient in SubjectConfirmationData does not match the current URL

I'm getting the following error when trying to connect to a WebSEAL SAML endpoint.

My server is set up as an SP and I am trying to authenticate against an IdP that I have set up in saml20-idp-remote.php.

The redirect works correctly, but when the IdP redirects back to my SP I get the following error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Error validating SubjectConfirmation in Assertion:
 Recipient in SubjectConfirmationData does not match the current URL. 
Recipient is 'http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp', 
current URL is 
'http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'.
Backtrace:
3 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:684 (sspmod_saml_Message::processAssertion)
2 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:517 (sspmod_saml_Message::processResponse)
1 /mnt/www/html/livehappierstg/simplesaml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:134 (N/A)

How do I change the Recipient URL in the SubjectConfirmationData in my config files?

My config files are as follows.

'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'http://local.com/',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://example.com/federatedaccess/SSOConsume.do',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
)

SAML 2.0 IdP remote config

$metadata['https://example.com/federatedaccess/SSOConsume.do'] = array(
  'name' => array(
    'en' => 'My SSO',
  ),
  'description' => 'My single sign on webseal environment.',
  'ForceAuthn' => false,
  'IsPassive' => false,
  'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
  'SingleSignOnService' => 'https://example.com/federatedaccess/SSOConsume.do',
  'certificate' => 'pub.crt',
  'sign.authnrequest' => true,
  'redirect.sign' => true,
  'redirect.validate' => true,
);

Cheers

This is a problem with how the IdP is configured with your SP. It should be setting the Recipient in SubjectConfirmationData to http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp and is instead using http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp (note the saml2-acs.php vs metadata.php difference in the path).

The URL the IdP is using is the URL to retrieve your SP's metadata. It seems instead of reading the metadata it is using that URL as the AssertionConsumerService URL.
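The check that produced the error above, as an added example that is not part of the original post or of SimpleSAMLphp: it parses a constructed bearer assertion whose Recipient is the SP metadata URL (as the IdP in the question sends it) and compares it against the ACS URL the response actually arrived at. The exact-string comparison is this example's own choice; the URLs are the ones from the error message.

```python
# Added example: a minimal SubjectConfirmationData Recipient check of the kind an
# SP performs at its AssertionConsumerService (ACS) endpoint. Not SimpleSAMLphp code.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed assertion fragment modelled on the error in the question: the IdP
# filled Recipient with the SP's metadata URL instead of the ACS URL.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
        Recipient="http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp"
        NotOnOrAfter="2020-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# The URL the SP's ACS endpoint was reached at (from the error message).
ACS_URL = "http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"


def bearer_recipients(assertion_xml):
    """Return the Recipient of every bearer SubjectConfirmationData in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only bearer confirmations bind the assertion to a Recipient URL
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is not None and scd.get("Recipient"):
            found.append(scd.get("Recipient"))
    return found


def check_recipient(assertion_xml, current_url):
    """Accept only if a bearer Recipient equals the URL this endpoint was reached at.
    Exact string comparison, no normalisation: a different path (metadata.php vs
    saml2-acs.php) is a mismatch, which is exactly what the question's error shows."""
    recipients = bearer_recipients(assertion_xml)
    if not recipients:
        return (False, "no bearer SubjectConfirmationData with a Recipient")
    if current_url in recipients:
        return (True, "ok")
    return (False, "Recipient %r does not match the current URL %r"
            % (recipients[0], current_url))
```

Once the IdP is corrected to put the ACS URL in Recipient, the same check passes without any change on the SP side, which is the point of the answer above.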
