
WSO2 IS federated login does not show correct user claims

Consider the case in which you have WSO2 IS (5.3.0) and an upstream IDP (eg a SAML IDP).

Login procedure is as follows: User accesses a service provider (eg OpenID Connect client) which redirects to the local WSO2 IS. The SP is configured to use the upstream SAML IDP or local login as outbound authentication option. The upstream SAML IDP returns some attributes in the assertion but no JiT provisioning is configured.

Now use the access token the service provider gets from the login process to

  1. query the SOAP token validation endpoint of WSO2 IS with the token -> User claims returned are the claims from the local user store (embedded LDAP)
  2. query the userinfo REST endpoint -> User claims are the claims that were returned by the upstream IDP in the SAML assertion, userinfo does not return any local attributes

Is this a configuration issue? Is there a way to work around this behavior?

What makes things even worse with the userinfo endpoint is that the claims returned depend on whether the user logs in via a local login (in WSO2 IS) or via the upstream external IDP. That is not the case with the SOAP token validation endpoint, which returns the same attributes in both cases.

I have done more investigation on this. It looks like the SOAP token validation endpoint uses the claim retriever, which directly accesses the user store (eg LDAP), whereas the userinfo endpoint gets the profile attributes from a cache. The cache entry is generated during authentication time and populated with info from the SAML assertion.

A workaround might be to enable JiT provisioning for the IDP. Unfortunately there is still a mismatch as long as no account association is maintained in IDN_ASSOCIATED_ID.

IMO the account association should be automatically created in case a user is JiT provisioned. Not sure whether this is a bug or per design. At least there are options to work around this.
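A check for the drift described above, added here as an example and not code from the question or from WSO2: it fetches the userinfo view of a token and diffs it against the user-store view of the same user. It assumes the standard WSO2 IS userinfo path `/oauth2/userinfo`, that the caller already holds the user-store attributes (from an LDAP lookup or the SOAP validation response), and a small assumed mapping from WSO2 local claim URIs to OIDC claim names; the sample claim sets are constructed.

```python
"""Detect claim drift between the WSO2 IS userinfo endpoint and the local user store."""
import json
import urllib.request

# Assumed mapping from WSO2 local claim URIs to the OIDC claim names userinfo emits.
LOCAL_TO_OIDC = {
    "http://wso2.org/claims/emailaddress": "email",
    "http://wso2.org/claims/givenname": "given_name",
    "http://wso2.org/claims/lastname": "family_name",
}


def fetch_userinfo(base_url: str, access_token: str) -> dict:
    """Call <base_url>/oauth2/userinfo with a bearer token and return the JSON body."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/oauth2/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def diff_claims(store_claims: dict, userinfo_claims: dict, mapping=LOCAL_TO_OIDC) -> dict:
    """Compare the user-store view (local claim URIs) with the userinfo view (OIDC names).

    Returns {oidc_name: (store_value, userinfo_value)} for every mapped claim whose
    values differ; a claim present on only one side shows None for the other side.
    """
    drift = {}
    for local_uri, oidc_name in mapping.items():
        expected = store_claims.get(local_uri)
        observed = userinfo_claims.get(oidc_name)
        if expected != observed:
            drift[oidc_name] = (expected, observed)
    return drift


# Constructed sample: what the user store (SOAP/LDAP side) holds for a federated
# user versus what userinfo returns from the cache populated by the SAML assertion.
SAMPLE_STORE = {
    "http://wso2.org/claims/emailaddress": "alice@corp.example",
    "http://wso2.org/claims/givenname": "Alice",
    "http://wso2.org/claims/lastname": "Liddell",
}
SAMPLE_USERINFO = {"sub": "alice", "email": "alice@partner.example", "given_name": "Alice"}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_userinfo(...) for a live token.
    for claim, (store, info) in diff_claims(SAMPLE_STORE, SAMPLE_USERINFO).items():
        print(f"{claim}: user store={store!r} userinfo={info!r}")
```

Any non-empty result means an application trusting userinfo would see attributes that the local user store does not hold for that account.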
