
TAI for MS Azure with Websphere Application Server v9 CWWSS8017E: Authentication Error

I'm trying to configure SAML between MS Azure AD and a WebSphere v9 CF11 server that's sitting in AWS. But it is not recognizing the TAI setup.

I've followed all the steps here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_enable_saml_sp_sso.html and here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html

I've installed the SAMLSA app in WebSphere, imported the metadata file provided by my Azure admin, and imported the certificate as well. I've set up the ACSTrustAssociationInterceptor interceptor and put in (what I thought was) the right sso_1.sp.acsUrl and other settings for the server.

The SystemOut logs show that the ACSTrustAssociationInterceptor is loading:

SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully

but the version is null:

SECJ0122I: Trust Association Init Interceptor signature:

After setting it all up as above, when I go to the URL it just shows:

Error 403: AuthenticationFailed

And the log has errors about a missing cookie:

SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWWSS8017E: Authentication Error: Single-Sign-on cookie is not present or could not be verified. Please login to the SAML Identity Provider, and try again.

It's like it's never "intercepted" to be passed. It just fails. No network traffic goes to the AD server.

When going to the URL it should redirect me to the MS login and then back to the app, but it's not.

It sounds like you might be missing an sso_1.sp.login.error.page property definition. Without that property, the expectation is that the user will be going to the IdP to initiate the sign on; if you define the property and set its value to your IdP's login page, then the 403 you're getting (as a result of being unauthenticated) will end up redirecting you over to the IdP to initiate the sign on process from there.

More info here in the "bookmark style" description: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/cwbs_samlssosummary.html
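As an added illustration (not part of the original answer), here are the two interceptor custom properties the answer is talking about, written out as key=value pairs as they would be entered on the ACSTrustAssociationInterceptor. The hostname, port, ACS path and tenant id are placeholders, not values from the post.

```properties
# Custom properties of com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
# (added illustration; all values below are placeholders, not from the original post)

# Assertion Consumer Service URL of this WebSphere service provider.
# Azure AD must be configured with exactly this URL as the Reply URL, otherwise
# the assertion never reaches the interceptor and no SSO cookie can be issued.
sso_1.sp.acsUrl=https://was.example.com:9443/samlsps/<ACS-PATH>

# Missing in the question's setup. Without it an unauthenticated request is
# rejected outright with "Error 403: AuthenticationFailed" and SECJ0126E /
# CWWSS8017E, because the interceptor assumes the user will start at the IdP.
# With it set to the IdP login page, the 403 becomes a redirect to the IdP
# (the "bookmark style" flow in the linked IBM documentation).
sso_1.sp.login.error.page=https://login.microsoftonline.com/<TENANT-ID>/saml2
```

After the property is set, a request to the protected URL should produce outbound traffic to the IdP; if SystemOut still logs CWWSS8017E with no IdP traffic, the interceptor is not being applied to that request at all.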
