自定义 SAML 应用程序的 AWS SSO“无访问错误”
[英]AWS SSO 'no access error' with Custom SAML application
问题描述
I am trying to setup a Custom SAML 2.0 application with AWS SSO.
我正在尝试使用 AWS SSO 设置自定义 SAML 2.0 应用程序。 However I have the following error from.network tab:但是,我在 .network 选项卡中出现以下错误:
Status code 403
{"message":"No access","__type":"com.amazonaws.switchboard.portal#ForbiddenException"}
And this one displayed in the UI:这个显示在 UI 中:
Two considerations that might cause this error:可能导致此错误的两个注意事项:
- My SP testing server is running in localhost我的 SP 测试服务器在 localhost 中运行
- I am using self-signed certificates:我正在使用自签名证书:
openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=localhost:9000"
If this still does not tell you anything then I will describe more below.如果这仍然不能告诉您任何信息,那么我将在下面进行更多描述。
More details更多细节
This is the server code which is from the the library I am using这是来自我正在使用的库的服务器代码
func hello(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "cn"))
}
func main() {
keyPair, err := tls.LoadX509KeyPair("myservice.cert", "myservice.key")
if err != nil {
panic(err) // TODO handle error
}
keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
if err != nil {
panic(err) // TODO handle error
}
idpMetadataURL, err := url.Parse("https://portal.sso.<my aws region>.amazonaws.com/saml/metadata/<some jewbrish id>")
if err != nil {
panic(err) // TODO handle error
}
idpMetadata, err := samlsp.FetchMetadata(context.Background(), http.DefaultClient,
*idpMetadataURL)
if err != nil {
panic(err) // TODO handle error
}
rootURL, err := url.Parse("http://localhost:9000")
if err != nil {
panic(err) // TODO handle error
}
samlSP, _ := samlsp.New(samlsp.Options{
URL: *rootURL,
Key: keyPair.PrivateKey.(*rsa.PrivateKey),
Certificate: keyPair.Leaf,
IDPMetadata: idpMetadata,
})
app := http.HandlerFunc(hello)
http.Handle("/hello", samlSP.RequireAccount(app))
http.Handle("/saml/", samlSP)
http.ListenAndServe(":8000", nil)
}
This server expose an endpoint where the IDP can get fetch my auto generated metadata.该服务器公开了一个端点,IDP 可以在其中获取我自动生成的元数据。
curl -o metadata.xml http://localhost:9000/saml/metadata
Those are my metadata:这些是我的元数据:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-09-13T03:37:23.951Z" entityID="http://localhost:9000/saml/metadata">
<SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2021-09-13T03:37:23.951204335Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>xxxxxxxxxx</X509Certificate>
</X509Data>
</KeyInfo>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/saml/slo" ResponseLocation="http://localhost:9000/saml/slo"></SingleLogoutService>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/saml/acs" index="1"></AssertionConsumerService>
</SPSSODescriptor>
</EntityDescriptor>
I have uploaded those into AWS SSO and it correctly parsed it, the following in the configuration of my AWS SSO Custom application:我已将这些上传到 AWS SSO 并正确解析了它,以下是我的 AWS SSO 自定义应用程序的配置:
When I hit the localhost:9000/hello the application will be successfully redirected to the AWS SSO login console, but the that error happens.当我点击localhost:9000/hello时,应用程序将成功重定向到 AWS SSO 登录控制台,但会发生该错误。 I have also tested the application using this website: https://samltest.id/upload.php and it worked fine.我还使用此网站测试了该应用程序: https://samltest.id/upload.php并且运行良好。
3 个解决方案
解决方案1
6 已采纳 2021-09-29 00:48:07
I have found the solution, the problem was in the attributes mapping, this is the configuration I had to use in order to make it work.我找到了解决方案,问题出在属性映射中,这是我必须使用的配置才能使其正常工作。
Note the transient format option , in my previous configuration it was unspecified注意transient格式选项,在我以前的配置中它是unspecified的
解决方案2
1 2021-09-28 14:51:19
I had the same issue.我遇到过同样的问题。 The problem was my Service Provider configuration entityId didn't end in a "/", but my "Application SAML audience" on the AWS SSO page did end in a "/".问题是我的服务提供商配置 entityId 没有以“/”结尾,但我在 AWS SSO 页面上的“应用程序 SAML 受众”确实以“/”结尾。
Even when I removed the "/" from my Application SAML Audience, I needed a "/" on the SP configuration.即使我从我的应用程序 SAML 受众中删除了“/”,我也需要在 SP 配置上使用“/”。
解决方案3
0 2022-03-31 14:18:02
Another cause of this helpful error can be if the ACS URL is not correct;此有用错误的另一个原因可能是 ACS URL 不正确; in the configuration of a SAML app you specify an ACS URL 'Assertion Consumer Service' which is the callback once you obtain the assertion.在 SAML 应用程序的配置中,您指定一个 ACS URL 'Assertion Consumer Service',这是您获得断言后的回调。
With Cognito/ALB/SSO setup this URL should end with saml2/idpresponse;使用 Cognito/ALB/SSO 设置,此 URL 应以 saml2/idpresponse 结尾; something like https ://idp.mydomain.com/ saml2/idpresponse类似于https : //idp.mydomain.com/saml2/idpresponse
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.