WSO2 IS和simplesamlphp
[英]WSO2 IS and simplesamlphp
问题描述
I am trying to get the WSO2 Identity Server (4.0.0) to authenticate simplesamlphp (1.10.0) sessions. 
我正在尝试获取WSO2身份服务器(4.0.0)来验证simplesamlphp(1.10.0)会话。
The WSO2 IS host is running @ https://sim2:9443/ # IdP server. WSO2 IS主机正在运行@ https://sim2:9443/ #IdP服务器。
The simplesamlphp scripts are running @ http://dellperf1/simplesaml/ # Configured as SP simplesamlphp脚本正在运行@ http://dellperf1/simplesaml/ #配置为SP
Configuration 组态
On the the WSO2 end, I have configured an Issuer as follows: 在WSO2端,我已配置发布者,如下所示:
wso2 IS Issuer Configuration wso2 IS发行者配置
I have configured some users, both by using the "Add User" under configure -> User and Roles and by "Sign Up" function on the WSO2 IS homepage. 我已经通过使用configure-> User and Roles下的“ Add User”和WSO2 IS主页上的“ Sign Up”功能来配置了一些用户。
I have configured simplesamlphp as follows - 我已经如下配置了simplesamlphp-
config/authsources.php config / authsources.php
entityID matches "Issuer" in the WSO2 config - it's my company name, so I've obscured it. 在WSO2配置中,entityID与“ Issuer”匹配-这是我的公司名称,因此我将其掩盖了。
14 // An authentication source which can authenticate against both SAML 2.0
15 // and Shibboleth 1.3 IdPs.
16 'default-sp' => array(
17 'saml:SP',
18
19 // The entity ID of this SP.
20 // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
21 'entityID' => '$ISSUER HIDDEN',
22
23 // The entity ID of the IdP this should SP should contact.
24 // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
25 // 'idp' => NULL,
26
27 // The URL to the discovery service.
28 // Can be NULL/unset, in which case a builtin discovery service will be used.
29 // 'discoURL' => NULL,
30 'privatekey' => 'saml.pem',
31 'certificate' => 'saml.crt',
32 ),
metadata/saml20-idp-remote.php 元数据/saml20-idp-remote.php
93 /*
94 * $MY IdP
95 */
96
97 $metadata['https://sim2.FQDN:9443'] = array(
98 'name' => array(
99 'en' => '$company IdP test server',
100 ),
101 'description' => 'WSO2 ID Server',
102 'SingleSignOnService' => 'https://sim2:9443/samlsso',
103 'SingleLogoutService' => 'https://sim2:9443/samlsso',
104 //'certFingerprint' => '04b3b08bce004c27458b3e85b125273e67ef062b'
105 'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d'
106
107 );
Whenever I visit http://dellperf1/simplesaml/ , select the Authentication tab -> Test Authentication sources -> default-sp and select "$company IdP test server", I am correctly redirected to the wso2 server and presented with the "SAML 2.0 based Single Sign-On" page. 每当我访问http://dellperf1/simplesaml/ ,选择“身份验证”选项卡->“测试身份验证源”->“ default-sp”,然后选择“ $ company IdP测试服务器”,我就会正确地重定向到wso2服务器并显示“ SAML”基于2.0的“单一登录”页面。
This is where I hit problems. 这是我遇到问题的地方。 I don't seem to be able to authenticate using any user I have created, either using Add User, or Sign up. 我似乎无法使用创建的任何用户进行身份验证,无论是使用“添加用户”还是“注册”。
I only get the following in the Carbon logs: 我仅在Carbon日志中得到以下内容:
[2013-01-29 11:36:57,269] WARN {org.wso2.carbon.identity.sso.saml.processors.AuthnRequestProcessor} - Authentication Failure, invalid username or password.
The users are in the default profile, which has the following configured as roles: "identity,everyone". 用户位于默认配置文件中,该配置文件将以下角色配置为角色:“身份,每个人”。
If I try to log in using the (default) admin:admin password, I seem to be able to authenticate, but simplesamlphp throws an exception: 如果我尝试使用(默认)admin:admin密码登录,我似乎可以进行身份验证,但是simplesamlphp会引发异常:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /var/simplesamlphp/lib/SAML2/Binding.php:95 (SAML2_Binding::getCurrentBinding)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:11 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)
I think I am hitting two issues here: 我想在这里遇到两个问题:
1) The users I am creating are unable to be authenticated using SAML - whereas the admin user can be. 1)我正在创建的用户无法使用SAML进行身份验证-而管理员用户可以。 Why might this be? 为什么会这样呢? Profiles or policy issues? 个人资料或政策问题?
2) Even if I could authenticate with a users I have created, other than admin, would I get the same Binding backtrace? 2)即使我可以用我创建的用户(而不是admin)进行身份验证,我也会得到相同的绑定回溯吗?
I have seen some traffic on the wso mailing lists in December 2012 around the binding WSO2 IS supports - am I fighting a losing battle here? 我在2012年12月的wso邮件列表上看到了一些具有约束力的WSO2 IS支持的访问量-我在这里与失败的战斗进行斗争吗?
If simplesamlphp and WSO2 IS won't currently play well together, can someone from the WSO2 crowd suggest a simple method for testing SAML-2.0 against their IS? 如果simplesamlphp和WSO2 IS目前无法很好地配合使用,WSO2人群中是否有人可以提出一种针对其IS测试SAML-2.0的简单方法?
1 个解决方案
解决方案1
1 2013-07-09 09:39:00
If User can not login, it means that you have not configure login permission to that user... Please assign login permission to "everyrole" and check.. 如果“用户无法登录”,则表示您尚未配置该用户的登录权限...请为“ everyrole”分配登录权限并进行检查。
I guess one of my friend has tried the simplesamlphp integration with WSO2 Identity server, Please find blog post that he has written from there [1]. 我想我的一位朋友已经尝试过与WSO2身份服务器进行simplesamlphp集成,请从那里找到他写的博客文章[1]。 I guess this would help you. 我想这对您有帮助。
[1] http://blog.facilelogin.com/2013/06/wso2-identity-server-saml2-idp-with.html [1] http://blog.facilelogin.com/2013/06/wso2-identity-server-saml2-idp-with.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.