
Recipient in SubjectConfirmationData does not match the current URL

I'm getting the following error when trying to connect to a WebSEAL SAML endpoint.

My server is set up as an SP and I am trying to authenticate against an IdP that I have set up in saml20-idp-remote.php.

The redirect works correctly but when the IDP redirects back to my SP I get the following error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Error validating SubjectConfirmation in Assertion:
 Recipient in SubjectConfirmationData does not match the current URL. 
Recipient is 'http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp', 
current URL is 
'http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'.
Backtrace:
3 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:684 (sspmod_saml_Message::processAssertion)
2 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:517 (sspmod_saml_Message::processResponse)
1 /mnt/www/html/livehappierstg/simplesaml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:134 (N/A)

How do I change the recipient URL in the subject confirmation data in my config files?

My config files are as follows.

'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'http://local.com/',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://example.com/federatedaccess/SSOConsume.do',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
)

SAML 2.0 IdP remote config

$metadata['https://example.com/federatedaccess/SSOConsume.do'] = array(
  'name' => array(
    'en' => 'My SSO',
  ),
  'description' => 'My single sign on webseal environment.',
  'ForceAuthn' => false,
  'IsPassive' => false,
  'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
  'SingleSignOnService' => 'https://example.com/federatedaccess/SSOConsume.do',
  'certificate' => 'pub.crt',
  'sign.authnrequest' => true,
  'redirect.sign' => true,
  'redirect.validate' => true,
);

Cheers

This is a problem with how the IdP is configured with your SP. It should be setting the Recipient in SubjectConfirmationData to http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp and is instead using http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp (note the saml2-acs.php vs metadata.php difference in the path).

The URL the IdP is using is the URL to retrieve your SP's metadata. It seems that instead of reading the metadata it is using that URL as the AssertionConsumerService URL.
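The following is an added example, not part of the original answer or of SimpleSAMLphp: a small diagnostic that decodes a POSTed SAMLResponse and lists the Destination and Recipient values that differ from the SP's AssertionConsumerService URL, which is the mismatch the error reports. The sample response is constructed from the two URLs in the error message, the function name is hypothetical, and an unencrypted assertion is assumed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def recipient_mismatches(saml_response_b64, acs_url):
    """Return (attribute, value) pairs that do not equal the SP's ACS URL.

    Diagnostic only: it does not verify signatures or conditions, so never
    use it to decide whether to accept an assertion.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = []
    if root.get("Destination") is not None:
        found.append(("Response/@Destination", root.get("Destination")))
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        # A missing Recipient shows up as None and is reported as a mismatch.
        found.append(("SubjectConfirmationData/@Recipient", scd.get("Recipient")))
    return [(name, value) for name, value in found if value != acs_url]

# Constructed sample response, built from the two URLs in the error message.
BASE = "http://example.com/simplesaml/module.php/saml/sp/"
ACS_URL = BASE + "saml2-acs.php/default-sp"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{BASE}saml2-acs.php/default-sp">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{BASE}metadata.php/default-sp"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for name, value in recipient_mismatches(SAMPLE_B64, ACS_URL):
        print(f"{name} = {value!r}, expected {ACS_URL!r}")
```

An empty result means every Destination and Recipient in the response already points at the ACS URL; any entry returned is a value to correct on the IdP side.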
