
Using SimpleSAML as SP and IdP for a development environment

I am trying to authenticate with SAML in my web application.

I followed the IdP quickstart and SP quickstart user guides, and the configuration below fails with:

Backtrace:
1 /app_path/application/lib/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /app_path/application/lib/simplesamlphp/lib/SAML2/Binding.php:81 (SAML2_Binding::getCurrentBinding)
1 /app_path/application/lib/simplesamlphp/modules/saml/lib/IdP/SAML2.php:266 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /app_path/application/lib/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

Setup:

  • My application runs locally under the host trunk.sam.net
  • SimpleSAML, the SP, is included in the application as a library and is reachable at trunk.sam.net/simplesaml
  • SimpleSAML, the IdP, is installed locally and runs at auth.sam.net

Both SimpleSAML instances actually use the same code and configuration files (they share the same document root).

Configuration:

config.php file

'enable.saml20-idp'     => true,
'enable.shib13-idp'     => true,

authsources.php

'default-sp-trunk.sam.net' => array(
    'saml:SP',
    'entityID'    => 'http://trunk.sam.net',
    'idp'         => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
    'ssoPortalUrl'=> 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
    'bkmapping'   => array(
        'login'     => 'uid',
        'eMail'     => 'mail'
    )
),


'example-userpass' => array(
    'exampleauth:UserPass',
    'shf:pwd' => array(
        'uid' => array('shf'),
        'eduPersonAffiliation' => array('mail', 'shf@bk-soft.com')
    ),
    'shl:pwd' => array(
        'uid' => array('shl')
    ),
),

saml20-IDP-hosted.php

$metadata['__DYNAMIC:1__'] = array(
/*
 * The hostname for this IdP. This makes it possible to run multiple
 * IdPs from the same configuration. '__DEFAULT__' means that this one
 * should be used by default.
 */
'host' => '__DEFAULT__',

/*
 * The private key and certificate to use when signing responses.
 * These are stored in the cert-directory.
 */
'privatekey' => 'server.pem',
'certificate' => 'server.crt',

/*
 * The authentication source which should be used to authenticate the
 * user. This must match one of the entries in config/authsources.php.
 */
'auth' => 'example-userpass',

/*
 * The interoperable SAML 2 profile specifies that attributes should be delivered using the urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat. 
 * We therefore recommended enabling this in new installations. This can be done by adding the following to the saml20-idp-hosted configuration:
 */
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
    // Convert LDAP names to oids.
    100 => array('class' => 'core:AttributeMap', 'name2oid'),
),

);

saml20-IDP-remote.php

$metadata['http://auth.sam.net/simplesaml/saml2/idp/metadata.php'] = array (
    'entityid' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
    'contacts' => array (
        0 => array (
            'contactType' => 'technical',
            'surName' => 'Administrator',
            'emailAddress' => array (0 => 'support@bluekiwi-software.com'),
        ),
    ),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => array (
        0 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
        ),
    ),
    'SingleLogoutService' => array (
        0 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SingleLogoutService.php',
        ),
    ),
    'ArtifactResolutionService' => array (
    ),
    'keys' => array (
        0 => array (
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            // the signing certificate value is missing from the copy of this post
            'X509Certificate' => 'SIGNING_CERTIFICATE_OMITTED',
        ),
        1 => array (
            'encryption' => true,
            'signing' => false,
            'type' => 'X509Certificate',
            'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
        ),
    ),
);

saml20-SP-remote.php

$metadata['http://trunk.sam.net'] = array (
  'AssertionConsumerService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp-trunk.sam.net',
  'SingleLogoutService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp-trunk.sam.net',
);

Can anyone point out what I am doing wrong?

Am I missing a configuration entry/file?

Should I use separate simplesaml installations?

Thanks for your advice
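The exception at the top of the backtrace, "Unable to find the current binding", is thrown by SAML2_Binding::getCurrentBinding() when the request that reached SSOService.php carries none of the SAML binding markers. As an added illustration (this is not SimpleSAMLphp's own code and not part of the question), the function below reimplements that selection rule in simplified form and runs it over three constructed requests; the function name detectSamlBinding, the sample parameter values and the printed layout are assumptions.

```php
<?php
declare(strict_types=1);

// Simplified version of the rule SAML2_Binding::getCurrentBinding() applies
// (added example, not the library's code): decide the SAML binding from the
// HTTP method, the query/POST parameters and the Content-Type header only.
function detectSamlBinding(string $method, array $get, array $post, string $contentType = ''): string
{
    if ($method === 'GET') {
        // HTTP-Redirect carries the deflated message in the query string
        if (isset($get['SAMLRequest']) || isset($get['SAMLResponse'])) {
            return 'HTTP-Redirect';
        }
        if (isset($get['SAMLart'])) {
            return 'HTTP-Artifact';
        }
    } elseif ($method === 'POST') {
        // HTTP-POST carries the base64 message in a form field
        if (isset($post['SAMLRequest']) || isset($post['SAMLResponse'])) {
            return 'HTTP-POST';
        }
        if (isset($post['SAMLart'])) {
            return 'HTTP-Artifact';
        }
        // SOAP is recognised from the content type alone
        $type = strtolower(trim(explode(';', $contentType)[0]));
        if ($type === 'text/xml' || $type === 'application/soap+xml') {
            return 'SOAP';
        }
    }
    // Nothing matched: this is the message seen in the backtrace above
    throw new Exception('Unable to find the current binding.');
}

// Constructed requests for demonstration (the parameter values are not real SAML messages).
$cases = [
    // 1. the SP's AuthnRequest redirect: SSOService.php?SAMLRequest=...
    ['GET',  ['SAMLRequest' => base64_encode('constructed-authnrequest')], [], ''],
    // 2. a browser or health check opening SSOService.php with no SAML parameter
    ['GET',  [], [], ''],
    // 3. a response delivered with the HTTP-POST binding
    ['POST', [], ['SAMLResponse' => base64_encode('constructed-response')], 'application/x-www-form-urlencoded'],
];

foreach ($cases as [$method, $get, $post, $ctype]) {
    $shown = json_encode(array_keys(array_merge($get, $post)));
    try {
        printf("%-4s params=%-18s -> %s\n", $method, $shown, detectSamlBinding($method, $get, $post, $ctype));
    } catch (Exception $e) {
        printf("%-4s params=%-18s -> %s\n", $method, $shown, $e->getMessage());
    }
}
```

Run with the PHP CLI, the first and third requests resolve to HTTP-Redirect and HTTP-POST, while the second reproduces the exception. So before touching the metadata, it is worth confirming in the IdP's web server access log whether the request that hit SSOService.php actually carried a SAMLRequest query parameter: a direct hit on the endpoint, or a redirect that lost its query string on the way between the two hostnames, produces exactly this backtrace regardless of how correct the configuration files are.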

The problem was that the SP and IdP need two different simplesaml installations. I copied the source to another folder, edited the vhost I use for the IdP (auth.sam.net), and everything works. The configuration was fine.
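One way to set up the two separate copies the answer describes, as an added example that is not part of the post: two Apache 2.4 virtual hosts, each pointing at its own SimpleSAMLphp checkout, so the SP on trunk.sam.net and the IdP on auth.sam.net no longer share a document root, config/ directory or cert/ directory. The hostnames and the /app_path/... location come from the question; the IdP path /opt/simplesamlphp-idp and the application document root are assumptions.

```apache
# SP side: the application on trunk.sam.net with its bundled SimpleSAMLphp copy.
# Paths under /app_path are taken from the backtrace; the DocumentRoot is assumed.
<VirtualHost *:80>
    ServerName trunk.sam.net
    DocumentRoot /app_path/application/public
    # point the SP copy at its own config directory
    SetEnv SIMPLESAMLPHP_CONFIG_DIR /app_path/application/lib/simplesamlphp/config
    Alias /simplesaml /app_path/application/lib/simplesamlphp/www
    <Directory /app_path/application/lib/simplesamlphp/www>
        Require all granted
    </Directory>
</VirtualHost>

# IdP side: a second, independent checkout (assumed path) for auth.sam.net.
<VirtualHost *:80>
    ServerName auth.sam.net
    DocumentRoot /opt/simplesamlphp-idp/www
    SetEnv SIMPLESAMLPHP_CONFIG_DIR /opt/simplesamlphp-idp/config
    Alias /simplesaml /opt/simplesamlphp-idp/www
    <Directory /opt/simplesamlphp-idp/www>
        Require all granted
    </Directory>
</VirtualHost>
```

With this layout each copy gets its own config/config.php (with its own 'baseurlpath' and 'secretsalt') and its own cert/ directory, so the IdP's signing key never sits inside the application tree, and 'enable.saml20-idp' can be left at true only in the IdP copy, which keeps the SP host from exposing IdP endpoints it does not need.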

What does your simpleSAML IdP authenticate against? AD?

Do you just want your application to authenticate against the IdP's user store?

Why do you need a simpleSAML SP?

Can your application authenticate directly against the simpleSAML IdP?

You normally use a simpleSAML SP like this:

AD <- ADFS <- simpleSAML SP <- SAML application.


Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.

粵ICP備18138465號  © 2020-2024 STACKOOM.COM