ADFS 2.0 and Shibboleth Integration


Question

Hello,

I am integrating ADFS 2.0 (Service Provider) and Shibboleth (Identity Provider) and I have managed to get one instance of Shibboleth working but get an MSIS7012 error when authenticating with a second instance from a different provider. The error appears to be related to the XML enveloped signature transform as follows:

ID8024: Element: name='ds:KeyInfo' namespace='http://www.w3.org/2000/09/xmldsig#' was encountered in an <EncryptionMethod> element: '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"></xenc:EncryptionMethod>' and was not processed

RequestFailed: TrustNamespace=http://schemas.xmlsoap.org/ws/2005/02/trust, Action=http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue, Exception=System.Xml.XmlException: 'Element' is an invalid XmlNodeType. at System.Xml.XmlReader.ReadEndElement() at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader) at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader) at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader) at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers) at

Unhandled exception in user operation 'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustFeb2005AsyncContract.BeginTrustFeb2005Issue'.</Description><Comment>User operation 'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustFeb2005AsyncContract.BeginTrustFeb2005Issue' threw an exception that is unhandled in user code. This exception will be rethrown. If this is a recurring problem, it may indicate an error in the implementation of the 'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustFeb2005AsyncContract.BeginTrustFeb2005Issue'  

MSIS3127: The specified request failed. at Microsoft.IdentityServer.Service.WSTrustProtocol.MSISWSTrustService.HandleException(Exception ex, String trustNamespace, String action, EnvelopeVersion requestEnvelopeVersion) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer

Any help or direction greatly appreciated.

Thanks 

John W


Solution

On the relying party the default is to just sign the assertions rather than the message too. Message signing refers to the XML enveloped signature. You can specify to sign the message too via the PowerShell command.

For a claim issuer like when Shibboleth is the IP, I cannot find a way to specify the message (envelope) signing in ADFS. Can you specify only assertion signing on the Shibboleth side?

Also, specify SHA-1 for signing on the claim issuer in ADFS.

Thanks,
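The two ADFS settings the answer refers to, written out as an added example (not part of the original thread). The trust display names are placeholders; the snap-in line is how the ADFS 2.0 cmdlets are loaded.

```powershell
# ADFS 2.0 ships its cmdlets as a snap-in rather than a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholder names: replace with the display names of your trusts.
$rpName = "Example Relying Party"          # SP side: where ADFS issues tokens to
$cpName = "Example Shibboleth IdP"         # claims provider side: Shibboleth IdP

# 1. Inspect the current state before changing anything.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, SamlResponseSignature, SignatureAlgorithm
Get-ADFSClaimsProviderTrust -Name $cpName |
    Select-Object Name, SignatureAlgorithm

# 2. Relying party: sign the whole SAML Response (message) as well as the
#    Assertion. The default, AssertionOnly, signs only the Assertion;
#    MessageOnly is the third accepted value.
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -SamlResponseSignature "MessageAndAssertion"

# 3. Claims provider: tell ADFS which signature algorithm the IdP signs with.
#    The answer above says SHA-1; the SHA-256 URI is
#    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 if the IdP can use it.
Set-ADFSClaimsProviderTrust -TargetName $cpName `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# 4. Re-read to confirm the change took effect.
Get-ADFSClaimsProviderTrust -Name $cpName | Select-Object Name, SignatureAlgorithm
```

The value set in step 3 must match what the Shibboleth IdP actually uses to sign, so check the IdP's signing configuration rather than guessing.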

