SAP SAML authentication doesn't accept WS-TRUST URI token


Problem description

We have an SSO setup between SAP Netweaver and ADFS (acting as the STS). So, some user will log in on a custom ASP.Net application and this application will request a SAML assertion from ADFS to access the SAP system.

The thing is that according to SAP documentation the relying party identifier of the SAP system is not a URL (it's just a name), and that way it is specified in ADFS (e.g. SAPSYSTEMRPID).

How on earth can I get a token issued using WS-TRUST (which is what ADFS provides) when the AppliesTo field requires a URI? Is there a default scheme, some convention?

I've been beating my head against the table for days now; I am obviously missing something.

Recommended answer

Well, to close my own question after so much.

In the end the problem was ADFS naming of Relying Parties; once we switched the name to a URL (which took some convincing) it started working.

ADFS should be string in the name format for the RP identifier.
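
The request discussed above, as an added example (not code from the original post): a WS-Trust 1.3 Issue request from a .NET 4.5+ client in which AppliesTo carries the relying party identifier, with a check that the identifier is an absolute URI before the request is built. The AD FS host name, the relying party URL, the use of the username/password endpoint and the `SapTokenClient` helper are assumptions.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

static class SapTokenClient
{
    // Assumed values: replace with your AD FS host and with the identifier
    // registered in AD FS for the SAP relying party (a URL, per the answer).
    const string StsEndpoint =
        "https://adfs.example.com/adfs/services/trust/13/usernamemixed";
    const string SapRelyingParty = "https://sap.example.com/SAPSYSTEMRPID";

    public static SecurityToken RequestToken(string user, string password)
    {
        // AppliesTo is a WS-Addressing endpoint reference, so a bare name
        // such as "SAPSYSTEMRPID" cannot be used. Fail early, before the STS call.
        Uri rp;
        if (!Uri.TryCreate(SapRelyingParty, UriKind.Absolute, out rp))
            throw new ArgumentException(
                "Relying party identifier must be an absolute URI: " + SapRelyingParty);

        // Transport security (HTTPS) with a username credential in the message.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            // The same string that is registered as the RP identifier in AD FS.
            AppliesTo = new EndpointReference(SapRelyingParty)
        };

        RequestSecurityTokenResponse rstr;
        SecurityToken token = factory.CreateChannel().Issue(rst, out rstr);
        factory.Close();
        return token;
    }
}
```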
