SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration


Question

I am using the spring-saml implementation. In the class WebSSOProfileConsumerImpl, I could find the following lines of code, which check for nameId in the assertion of the SAML response.

// Subject must carry either an EncryptedID (decrypted with the SP's local decrypter)
// or a plain NameID; an attribute-carried NameID is not consulted here.
NameID nameID;
if (subject.getEncryptedID() != null) {
    Assert.notNull(context.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context");
    nameID = (NameID) context.getLocalDecrypter().decrypt(subject.getEncryptedID());
} else {
    nameID = subject.getNameID();
}

Based on the code, it's clear that the nameId should be part of the subject. But most of the IDPs, including the one that I am using, mention that nameId could be part of the subject/attribute. It seems that there are a few implementations which accept nameId in the subject, just like SimpleSAMLPHP.

The subject which I am receiving is as follows and does not have nameId enclosed:

<saml2:Subject>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">  
    <saml2:SubjectConfirmationData Address="91.X.X.X" InResponseTo="XXXX" NotOnOrAfter="2014-10-10T10:34:26.619Z" Recipient="http://localhost:8080/XXXX/saml/SSO"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>

However, there is an attribute which has a nameId as its attribute value. Why can't this be used instead of the one in the subject?

<saml2:Attribute FriendlyName="testID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://XXXX/idp/shibboleth" SPNameQualifier="urn:XX:XX:XX">XXXXXXXXXXXXXXXXX=
      </saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>

Can anyone explain the reason behind nameId being part of only the subject in the spring-saml implementation?

@vschafer Is there a way of customizing the securityContext.xml to choose the nameId which is part of a specific attribute and not the one from the subject?
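A quick triage script for this exception, added here as an example and not part of the original question or of Spring SAML: it parses the Subject and Attribute fragments from the question (reassembled into a minimal constructed Assertion, with a trimmed attribute set) and reports whether the NameID sits under Subject, as WebSSOProfileConsumerImpl requires, or only inside an AttributeValue as this IdP sends it. Function names are my own.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed assertion: the Subject and the attribute-carried NameID as shown in the
# question. Placeholder values (XXXX) are kept as in the question.
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="XXXX" Recipient="http://localhost:8080/XXXX/saml/SSO"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="testID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml2:AttributeValue>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">XXXXXXXXXXXXXXXXX=</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def locate_name_id(assertion_xml: str) -> dict:
    """Report where the assertion carries its NameID, mirroring the order of checks
    WebSSOProfileConsumerImpl makes on the Subject: EncryptedID first, then NameID."""
    root = ET.fromstring(assertion_xml)
    result = {"subject_name_id": None, "subject_encrypted_id": False,
              "attribute_name_ids": [], "spring_saml_accepts": False}
    subject = root.find("saml2:Subject", NS)
    if subject is not None:
        if subject.find("saml2:EncryptedID", NS) is not None:
            # Element is present; Spring SAML still needs a local decrypter to use it.
            result["subject_encrypted_id"] = True
            result["spring_saml_accepts"] = True
        nid = subject.find("saml2:NameID", NS)
        if nid is not None:
            result["subject_name_id"] = (nid.text or "").strip()
            result["spring_saml_accepts"] = True
    # NameIDs wrapped in AttributeValue are recorded but never satisfy the Subject check.
    for attr in root.iterfind(".//saml2:Attribute", NS):
        for nid in attr.iterfind("saml2:AttributeValue/saml2:NameID", NS):
            result["attribute_name_ids"].append((attr.get("Name"), (nid.text or "").strip()))
    return result


def diagnose(assertion_xml: str) -> str:
    r = locate_name_id(assertion_xml)
    if r["spring_saml_accepts"]:
        return "OK: Subject carries a NameID or EncryptedID"
    where = ", ".join(name for name, _ in r["attribute_name_ids"]) or "nowhere"
    return f"Spring SAML will reject this: NameID missing from Subject (found only in attribute(s): {where})"
```

Run `diagnose(ASSERTION)` on the IdP's assertion to confirm the rejection before opening a ticket with the IdP operator or Spring SAML.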

Answer

Spring SAML currently requires NameID to be present. Changing this would require code changes and cannot be currently done with configuration only. Please feel free to open a feature request for changing this in Spring SAML Jira.
