NameID 元素必须作为主题的一部分出现 [英] NameID element must be present as part of the Subject
问题描述
嘿,我正在尝试使用我的服务提供商配置 IDP,但是当来自 IDP 的 saml 响应出现在我的服务提供商中时出现此错误
Hey I am trying to configure IDP with my service provider but when saml response comes from IDP I got this error in my service provider
org.opensaml.common.SAMLException:NameID 元素必须作为响应消息中主题的一部分出现,请在 IDP 配置中启用它在 org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse
org.opensaml.common.SAMLException: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse
我在 idp 中配置了 NameId - 元数据 xml
I configured NameId in idp - metadata xml
<NameID>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameID>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
here is the whole response
<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8082/saml/SSO" ID="_9129c7121ce71d24e32d5dfe527bd760" InResponseTo="a1eei99dgc9442d72a98h62i9d179j9" IssueInstant="2016-05-31T15:52:04.736Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">idp.test.com/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_4fcade81e4aae59bfa099e692158a687" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey Id="_bd99cfd23b6342cf0b4adf7fa03d203f" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>ssss</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>!!!</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedAssertion>
</saml2p:Response>
我不明白什么是 nameID 以及如何配置它我会感谢你的帮助tnx
I don' understand what is nameID and how to configure it I will appreciate your help tnx
推荐答案
在 SAML 世界中,有两种方法可以将用户的身份返回给 SP.主题区域或属性声明区域.许多较新的 SP 配置在属性声明中使用属性,但仍应填充主题区域.如果 SP 使用属性来获取用户的身份,则配置 Shibboleth 以将 transientId 返回给相关的 SP.否则,您需要参考 SP 文档/配置或元数据来确定 SP 支持哪些 NameID 格式,并配置 Shibboleth 以使用适当的格式返回适当的值.
In the SAML world there are two ways of return the user's identity to the SP. The Subject area or the Attribute Statement area. Many newer SP configurations use an attribute in the attribute statement, but the subject area should still be populated. If the SP is using an attribute to get the user's identity, then configure Shibboleth to return the transientId to the SP in question. Otherwise, you'll need to refer to the SP docs/config or metadata to determine which NameID Formats are supported by the SP and configure Shibboleth to return the appropriate value with the appropriate format.
一个很好的后续阅读是 shib-user 的线程:http://shibboleth.1660669.n2.nabble.com/No-NameID-released-td7605312.html.
A good follow-up read is a shib-user's thread: http://shibboleth.1660669.n2.nabble.com/No-NameID-released-td7605312.html.
这篇关于NameID 元素必须作为主题的一部分出现的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
