WSO2 Identity Server 5.0.0 fails to return user claims in SAMLResponse for user from secondary user store


Problem description

I have this problem when using SAML SSO authentication. I have successfully set up the WSO2IS 5.0.0 Identity Server, and I also succeeded (at least I hope so) in setting up a secondary user store. I used the JDBCUserStoreManager implementation. I have set this store as DOMAIN. This user store works nicely, at least I think it does, because it is storing user attributes into its tables (USER_ATTRIBUTES) and those attributes are read by the WSO2IS administration ...

https://localhost:9443/carbon/userprofile/edit.jsp?username=DOMAIN/demo_jbu&profile=default&fromUserMgt=true

Users are identified as DOMAIN/username, so when I want to log in a user from this DOMAIN, the request goes to my AUTHENTICATOR implementation so I can manage authentication for users from this domain.

What is strange is that if I use the WSO2IS administration pages, I can set and read users' attributes well. And if I use SAML SSO authentication (I have already set up the service provider and claim mappings) for users from the PRIMARY domain, everything goes fine and calling the SP gets all attributes, mapped in the WSO2IS administration here:

https://localhost:9443/carbon/application/configure-service-provider.jsp

If I use SAML SSO authentication but I want to log in a user from my DOMAIN, the SP doesn't get anything.

I can override this behavior in DefaultResponseBuilder; I can put anything I want into the SAMLResponse, but I don't feel this approach is OK. Can anyone tell me where to look for an error? What may be wrong? Where should I start looking for problems? I have already tried to debug it, and it seems it (SAML SSO/AUTHENTICATOR) doesn't find any claims for the DOMAIN user.

Thank you in advance.

Joseph

Recommended answer

I think this is a bug in Identity Server 5.0.0. When you are using SAML2 SSO, a user can log in to the Identity Server with both a username with the domain name and a username without the domain name. Basically bob and foo.com/bob must both work and return the bob user's attributes from the foo.com user store. However, there is an issue with IS 5.0.0: if a secondary user store user logs in without the domain name, the Identity Server does not return the user attributes. But please try to log in with foo.com/bob; then it would return the user's attributes.

You can find the public JIRA. It contains a source diff. It must be a simple fix, and you can even compile the source and add the fix into the Identity Server.
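As an added example that is not part of the question or the answer, the following Python check decodes a SAMLResponse as the SP receives it and lists which expected claims are missing from the AttributeStatement, which is how one would confirm the reported difference between a bare-username login and a domain-qualified one. The claim URIs, the unsigned sample responses and all helper names are constructed for this illustration and are not WSO2 code.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespace URIs.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URIs the SP expects to receive; assumed for this example.
EXPECTED = ["http://wso2.org/claims/emailaddress",
            "http://wso2.org/claims/givenname"]

def extract_claims(saml_response_b64):
    """Decode a base64 SAMLResponse (as posted to the SP) and return
    (subject NameID, {claim URI: [values]}). Signature validation is out
    of scope here; this only shows which claims the IdP actually sent."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return (name_id.text if name_id is not None else None), claims

def missing_claims(claims, expected=EXPECTED):
    """Expected claim URIs that are absent or empty in the response."""
    return sorted(name for name in expected if not claims.get(name))

def build_response(name_id, attributes):
    """Constructed, unsigned sample Response for demonstration only."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for n, v in attributes.items())
    stmt = f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>" if attrs else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_r1" Version="2.0"><saml:Assertion ID="_a1" Version="2.0">'
           f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
           f"{stmt}</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

# Constructed responses mirroring the two logins described in the answer:
# the domain-qualified login carries claims, the bare username does not.
WITH_DOMAIN = build_response("foo.com/bob", {EXPECTED[0]: "bob@foo.com",
                                             EXPECTED[1]: "Bob"})
WITHOUT_DOMAIN = build_response("bob", {})

if __name__ == "__main__":
    for label, resp in (("foo.com/bob", WITH_DOMAIN), ("bob", WITHOUT_DOMAIN)):
        subject, claims = extract_claims(resp)
        print(label, "->", subject, "missing:", missing_claims(claims))
```

Against a real deployment, feed `extract_claims` the `SAMLResponse` form field captured at the SP for each login and compare the two `missing_claims` lists.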
