How do I get the OpenSSO / OpenAM Fedlet working with ADFS 2.0?
Question
I am trying to run the OpenSSO (OpenAM) Fedlet against an ADFS 2.0 server. I imported their metadata (idp.xml) and exchanged certificates with the ADFS server. I had to remove a few elements from the XML file: ClaimTypes and a few other such elements.
When I click the "Fedlet (SP) initiated" link to attempt SSO with the HTTP POST binding, I get bounced to an "HTTP Status 500 - Single Sign On failed" page.
My Fedlet runs on myServer.domain.net and the ADFS server is adfs.domain.net.
I decoded the SAML request that I send to the ADFS server:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s25420b00d06164c30c915b9f69c6e5b73408c6b27" Version="2.0" IssueInstant="2011-03-14T21:37:27Z" Destination="https://adfs.domain.net/adfs/ls/" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://myServer:8999/fedlet/fedletapplication">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">myServer.domain.net</saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="myServer.domain.net" AllowCreate="true"></samlp:NameIDPolicy>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
These are the errors and the stack trace from my JBoss log:
2011-03-14 16:22:00,330 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger access
INFO: GOT_RESPONSE_FROM_POST
{}
2011-03-14 16:22:00,331 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger error
INFO: WRONG_STATUS_CODE
{_12549e97-9ef2-49f2-a3c2-3dd40171ce8a}
{}
2011-03-14 16:22:00,331 INFO [STDOUT] ### {SAMLResponse=[Ljava.lang.String;@1d341d34}
2011-03-14 16:22:00,331 INFO [STDOUT] ### SAMLResponse:
The SAMLResponse from the ADFS server:
<samlp:Response ID="_12549e97-9ef2-49f2-a3c2-3dd40171ce8a" Version="2.0" IssueInstant="2011-03-14T21:22:38.770Z" Destination="https://myServer:8999/fedlet/fedletapplication" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="s2d4265ae10edc2e33c08dc34c248a95dd771ce4ce" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain.net/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_12549e97-9ef2-49f2-a3c2-3dd40171ce8a">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>AX/P9yGMxS6g8X5wbWqV1bbDeIxJXuHhr5OK3VJ9lzU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ViPPkKk8KLx6TUHWjaVcbiDHEBQOio7+7gJqC2lnVeT6Ja4MqrF6GtIX8MjwHAHM+s5gOcxdldPYoKNfAkh12C690BQvlWXQd0nc6NmDVNvYGSCWy2JL19wiBDoNreWO4YwCXOoeHOS/CvsxB1gE5CiyQ8BzbsIAGvH3+uIVOcOrj30SuDQkXYBqnZw5OPM9BlmG7C4UBS8wlO44Ukbvs0oqwgVxSeBk6kywBYW9PoNGCc6ViTZwhWoQYGj2dFd/k282mzaZ4cz+aHBpAYMju9QJuXPpzdtP4Ms6x8BxpBrQUwPcg9+wV+jtwCmMgarFfOWwlR00b6m64XdPK9bmJw==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate><!-- certificate omitted --></ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>
The error / stack trace:
2011-03-14 16:22:00,331 ERROR [STDERR] com.sun.identity.saml2.common.SAML2Exception: Single Sign On failed.
2011-03-14 16:22:00,331 ERROR [STDERR] at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(Unknown Source)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jsp.fedletSampleApp_jsp._jspService(fedletSampleApp_jsp.java:262)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
2011-03-14 16:22:00,331 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:332)
2011-03-14 16:22:00,331 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
2011-03-14 16:22:00,332 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
2011-03-14 16:22:00,332 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
2011-03-14 16:22:00,332 ERROR [STDERR] at java.lang.Thread.run(Thread.java:810)
Could this come from my editing of the metadata the ADFS server provided? I am having trouble figuring out where to dig from here.
Thanks,
Solution
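The response posted above carries only a top-level StatusCode of urn:oasis:names:tc:SAML:2.0:status:Responder and no Assertion, and its ID is the one the Fedlet logs under WRONG_STATUS_CODE. In SAML 2.0 a Responder status means the IdP itself refused or failed to process the request, so nothing on the SP side can turn that response into a login. The Python script below is an added example and is not part of the original question, of the Fedlet, or of ADFS: it decodes a SAMLResponse form field as posted under the HTTP-POST binding and reports status, sub-status, Issuer, Destination, InResponseTo and whether an assertion and a signature are present, together with a list of findings. The two embedded responses are constructed from the structure shown above with the signature value replaced by a placeholder; the ACS URL and request ID they are checked against are taken from the posted messages. The script does not verify the XML signature.

```python
"""Triage a SAML 2.0 Response as received at an SP's Assertion Consumer Service."""
import base64
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_post_binding(saml_response_field: str) -> str:
    """HTTP-POST binding: the SAMLResponse form field is plain base64 (no DEFLATE, unlike HTTP-Redirect)."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def triage(xml_text: str, expected_acs: str, expected_request_id: Optional[str] = None) -> dict:
    """Summarise what the IdP said. Reports whether a signature is present but does NOT verify it."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response but " + root.tag)
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    sub = code.find(SAMLP + "StatusCode") if code is not None else None
    sig_method = root.find(DS + "Signature/" + DS + "SignedInfo/" + DS + "SignatureMethod")
    info = {
        "id": root.get("ID"),
        "issuer": root.findtext(SAML + "Issuer"),
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status": code.get("Value") if code is not None else None,
        "sub_status": sub.get("Value") if sub is not None else None,
        "status_message": root.findtext(SAMLP + "Status/" + SAMLP + "StatusMessage"),
        "response_signed": sig_method is not None,
        "signature_method": sig_method.get("Algorithm") if sig_method is not None else None,
        "assertions": len(root.findall(SAML + "Assertion")) + len(root.findall(SAML + "EncryptedAssertion")),
        "findings": [],
    }
    add = info["findings"].append
    if info["status"] != SUCCESS:
        short = (info["status"] or "<missing>").rsplit(":", 1)[-1]
        add(f"IdP answered with status {short}: the SP cannot fix this, the reason is recorded on the IdP side")
        if info["status_message"] is None:
            add("no StatusMessage in the Status element, so the response itself does not say why")
    if info["status"] == SUCCESS and info["assertions"] == 0:
        add("Success status but no Assertion or EncryptedAssertion")
    if info["destination"] != expected_acs:
        add(f"Destination {info['destination']!r} differs from this SP's ACS URL {expected_acs!r}")
    if expected_request_id is not None and info["in_response_to"] != expected_request_id:
        add("InResponseTo does not match the AuthnRequest ID this SP issued")
    if not info["response_signed"]:
        add("Response element is not signed")
    return info


# Constructed sample shaped like the Responder error in the question (signature value replaced).
RESPONDER_SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_12549e97-9ef2-49f2-a3c2-3dd40171ce8a" '
    'Version="2.0" IssueInstant="2011-03-14T21:22:38.770Z" Destination="https://myServer:8999/fedlet/fedletapplication" '
    'InResponseTo="s2d4265ae10edc2e33c08dc34c248a95dd771ce4ce">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain.net/adfs/services/trust</Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>'
    '</samlp:Response>'
)
# Constructed sample of what a working exchange returns: Success plus an (abbreviated) assertion.
SUCCESS_SAMPLE = RESPONDER_SAMPLE.replace(
    "urn:oasis:names:tc:SAML:2.0:status:Responder", SUCCESS
).replace(
    "</samlp:Status>",
    '</samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" '
    'IssueInstant="2011-03-14T21:22:38.770Z"><saml:Issuer>http://adfs.domain.net/adfs/services/trust</saml:Issuer>'
    "</saml:Assertion>",
)
ACS = "https://myServer:8999/fedlet/fedletapplication"          # from the posted AuthnRequest
REQUEST_ID = "s2d4265ae10edc2e33c08dc34c248a95dd771ce4ce"      # InResponseTo of the posted Response
RESPONDER_B64 = base64.b64encode(RESPONDER_SAMPLE.encode()).decode()  # what the browser would POST

if __name__ == "__main__":
    for name, xml in (("responder", RESPONDER_SAMPLE), ("success", SUCCESS_SAMPLE)):
        report = triage(xml, ACS, REQUEST_ID)
        print(name, report["status"], report["assertions"], "assertion(s)")
        for line in report["findings"]:
            print("  -", line)
```

Run it as a script to print both reports. When the status is Responder, as in the posted exchange, the response does not contain the reason; on ADFS 2.0 it is recorded in the AD FS 2.0 Admin event log on the ADFS server, which names the relying party and the check that failed. Before trusting anything beyond the status, the Response or Assertion signature has to be verified against the IdP certificate from the imported metadata, which this script deliberately leaves to the SP.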
Have you read through Creating a Virtual Organization That Uses Federated Identity Services with OpenSSO and Microsoft Active Directory Federation Services?
The details are in the white paper below.
The OpenSSO instructions are here: WS-Federation Operations