¿Cómo obtengo el funcionamiento de OpenSso/ Openam Fedlet con ADFS 2.0?

StackOverflow https://stackoverflow.com/questions/5305123

  •  24-10-2019
  •  | 
  •  

Pregunta

Estoy tratando de obtener el Fedlet OpenSSO (Openam) en funcionamiento contra un servidor ADFS2.0. Recibí su importación de sus metadatos (idp.xml) e intercambié certificados con el servidor ADFS. Tuve que eliminar algunos elementos del archivo XML; Ridingstys y algunos otros elementos de este tipo.

Cuando hago clic en el enlace "Ejecutar Fedlet (SP) iniciado de inicio de sesión único usando HTTP Post Binding" para intentar un SSO, me rebotan a una página "HTTP Status 500 - Single Sign On Failed".

Mi fedlet se está ejecutando en myserver.domain.net y el servidor ADFS es adfs.domain.net.

He decodificado la solicitud SAML que estoy haciendo al servidor ADFS:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s25420b00d06164c30c915b9f69c6e5b73408c6b27" Version="2.0" IssueInstant="2011-03-14T21:37:27Z" Destination="https://adfs.domain.net/adfs/ls/" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://myServer:8999/fedlet/fedletapplication">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">myServer.domain.net</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="myServer.domain.net" AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Estos son los errores y el rastro de la pila de mi registro JBoss:

2011-03-14 16:22:00,330 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger access
INFO: GOT_RESPONSE_FROM_POST
{}
2011-03-14 16:22:00,331 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger error
INFO: WRONG_STATUS_CODE
{_12549e97-9ef2-49f2-a3c2-3dd40171ce8a}
{}
2011-03-14 16:22:00,331 INFO  [STDOUT] ### {SAMLResponse=[Ljava.lang.String;@1d341d34}\
2011-03-14 16:22:00,331 INFO  [STDOUT] ### SAMLResponse:

El SamlResponse del servidor ADFS: 

<samlp:Response ID="_12549e97-9ef2-49f2-a3c2-3dd40171ce8a" Version="2.0" IssueInstant="2011-03-14T21:22:38.770Z" Destination="https://myServer:8999/fedlet/fedletapplication" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="s2d4265ae10edc2e33c08dc34c248a95dd771ce4ce" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain.net/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_12549e97-9ef2-49f2-a3c2-3dd40171ce8a">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>AX/P9yGMxS6g8X5wbWqV1bbDeIxJXuHhr5OK3VJ9lzU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ViPPkKk8KLx6TUHWjaVcbiDHEBQOio7+7gJqC2lnVeT6Ja4MqrF6GtIX8MjwHAHM+s5gOcxdldPYoKNfAkh12C690BQvlWXQd0nc6NmDVNvYGSCWy2JL19wiBDoNreWO4YwCXOoeHOS/CvsxB1gE5CiyQ8BzbsIAGvH3+uIVOcOrj30SuDQkXYBqnZw5OPM9BlmG7C4UBS8wlO44Ukbvs0oqwgVxSeBk6kywBYW9PoNGCc6ViTZwhWoQYGj2dFd/k282mzaZ4cz+aHBpAYMju9QJuXPpzdtP4Ms6x8BxpBrQUwPcg9+wV+jtwCmMgarFfOWwlR00b6m64XdPK9bmJw==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>MIIC2DCCAcCgAwIBAgIQE8jPCJT5aIVMphr1XJ3sNDANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBhZGZzLm1tcGxwLm5ldDAeFw0xMDExMzAyMjAzMDVaFw0xMTExMzAyMjAzMDVaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGFkZnMubW1wbHAubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvl/P5VDzs+hpXiStYihulMkz+iR6LjDSy5sxjePEylM2XbYxMJJIuUhvHq86sb4FKiTZWAzh9VkDLvee8j+KDwuYR3yQ0VDteD/ig/hSN5ehpzijPOLhTh+7DbUqVzcXKdrhVXfhvybfeDSNEAY424h+rusdj+hIn0ggrn+rwXhC6satnbZvxhbUssiRFAEXdDKNuakpywZUw97XjTUBxm6E6GwoCznQX/wk6F82z0AkcGUV9pUOs83aPA97DBjq4oGCt+uqVUtO/KauFmydtVojU7RyYsoPOguPEOODOACd7tnag/6qyPZEroHk8OU7VdzjGg2ItXOAYlDV3HTb1QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBwACOtAkh4rngQCWf98Lsu0GuvzIhVJ+RO+Jlwc058FOXT+whyHyEJVm0joiR89lILsUJDEnYcoXEBHoiAGblDAyT+bqqWJuJBenRfXlBGlQfoGGz4eOAQ7gWkXL5kToDVtosSJ1ZtbWTeum9bYTS3xy7qzsbJLXSXUZ7mrz/kbA9ksSmTInDPhkLBkcg/OQhcDQ0F0J+ab5iGKRGkNmLgI3JRs6WRjrFRg0V8aQAtU94m6hvceu2QI8q8t9asQ3JISHLLaTUs7jDXp7j8xbeMHm8exs80mebDoJLWVEsvVLSSuUU8cTxNScpInnpjE82qH2baa2ig+XfVQbyxyJjc</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>

El error/stacktrace:

2011-03-14 16:22:00,331 ERROR [STDERR] com.sun.identity.saml2.common.SAML2Exception: Single Sign On failed.
2011-03-14 16:22:00,331 ERROR [STDERR]  at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(Unknown Source)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jsp.fedletSampleApp_jsp._jspService(fedletSampleApp_jsp.java:262)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
2011-03-14 16:22:00,331 ERROR [STDERR]  at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:332)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
2011-03-14 16:22:00,332 ERROR [STDERR]  at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
2011-03-14 16:22:00,332 ERROR [STDERR]  at java.lang.Thread.run(Thread.java:810)

¿Podría ser esto de editar los metadatos que el servidor ADFS me proporcionó? Tengo problemas para descubrir dónde cavar desde aquí.

Gracias,

¿Fue útil?

Solución

Has leído Creación de una organización virtual utilizando servicios de identidad federados con OpenSSO y Microsoft Active Directory Federation Services?.

Los detalles están en el papel blanco en la parte inferior.

Las instrucciones OpenSso están aquí: Operaciones de federación WS

Licenciado bajo: CC-BY-SA con atribución
No afiliado a StackOverflow
scroll top