simplesamplephp sp + idp設置問題

Question

我正在運行兩個simplesamplephp實例（一個用於SP，另一個用於IdP）並使用SSO進行遊戲。我的IdP使用openLDAP進行授權。

我從下面的PHP代碼開始通過將它們在使用example.php文件，把使用example.php文件中的Apache httpd和從瀏覽器訪問它：

$as = new SimpleSAML_Auth_Simple('example-sp'); 
$as->requireAuth(); 
$attr = $as->getAttributes(); 
print ……….. 

看來，認證請求是能夠從SP發送到IDP和這裏是SP日誌：

Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Session: 'example-sp' not valid because we are not authenticated. 
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Saved state: '_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3' 
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending SAML 2 AuthnRequest to 'https://idp.example.com/simplesaml/saml2/idp/metadata.php' 
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending message: 
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3" Version="2.0" IssueInstant="2013-07-06T19:56:06Z" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" AssertionConsumerServiceURL="https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/example-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"> 
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <saml:Issuer>example-sp-host</saml:Issuer> 
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/> 
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] </samlp:AuthnRequest> 

然後在IDP登錄我看到下面的（看來的IdP能夠接收請求）：

Jul 06 19:56:06 simplesamlphp INFO [37f32bab7b] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService 
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] Received message: 
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3" Version="2.0" IssueInstant="2013-07-06T19:56:06Z" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" AssertionConsumerServiceURL="https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/example-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"> 
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <saml:Issuer>example-sp-host</saml:Issuer> 
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/> 
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] </samlp:AuthnRequest> 

然後在SP日誌我看到以下內容：

Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Redirect to 636 byte URL: https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php 

但在我的瀏覽器我得到了以下錯誤：

The website encountered an error while retrieving https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php. It may be down for maintenance or configured incorrectly. 

注1 - 我爲什麼在SP日誌我不知道它說「Session：'example-sp'無效，因爲我們沒有通過認證」。也許在那個時候，安全上下文還沒有建立，這正是我們爲什麼需要執行$ as-> requireAuth（）的原因？

注2 - 瀏覽器中的錯誤表示什麼？這是否意味着我必須設置一些額外的html文件或表單來輸入LDAP驗證的用戶名/密碼？有關如何設置的任何線索？

注意3 - 除非我沒有更改'certFingerprint'值，否則根據simplesamlphp SP和IdP指南，我遵循了大部分配置更改。這可能是問題嗎？我有我的IdP和SP的goDaddy.com簽名SSL的副本 - 我應該使用它們嗎？

我實際上期望SSOService.php將sp傳遞給loginuserpass.php，但不知道爲什麼沒有。我想我可能會錯過一個設置的地方，但不知道確切的地方...

謝謝！

Answer 1

看起來我在導致此問題的配置文件saml20-sp-remote.php中存在拼寫錯誤。一旦它被修復，我就被引導到Idp登錄屏幕。現在只需要繼續前進！