2017-02-13 55 views
0

I am trying to configure SimpleSAMLphp using the FederationMetadata.xml file generated by an AD FS 2.0 server (part of it can be seen below; I replaced the middle part of the domain with "domain"). How do I connect the SP to an IdP on a .local domain?

Since our web application is not on their network, it cannot see the machines on the .local domain. I know very little about ADFS and SAML, but I think the SP must be able to reach the IdP endpoints. However, the IdP's technical contact keeps saying that all we need is this file and that it does not matter that the SP is outside the network.

Is there something I am missing here? Can the IdP and SP communicate using this metadata?

<EntityDescriptor ID="**ID**" entityID="http://adfs2.domain.local/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> 
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
     <ds:Reference URI="**URI**"> 
      <ds:Transforms> 
       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
      </ds:Transforms> 
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
      <ds:DigestValue>**digest**</ds:DigestValue> 
     </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue>**signature**</ds:SignatureValue> 
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
     <X509Data> 
      <X509Certificate>**cert**</X509Certificate> 
     </X509Data> 
    </KeyInfo> 
</ds:Signature> 
<RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="adfs2.domain.local" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"> 
    <KeyDescriptor use="encryption"> 
     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
      <X509Data> 
       <X509Certificate>**cert**</X509Certificate> 
      </X509Data> 
     </KeyInfo> 
    </KeyDescriptor> 
    <fed:ClaimTypesRequested> 
     <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"> 
      <auth:DisplayName>E-Mail Address</auth:DisplayName> 
      <auth:Description>The e-mail address of the user</auth:Description> 
     </auth:ClaimType> 
     <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"> 
      <auth:DisplayName>Given Name</auth:DisplayName> 
      <auth:Description>The given name of the user</auth:Description> 
     </auth:ClaimType> 

     ... 

    </fed:ClaimTypesRequested> 
    <fed:TargetScopes> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
     </EndpointReference> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address> 
     </EndpointReference> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address> 
     </EndpointReference> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address> 
     </EndpointReference> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>https://adfs2.domain.local/adfs/ls/</Address> 
     </EndpointReference> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>http://adfs2.domain.local/adfs/services/trust</Address> 
     </EndpointReference> 
    </fed:TargetScopes> 
    <fed:ApplicationServiceEndpoint> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
     </EndpointReference> 
    </fed:ApplicationServiceEndpoint> 
    <fed:PassiveRequestorEndpoint> 
     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"> 
      <Address>https://adfs2.domain.local/adfs/ls/</Address> 
     </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
</RoleDescriptor> 
</EntityDescriptor> 

Answer

0

Your SP and their IdP do not need to communicate at all. Once you have exchanged metadata, your SP and their IdP have a trust relationship. SAML makes no requirement on how the metadata is exchanged. Some people send it by e-mail, some publish it on a web server, others generate it dynamically from their IdP or SP, and some just give you the data values (certificates, endpoints, etc.) and let you build the metadata yourself.

What matters is that the user who is logging in can reach both the SP and the IdP. The most common SAML profile is that the SP redirects the user's browser to the IdP and then, after login, the IdP causes the browser to send a POST back to the SP.

There are other SAML profiles, less commonly used, that require SP-to-IdP communication. In your case, the IdP does not support those profiles.

+0

The metadata provided is not SAMLv2 metadata at all, but WS-Federation metadata. That is a completely different technology. –

+0

Great, thank you for the answer. –
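As an added check (not part of the question, the answer or SimpleSAMLphp), this Python script distinguishes SAML 2.0 IdP metadata (an IDPSSODescriptor with SingleSignOnService endpoints, which is what a SAML SP needs) from WS-Federation RoleDescriptor metadata like the excerpt above, and lists the browser-facing endpoints it finds; the hostname adfs2.example.local and the embedded sample document are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and by AD FS WS-Federation metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def inspect_metadata(xml_text: str) -> dict:
    """Report which federation roles a metadata document advertises: SAML 2.0
    SSO endpoints (what a SAML SP needs) versus WS-Federation RoleDescriptors."""
    root = ET.fromstring(xml_text)
    report = {
        "entity_id": root.get("entityID"),
        "saml2_sso": [],      # (Binding, Location) pairs usable by a SAML 2.0 SP
        "wsfed_roles": [],    # xsi:type of each WS-Federation RoleDescriptor
        "wsfed_passive": [],  # WS-Fed passive requestor (browser) endpoints
    }
    for idp in root.findall("md:IDPSSODescriptor", NS):
        for sso in idp.findall("md:SingleSignOnService", NS):
            report["saml2_sso"].append((sso.get("Binding"), sso.get("Location")))
    for role in root.findall("md:RoleDescriptor", NS):
        report["wsfed_roles"].append(role.get(XSI_TYPE))
        path = "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address"
        report["wsfed_passive"] += [a.text for a in role.findall(path, NS)]
    return report


def usable_by_saml2_sp(report: dict) -> bool:
    """True only if the metadata carries a SAML 2.0 IdP SSO endpoint."""
    return bool(report["saml2_sso"])


# Constructed sample shaped like the WS-Federation excerpt in the question
# (signature, claims and certificates omitted; the hostname is a placeholder).
WSFED_SAMPLE = """<EntityDescriptor entityID="http://adfs2.example.local/adfs/services/trust"
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
 <RoleDescriptor xsi:type="fed:ApplicationServiceType">
  <fed:PassiveRequestorEndpoint>
   <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
    <Address>https://adfs2.example.local/adfs/ls/</Address>
   </EndpointReference>
  </fed:PassiveRequestorEndpoint>
 </RoleDescriptor>
</EntityDescriptor>"""
```

Run `inspect_metadata()` on the real FederationMetadata.xml: if `saml2_sso` comes back empty, the file offers nothing a SAML 2.0 SP can be configured against, regardless of network reachability.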