这个问题非常类似于不同的帖子:
Getting NameIDPolicyError implementing SSO with ADFS 2.0
但是,上述答案没有奏效 . 我在这个网站上看了很多帖子,还有其他人如何解决这个问题 . 很多人都能让它工作,但我做不到 . 问题很简单,当我们在AD中将OpenAM服务器配置为依赖方信任时,我们在登录后会收到SSO错误 .
日志名称:AD FS 2.0 / Admin来源:AD FS 2 . 0日期:11/4/2013 12:52:04 PM事件ID:321任务类别:无级别:错误关键词:AD FS用户:CBC \ adfsuser计算机:domainserver2 .cincybible.priv描述:SAML身份验证请求具有无法满足的NameID策略 . 请求者:sso.uat.firstmarblehead.com/ccuniversity_sso名称标识符格式:urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier:sso.uat.firstmarblehead.com/ccuniversity_sso异常详细信息:MSIS1000:SAML请求包含已颁发的令牌不满足的NameIDPolicy . 请求的NameIDPolicy:AllowCreate:True格式:urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier:sso.uat.firstmarblehead.com/ccuniversity_sso . 实际NameID属性:null . 此请求失败 .
我们根据我们在网上找到的所有文章的指示创建了发行转换规则 . 我们尝试了很多版本,但这是我们最新的尝试 .
The first rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");
The second rule:
c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
Here is the output from Get-ADFSRelyingPartyTrust:
AutoUpdateEnabled : False
DelegationAuthorizationRules :
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
IssuanceAuthorizationRules : @RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Val
ue = "true");
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
IssuanceTransformRules : @RuleName = "tma1"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameiden
tifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,
ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/ident
ity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transi
ent", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties
/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Prop
erties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequali
fier"] = "http://auth.ccuniversity.edu/adfs/services/trust");
@RuleTemplate = "MapClaims"
@RuleName = "tms"
c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameiden
tifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,
ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/ident
ity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transi
ent");
ClaimsAccepted : {}
ConflictWithPublishedPolicy : False
EncryptClaims : True
Enabled : True
EncryptionCertificate : [Subject]
CN=*.uat.firstmarblehead.com, OU=Information Technology, O="First Marblehead E
ducation Resources, Inc.", L=Boston, S=Massachusetts, C=US
[Issuer]
CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number]
098E9D684BFAE209A18CCEF5787321DC
[Not Before]
4/17/2013 8:00:00 PM
[Not After]
4/22/2016 8:00:00 AM
[Thumbprint]
CA87AB342FBD2B07FF6642FAE1B6F9A685914BC8
Identifier : {sso.uat.firstmarblehead.com/ccuniversity_sso}
LastMonitoredTime : 1/1/1900 12:00:00 AM
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 1/1/1900 12:00:00 AM
MetadataUrl :
MonitoringEnabled : False
Name : tms
NotBeforeSkew : 0
Notes :
OrganizationInfo :
ImpersonationAuthorizationRules : c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(store="_
ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/
permit"),query="isProxySid({0})", param=c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", I
ssuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(store="_Pr
oxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/pe
rmit"),query="isProxySid({0})", param=c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid
", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=(
"http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustP
rovisioned({0})", param=c.Value );
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {[Subject]
CN=*.uat.firstmarblehead.com, OU=Information Technology, O="First Marblehead E
ducation Resources, Inc.", L=Boston, S=Massachusetts, C=US
[Issuer]
CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number]
0FF7E7A675A284662D016D88667AB41F
[Not Before]
4/17/2013 8:00:00 PM
[Not After]
4/22/2016 8:00:00 AM
[Thumbprint]
24EC80DB593EAFB2828D779562EA8CED42D76846
}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : True
SamlEndpoints : {Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityS
erver.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Res
ources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2000/09/xmldsig#rsa-sha1
TokenLifetime : 0
Here is the decrypted/decoded saml. This is the post to our server, the IDP:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s2eed242413a54b59b47903b814912ab1e84144944"
Version="2.0"
IssueInstant="2013-11-05T17:17:15Z"
Destination="https://auth.ccuniversity.edu/adfs/ls/"
ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso"
AllowCreate="true"
/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"
>
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Here is what the browser posts to their server, the SP
<samlp:Response ID="_13d60ca8-b098-4373-96e3-e344668312f6"
Version="2.0"
IssueInstant="2013-11-05T17:17:40.234Z"
Destination="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://auth.ccuniversity.edu/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_13d60ca8-b098-4373-96e3-e344668312f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>8a98Uanf5TQZNwTEGU46itoq4Nc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>aesO2KDvxadT+O2z3P84c190vBPOcHYKTZjP3Sow41iRNaMo09Tz1ERLSUw0/W3g+a67D/l5ZL5SsncsQCvhVLKwGy/JO1J1fHZuzxQ5YgoRqznYQWVUVI8x1G6ZTXuLFsnj7M5FJZNsv//uGwpPmdj/6+p7gvzkhX5mE6tCHeltKD7LDXwaO6O2XwpGNuUiYr8Zix27ZpEoVtRXrZLuSdkBhWvALyDt79MsYMRfe88FWEnWxImIMPmc/+JAj4Wnw7cSh1eSc51n2h4Ke69J2tpiiz/TgTe+N2rMDTfmHHljk6TPt1eNxMIDPIMZE1yA0NBP4QU/xf+PktNmz+rx2g==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC9jCCAd6gAwIBAgIQca/kv1WgNI9OHqgFCiBlLDANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxBREZTIFNpZ25pbmcgLSBET01BSU5TRVJWRVIyLmNpbmN5YmlibGUucHJpdjAeFw0xMzEwMjQxODMzMjFaFw0xNDEwMjQxODMzMjFaMDcxNTAzBgNVBAMTLEFERlMgU2lnbmluZyAtIERPTUFJTlNFUlZFUjIuY2luY3liaWJsZS5wcml2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJKOTVYA9zyL6eomSCPILgGxFlVIQ4esw5AGOBt7Ws5fC8Wd2gO84T1WBErf0PCzrigIxPDCFuU9cEX91VAfKlCML5NGJl40MEvwtyBEo8sp4fq5RLmYYH7R+VqDf3nIkqmE7gPijkWAX9f0kaU8A7QKoSSUSmN+51jCft/ksFC9opNvq71zsKRP4m7qI/Geowh+a6PwiJHkTZBFImqFormVtm3UE+OyUpkagOKtK23vypIOLNXtfErsQVQO1JCTj/Bg4ECEib1yn/Kuy6yJOerSEwevFU6d8YwBkjBX8UeNBntpOA7F1Toma6vPIy+iqlf4xx2LK+a6o9A5Ac/o4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAaAgfSJ/DM+lQ8IPUsdrMH4tTl/5DZmMy5fPeCouzi8DuV3igTCvBL79YDSkxU3IUvE7BFiTbZlW6qG5zPmULHZ/8Bcp00F/TVF/wbu2zWhPFfP0m79dEJNcVrEudWkNTKqQcfvvYrg+7Lm8yR4Fo2neFC6UfPyfqUD903y+0Xu+g6hUSJu+O9y9J4e2JQvMM9yA0DW8JcIXJceL3qB6Dm4vg/aiPStV3IKZRUo7FCvKNsffQl2Thjo+mbR2RRo7DSpKk/XSZhytE8F4gry0JWtShrJhlxPFuiBf8QDNkas78s4leau3JZ/zEc6TMsyxJTftxtISvpKztZa5BA0Vo/</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
Here is the error shown in the browser:
GET https://sso.uat.firstmarblehead.com/favicon.ico HTTP/1.1
Host: sso.uat.firstmarblehead.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: amlbcookie=03; BIGipServerUAT.sso.firstmarblehead.com-HTTP=1548095916.20480.0000
HTTP/?.? 404 Not Found
Date: Tue, 05 Nov 2013 17:17:40 GMT
Server: Apache/2.2.17 (Red Hat Enterprise Web Server)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1
Here are the only two logs in the AD FS Tracing --> Debug category that seem important. This one is an "Information log"
Date: 10/25/2013 2:32:50 PM
Event ID: 49
Task Category: None
Level: Information
Keywords: ADFSSamlProtocol
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
<EventID>49</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000200</Keywords>
<TimeCreated SystemTime="2013-10-25T18:32:50.360003000Z" />
<EventRecordID>92</EventRecordID>
<Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
<Execution ProcessID="5068" ThreadID="5636" ProcessorID="1" KernelTime="3" UserTime="15" />
<Channel>AD FS 2.0 Tracing/Debug</Channel>
<Computer>domainserver2.cincybible.priv</Computer>
<Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created</EventData>
</Event>
</UserData>
</Event>
This one is an error log:
Log Name: AD FS 2.0 Tracing/Debug
Source: AD FS 2.0 Tracing
Date: 10/25/2013 2:32:50 PM
Event ID: 47
Task Category: None
Level: Error
Keywords: ADFSSamlProtocol
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
<EventID>47</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000200</Keywords>
<TimeCreated SystemTime="2013-10-25T18:32:50.309219800Z" />
<EventRecordID>88</EventRecordID>
<Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
<Execution ProcessID="5068" ThreadID="5636" ProcessorID="2" KernelTime="3" UserTime="12" />
<Channel>AD FS 2.0 Tracing/Debug</Channel>
<Computer>domainserver2.cincybible.priv</Computer>
<Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)</EventData>
</Event>
</UserData>
</Event>
任何人这样做或有想法做到这一点?
因此,我们通过更改ADFS(IDP)和OpenAM(SP)中的规则取得了一些进展 . 我们现在得到关于证书的错误,我们乐观地认为这些证书可以解决 .
以下是确切的更新规则:
Rule 1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
规则2
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sso.uat.firstmarblehead.com/ccuniversity_sso");
该论坛描述了对OpenAM所做的更改
http://list-archives.org/2012/09/29/openam-forgerock-org/openam-and-adfs-fedration/f/1331885749
具体请注意本节:
"> >>> Peter Major <peter.major@forgerock.com> 9/29/2012 3:04 AM >>>
>
> Go to the Federation page, and try to remove persistent nameid-format
> from both SP and IdP configuration (one of seems to be on the top of the
> nameid format, but adfs doesn't like it).
> The OpenAM side of the error is probably at handling the SAML error
> response, can you please provide the HTTP flow (or the SAML
> requests/responses)?"