Centos7

使用 ADFS 3.0 配置 Shibboleth SAML 2.0 並出現聯合錯誤

  • December 12, 2016

我正在嘗試配置 ADFS 3.0 和 SAML 2.0。目前,每當我重新啟動shibdhttpd.

2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 2702, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 2702, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 3893, message: no declaration found for element 'fed:ClaimTypesRequested'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 24931, message: no declaration found for element 'fed:TargetScopes'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26031, message: no declaration found for element 'fed:ApplicationServiceEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26285, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26473, message: element 'fed:ClaimTypesRequested' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26848, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26848, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 28026, message: no declaration found for element 'fed:TokenTypesOffered'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 28193, message: no declaration found for element 'fed:ClaimTypesOffered'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 49245, message: no declaration found for element 'fed:SecurityTokenServiceEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 49941, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 50129, message: element 'fed:TokenTypesOffered' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-07 12:49:08 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml): XML error(s) during parsing, check log for specifics
2016-11-07 12:49:08 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 1800 seconds
2016-11-07 12:49:08 CRIT OpenSAML.MetadataProvider.XML : maintaining existing configuration, error reloading resource (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml): XML error(s) during parsing, check log for specifics

我目前的配置在shibbolet2.xml

<!-- ADFS Extension -->
<OutOfProcess>
   <Extensions>
       <Library path="/usr/lib64/shibboleth/adfs.so" fatal="true"/>
   </Extensions>
</OutOfProcess>
<InProcess logger="native.log" checkSpoofing="true">
   <Extensions>
       <Library path="/usr/lib64/shibboleth/adfs-lite.so" fatal="true"/>
   </Extensions>
</InProcess>
<RequestMapper type="Native">
   <RequestMap applicationId="default">
       <Host name="c-app01">
           <Path name="secure" authType="shibboleth" requireSession="true"/>
       </Host>
   </RequestMap>
</RequestMapper>
<ApplicationDefaults entityID="https://c-app01.contoso.com/Shibboleth.sso/Metadata.xml"
                    REMOTE_USER="eppn persistent-id targeted-id">
   <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">
       <!-- Putting another SSO here will make shibd fail. There should only be one SSO. -->
       <SSO>
           SAML2 SAML1 ADFS
       </SSO>
       <!-- SAML and local-only logout. -->
       <Logout>SAML2 Local</Logout>
       <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
       <Handler type="MetadataGenerator" Location="/Metadata.xml" signing="false"/>
       <!-- Status reporting service. -->
       <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
       <!-- Session diagnostic service. -->
       <Handler type="Session" Location="/Session" showAttributeValues="false"/>
       <!-- JSON feed of discovery information. -->
       <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
   </Sessions>
   <Errors supportContact="root@localhost"
       helpLocation="/about.html"
       styleSheet="/shibboleth-sp/main.css"/>
   <MetadataProvider type="XML" validate="true"
       uri="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
       reloadInterval="7200">
     <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
       attributeName="http://macedir.org/entity-category"
       attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       attributeValue="http://refeds.org/category/hide-from-discovery" />
   </MetadataProvider>
   <!-- Example of locally maintained metadata. -->
   <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
   <!-- Use a SAML query if no attributes are supplied during SSO. -->
   <AttributeResolver type="Query" subjectMatch="true"/>
   <!-- Default filtering policy for recognized attributes, lets other data pass. -->
   <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
   <!-- Simple file-based resolver for using a single keypair. -->
   <CredentialResolver type="File" key="c-app01.contoso.com.key" certificate="c-app01.contoso.com.pem"/>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

阿帕奇配置/etc/httpd/conf.d/shib.conf

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

ShibCompatValidUser Off

<Location /Shibboleth.sso>
 SetHandler shib
 AuthType None
 Require all granted
</Location>

如何消除這些fed錯誤?

在 ADFS 中,這些錯誤來自 ADFS 端點。

2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 3893, message: no declaration found for element 'fed:ClaimTypesRequested'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 24931, message: no declaration found for element 'fed:TargetScopes'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26031, message: no declaration found for element 'fed:ApplicationServiceEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26285, message: no declaration found for element 'fed:PassiveRequestorEndpoint'

因此,我只需要在 ADFS 管理 > 服務 > 端點中禁用未使用的端點。然後,它隨後刪除了錯誤。

我不知道您是否找到了解決方案,但我剛剛遇到了同樣的情況,我有一個解決方法:在您的 shibboleth2.xml 文件中,將“validate”參數更改為“false”,如下所示:

<MetadataProvider type="XML" validate="false" file="/etc/shibboleth/FederationMetadata.xml"/>

就我而言,我可以在 Idp 的登錄頁面上被重定向,然後發回我的應用程序。

引用自:https://serverfault.com/questions/813858

相關問答

Adfs

ADFS - 如何在沒有域的情況下發送 sAMAccountName

  • September 24, 2020
檢視問答
Active-Directory

AD FS 未對 SAML 請求進行身份驗證

  • February 11, 2020
檢視問答
Shibboleth

跳過未映射的 SAML 2.0 屬性,即使 name 和 nameFormat 匹配

  • February 2, 2020
檢視問答
Windows-Server-2016

SAML 身份驗證請求具有無法滿足的 NameID 策略。

  • December 11, 2019
檢視問答
Active-Directory

SAML 服務提供商登錄時出現 ADFS 錯誤

  • July 16, 2019
檢視問答
Adfs

Shibboleth SP 2 和 ADFS sha1 到 sha256

  • August 1, 2018
檢視問答