Centos7
Configuring Shibboleth SAML 2.0 with ADFS 3.0 and getting federation errors
I am trying to configure ADFS 3.0 and SAML 2.0. Currently, whenever I restart shibd and httpd, I get the following errors:

2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 2702, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 2702, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 3893, message: no declaration found for element 'fed:ClaimTypesRequested'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 24931, message: no declaration found for element 'fed:TargetScopes'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26031, message: no declaration found for element 'fed:ApplicationServiceEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26285, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26473, message: element 'fed:ClaimTypesRequested' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26848, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26848, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 28026, message: no declaration found for element 'fed:TokenTypesOffered'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 28193, message: no declaration found for element 'fed:ClaimTypesOffered'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 49245, message: no declaration found for element 'fed:SecurityTokenServiceEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 49941, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 50129, message: element 'fed:TokenTypesOffered' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-07 12:49:08 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml): XML error(s) during parsing, check log for specifics
2016-11-07 12:49:08 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 1800 seconds
2016-11-07 12:49:08 CRIT OpenSAML.MetadataProvider.XML : maintaining existing configuration, error reloading resource (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml): XML error(s) during parsing, check log for specifics
My current configuration in shibboleth2.xml:

<!-- ADFS Extension -->
<OutOfProcess>
    <Extensions>
        <Library path="/usr/lib64/shibboleth/adfs.so" fatal="true"/>
    </Extensions>
</OutOfProcess>
<InProcess logger="native.log" checkSpoofing="true">
    <Extensions>
        <Library path="/usr/lib64/shibboleth/adfs-lite.so" fatal="true"/>
    </Extensions>
</InProcess>

<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="c-app01">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

<ApplicationDefaults entityID="https://c-app01.contoso.com/Shibboleth.sso/Metadata.xml"
                     REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
        <!-- Putting another SSO here will make shibd fail. There should only be one SSO. -->
        <SSO>
            SAML2 SAML1 ADFS
        </SSO>
        <!-- SAML and local-only logout. -->
        <Logout>SAML2 Local</Logout>
        <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
        <Handler type="MetadataGenerator" Location="/Metadata.xml" signing="false"/>
        <!-- Status reporting service. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
        <!-- Session diagnostic service. -->
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="root@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>

    <MetadataProvider type="XML" validate="true"
                      uri="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
                      reloadInterval="7200">
        <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                         attributeName="http://macedir.org/entity-category"
                         attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                         attributeValue="http://refeds.org/category/hide-from-discovery" />
    </MetadataProvider>

    <!-- Example of locally maintained metadata. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <!-- Use a SAML query if no attributes are supplied during SSO. -->
    <AttributeResolver type="Query" subjectMatch="true"/>
    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <!-- Simple file-based resolver for using a single keypair. -->
    <CredentialResolver type="File" key="c-app01.contoso.com.key" certificate="c-app01.contoso.com.pem"/>
</ApplicationDefaults>

<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
Apache configuration in /etc/httpd/conf.d/shib.conf:

LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
ShibCompatValidUser Off
<Location /Shibboleth.sso>
    SetHandler shib
    AuthType None
    Require all granted
</Location>
How do I get rid of these fed errors?
In ADFS, these errors come from the ADFS endpoints.

2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 3893, message: no declaration found for element 'fed:ClaimTypesRequested'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 24931, message: no declaration found for element 'fed:TargetScopes'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26031, message: no declaration found for element 'fed:ApplicationServiceEndpoint'
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 26285, message: no declaration found for element 'fed:PassiveRequestorEndpoint'

So I only had to disable the unused endpoints under ADFS Management > Service > Endpoints. That then removed the errors.
I don't know whether you found a solution, but I just ran into the same situation and I have a workaround: in your shibboleth2.xml file, change the "validate" parameter to "false", like this:

<MetadataProvider type="XML" validate="false" file="/etc/shibboleth/FederationMetadata.xml"/>

In my case, I could be redirected to the IdP's login page and then sent back to my application.
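As an added example (not from the question or either answer), a way to keep validate="true" instead of turning it off: remove the WS-Federation RoleDescriptor elements, which are the source of every fed: error in the log above, from a saved copy of FederationMetadata.xml and point a file-based MetadataProvider at the result. The sample metadata, entityID and host names below are constructed, not real ADFS output.

```python
# Added example (not from the question or either answer): strip the
# WS-Federation parts out of a saved ADFS FederationMetadata.xml so the
# SAML-only remainder passes Shibboleth's schema validation.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
ET.register_namespace("md", MD)  # keep readable prefixes on output
ET.register_namespace("ds", DS)


def strip_wsfed(metadata_xml: str) -> str:
    """Drop every md:RoleDescriptor (the fed:*-typed STS roles), every element
    in the wsfed namespace, and the enveloped ds:Signature.
    Editing the document breaks its signature, so the result must be trusted
    as a local file (MetadataProvider file="..."), not via signature checks.
    """
    root = ET.fromstring(metadata_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    doomed = [
        el for el in root.iter()
        if el.tag in (f"{{{MD}}}RoleDescriptor", f"{{{DS}}}Signature")
        or el.tag.startswith(f"{{{FED}}}")
    ]
    for el in doomed:
        parents[el].remove(el)  # parent may already be detached; still fine
    return ET.tostring(root, encoding="unicode")


def role_names(metadata_xml: str) -> list:
    """Local names of the role elements directly under EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    return [c.tag.split("}")[1] for c in root if c.tag.endswith("Descriptor")]


# Constructed stand-in for ADFS FederationMetadata.xml (not real ADFS output).
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" xmlns:fed="{FED}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" ServiceDisplayName="Example STS"
      protocolSupportEnumeration="{FED}">
    <fed:TokenTypesOffered><fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/></fed:TokenTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Because the cleaned copy no longer tracks the live ADFS endpoint, it has to be regenerated whenever ADFS rolls its signing certificate or changes its endpoints.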