我正在运行两个simplesamplephp实例(一个用于SP,另一个用于IdP)并使用SSO进行游戏。我的IdP使用openLDAP进行授权。simplesamplephp sp + idp设置问题
我从下面的PHP代码开始通过将它们在使用example.php文件,把使用example.php文件中的Apache httpd和从浏览器访问它:
$as = new SimpleSAML_Auth_Simple('example-sp');
$as->requireAuth();
$attr = $as->getAttributes();
print ………..
看来,认证请求是能够从SP发送到IDP和这里是SP日志:
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Session: 'example-sp' not valid because we are not authenticated.
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Saved state: '_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3'
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending SAML 2 AuthnRequest to 'https://idp.example.com/simplesaml/saml2/idp/metadata.php'
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending message:
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3" Version="2.0" IssueInstant="2013-07-06T19:56:06Z" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" AssertionConsumerServiceURL="https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/example-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <saml:Issuer>example-sp-host</saml:Issuer>
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] </samlp:AuthnRequest>
然后在IDP登录我看到下面的(看来的IdP能够接收请求):
Jul 06 19:56:06 simplesamlphp INFO [37f32bab7b] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] Received message:
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3" Version="2.0" IssueInstant="2013-07-06T19:56:06Z" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" AssertionConsumerServiceURL="https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/example-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <saml:Issuer>example-sp-host</saml:Issuer>
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] </samlp:AuthnRequest>
然后在SP日志我看到以下内容:
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Redirect to 636 byte URL: https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php
但在我的浏览器我得到了以下错误:
The website encountered an error while retrieving https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php. It may be down for maintenance or configured incorrectly.
注1 - 我为什么在SP日志我不知道它说“Session:'example-sp'无效,因为我们没有通过认证”。也许在那个时候,安全上下文还没有建立,这正是我们为什么需要执行$ as-> requireAuth()的原因?
注2 - 浏览器中的错误表示什么?这是否意味着我必须设置一些额外的html文件或表单来输入LDAP验证的用户名/密码?有关如何设置的任何线索?
注意3 - 除非我没有更改'certFingerprint'值,否则根据simplesamlphp SP和IdP指南,我遵循了大部分配置更改。这可能是问题吗?我有我的IdP和SP的goDaddy.com签名SSL的副本 - 我应该使用它们吗?
我实际上期望SSOService.php将sp传递给loginuserpass.php,但不知道为什么没有。我想我可能会错过一个设置的地方,但不知道确切的地方...
谢谢!