wso2 - 将 Shibboleth SP 添加到 WSO2 身份服务器中的租户
问题描述
对于这个用例,我有一个奇怪的行为:WSO2 IS 有一个租户(租户 A),并且在租户中添加了一个 Shibboleth 服务提供商(未选择 SaaS,因此 SP 应该只对租户可见)。Shibboleth SP 具有 wso2 IDP 的元数据,并且证书已就位且正确。配置是通过碳控制台完成的。导航受 Shibboleth SP 保护的 URL 我得到了奇怪的行为:
我被重定向到tenantDomain=carbon.super 并且(正确地)wso2 日志告诉我我的SP 没有注册。
TLDR:我找不到在 Shibboleth SP 和 WSO2 IS 之间的 SP 发起的 SSO 中通知租户域的方法。这种行为是有意的吗?谢谢
这里 wso2 是常驻 IDP 元数据。这是使用 wso2 控制台中的“下载元数据”按钮生成的。然后将其复制到 Shibboleth SP 中。
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://iam01.com">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" validUntil="2019-01-24T14:47:48.803Z">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIDezCCAmOgAwIBAgIEJesahDANBgkqhkiG9w0BAQsFADBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlwdWdsaWEuaXQwHhcNMTkwMTIzMTM1MzMxWhcNMjAwMTE4MTM1MzMxWjBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlwdWdsaWEuaXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKIumEc7InbTUemGKGMnGtM9xzCbaVdqG8yE/ziEvo0dwxEvHtxsUMj/18D95hoDFpG90AOTcThHxa3ppMuN4IMhx/oNcwCahUsUQNesmQCtcL5CmduILELVmca0SQXeYqie7xLiM+osr/cGDXzzLyzyYPuWqehigtV3kGXbbMEl8mjMxwZbW3dyUeiaTmwoLmfPvvAn0KNV6aKxekziXRpELFdCZYM0u3wxfwRcwb/AMTCjTCUQANf3Fq55p1vE4+W5Wpl31Aua3SEqNAj33pJ1Bj2/e3mfWcFJeknOR/JqwEN3xAqOiLHffhiVVfN76JV7bc8bxyg6yPVpopvz9fAgMBAAGjITAfMB0GA1UdDgQWBBTvYpC7Y/jBh04BNfoqAqP4nLahPDANBgkqhkiG9w0BAQsFAAOCAQEAoE2kBEHZtKTqnYORFob5pDzLh4GZA7R7sNoCWgUsyyMOEXEyfHBNBljrvr6LMnlS6iGcuYlWAu8eonYdxlLryiThHkAMYryHp3jZXYb7AKwdm7ZJkAiiaemSXR9jjG7rzONRiLNJgoDLUdPJjzKndV4/I4VfWuYJiP1Ah7+9vR3Yu1rGom7anOfAiHv9dA/RKO642mOys3ihc6vLGsCTDFRy1pwkI62C9Tc62aSxOtNq9vasx142fKELe1+iGv5gs0oipD9/yusk6+92XdgbKASHw+r+LZVQCJN+Zn/kwFPldzhe35NVHWhx5c5ZOii0qreouYhB/ZGc0Ndl/4yzOc==</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iam01.com:9443/samlsso" ResponseLocation="https://iam01.com:9443/samlsso"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://iam01.com:9443/samlsso"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iam01.com:9443/samlsso"/>
</IDPSSODescriptor>
</EntityDescriptor>
解决方案
尝试将 URL 从 iam01.com:9443/samlsso 更改为 iam01.com:9443/samlsso?tenantDomain=tenantA.com
在 SAML 元数据文档中。
推荐阅读
- tensorflow - Out Of Memory when running multi-gpu cnn with TensorFlow
- ssl - Is this a valid Set-Cookie syntax
- bash - Is there a way to delete json files produced by protractor cucumber on Jenkins when using protractor flake?
- ruby-on-rails - 在 Rails 3.2 中公开开发和生产中的资产
- encryption - 仅显示特定客户的解密字符串
- python - Save a pandas dataframe with a column with 2d arrays as a parquet file in python
- azure - AAD: How do you send an "interactive authorization request" to resolve AADSTS65001 when using MSAL if it's not by calling acquireTokenPopup?
- javascript - 如何从数组中的对象中获取最小整数?
- java - How can I implement apollographql client into the maven project to activate subscription?
- c# - 尝试根据屏幕移动的百分比移动滑块