基于lasso_saml20_provider_load_metadata的mod_auth_mellon故障分割

Question

我试图使用mod_auth_mellon来使用SAML2进行身份验证。我已经配置了属性，但是当我访问应用程序页面时，会收到一个分段错误错误。

在分析这个问题时，我在GDB上看到了这个错误：

Program received signal SIGSEGV, Segmentation fault.
0x00007fea68664357 in lasso_saml20_provider_load_metadata () from target:/lib64/liblasso.so.3

idp-metadata.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://my-entity-id-url">
 <IDPSSODescriptor>
   <KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>MIIDxzCCAq+gAwIBAgIJAKQsXQb9iHdLMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
...
...
...
GNV1V7MfHHsu5cg=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
 <KeyDescriptor use="encryption">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data>
       <ds:X509Certificate>MIIDxzCCAq+gAwIBAgIJAKQsXQb9iHdLMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
...
...
...
GNV1V7MfHHsu5cg=</ds:X509Certificate>
     </ds:X509Data>
   </ds:KeyInfo>
 </KeyDescriptor>
 <SingleLogoutService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://my-slo-url"/>
 <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
 <SingleSignOnService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://my-sso-url"/>
 <SingleSignOnService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://my-sso-url"/>
 </IDPSSODescriptor>
</EntityDescriptor>

谢谢!

Answer 1

在https://jdennis.fedorapeople.org/doc/mellon-user-guide/mellon_user_guide.html中有一个名为demo_keycloak_ipa_idp_metadata.xml的idp元数据示例。我根据我的组织属性调整元数据，它可以工作。