
OneLogin SSO Shibboleth ACS configuration

Stack Overflow user
Asked on 2016-06-16 15:18:42
Answers 1 · Views 2.4K · Followers 0 · Votes 0

I'm trying to get Shibboleth working in my lab using the OneLogin SAML Test Connector (IdP w/attr). I was able to do everything using the TestShib IdP, but when I change the metadata provider and update my SSO entity ID, all I get is the following error:

SAML message delivered with POST to incorrect server URL

When I look at my metadata file, I see that my ACS is:

http://testserver/Shibboleth.sso/SAML2/POST

But when that is put into my OneLogin test connector, all I get is the error above.

Below is my shibboleth2.xml file (entity IDs removed):

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
    <!-- Windows RequestMapper -->
    <!-- The RequestMap defines portions of the webspace to protect; testserver/secure here. -->
    <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap -->

    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true" safeHeaderNames="false">
            <!--
            Maps IIS Instance ID values to the host scheme/name/port. The name is
            required so that the proper <Host> in the request map above is found without
            having to cover every possible DNS/IP combination the user might enter.
            -->
            <Site id="1" name="testserver"/>
            <!--
            When the port and scheme are omitted, the HTTP request's port and scheme are used.
            If these are wrong because of virtualization, they can be explicitly set here to
            ensure proper redirect generation.
            -->
            <!--
            <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
            -->
        </ISAPI>
    </InProcess>

    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="testserver">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <!-- The entityID is the name TestShib made for your SP. -->
    <ApplicationDefaults entityID="" REMOTE_USER="eppn">
        <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
            <!-- Triggers a login request directly to the TestShib IdP. -->
            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
            <SSO entityID="">SAML2</SSO>
            <!-- SAML and local-only logout. -->
            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
            <Logout>SAML2 Local</Logout>
            <!--
            Handlers allow you to interact with the SP and gather more information.  Try them out!
            Attribute values received by the SP through SAML will be visible at:
            http://sdserver/Shibboleth.sso/Session
            -->
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <!-- Error pages to display to yourself if something goes horribly wrong. -->
        <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
        <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
        <MetadataProvider type="XML" file="onelogin_metadata.xml"/>
        <!-- Attribute and trust options you shouldn't need to change. -->
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <!-- Your SP generated these credentials.  They're used to talk to IdP's. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </ApplicationDefaults>
    <!-- Security policies you shouldn't change unless you know what you're doing. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Metadata (again with sensitive information removed):

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://.onelogin.com/trust/saml2/soap/sso/"/>
  </IDPSSODescriptor>
  <ContactPerson contactType="technical">
    <SurName>Support</SurName>
    <EmailAddress>support@onelogin.com</EmailAddress>
  </ContactPerson>
</EntityDescriptor>

The connector only has the following settings:

ACS (Consumer) URL Validator: ^http://testserver/shibboleth.sso/SAML2/POST$

ACS (Consumer) URL: http://testserver/shibboleth.sso/SAML2/POST


1 Answer

Stack Overflow user

Posted on 2016-06-16 23:49:48

The guide explains how to configure the OneLogin connector:

  • Audience: http://testserver/shibboleth.sso/SAML2/POST
  • Recipient: ->IdP entity ID<-
  • ACS (Consumer) URL Validator: ^http://testserver/shibboleth.sso/SAML2/POST$
  • ACS (Consumer) URL: http://testserver/shibboleth.sso/SAML2/POST

In Shibboleth:

Edit /etc/shibboleth/shibboleth2.xml and add the metadata URL as a metadata provider.

I see you have already obtained the application's metadata URL by logging into OneLogin as an administrator and clicking on the Test connector > SSO tab > Issuer.

And add it to the file:

<MetadataProvider type="XML" file="onelogin_metadata.xml"/>

Add the attribute mapping: edit /etc/shibboleth/attribute-map.xml and add the following attributes:

<!-- OneLogin attributes -->

<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="login">
 <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

<Attribute name="User.Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="email">
 <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

<Attribute name="User.FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="firstName">
 <AttributeDecoder xsi:type="StringAttributeDecoder"/>
</Attribute>

<Attribute name="User.LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="lastName">
 <AttributeDecoder xsi:type="StringAttributeDecoder"/>
</Attribute>

The error you are experiencing, "SAML message delivered with POST to incorrect server URL", is documented:

When a SAML message is addressed to a location inconsistent with where the SP believes it's running, this error will be thrown. The SP pulls much of this information from the web environment.

* Verify that the server name and port are properly set in accordance with the SP's metadata.
* Rewriting rules in effect for the Shibboleth.sso handler path must be consistent with the SP's metadata.
* The IdP needs to properly address the SAML response.

SAML tracer records the SAML flow; verify that the SAMLResponse is sent using the HTTP binding to the http://testserver/shibboleth.sso/SAML2/POST endpoint.

I'm not an expert, but it may be related to the fact that it is sent from HTTPS to HTTP, as described here, explained here.

Votes 1
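As an added example (not part of the question or the answer above), a small Python diagnostic that reproduces the comparison behind that error: it reads the Destination attribute of a captured SAMLResponse and compares it, component by component, with the URL the SP believes the message was POSTed to, then says which side of the deployment usually owns each mismatch. The sample response and SP URL are constructed from values on this page (they show both the HTTPS-vs-HTTP mismatch the answer suspects and the letter-case difference between the metadata ACS, Shibboleth.sso, and the connector's shibboleth.sso); treating the comparison as exact and case-sensitive is an assumption of the example, so the SP's own log remains the authoritative source.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def destination_of(saml_response_xml: str) -> str:
    """Destination attribute of a samlp:Response ('' if absent)."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response element")
    return root.get("Destination", "")

def url_differences(destination: str, sp_request_url: str) -> dict:
    """Exact (case-sensitive, an assumption of this example) comparison of
    scheme, host:port and path. Returns {component: (destination, sp_value)}."""
    d, s = urlsplit(destination), urlsplit(sp_request_url)
    return {part: (getattr(d, part), getattr(s, part))
            for part in ("scheme", "netloc", "path")
            if getattr(d, part) != getattr(s, part)}

def diagnose(saml_response_xml: str, sp_request_url: str) -> list:
    """Map each mismatch to the side of the deployment that usually causes it."""
    diffs = url_differences(destination_of(saml_response_xml), sp_request_url)
    hints = []
    if "scheme" in diffs:
        hints.append("scheme %s vs %s: if TLS is terminated in front of the SP, pin "
                     "scheme/port on the IIS <Site> so the SP sees the external URL"
                     % diffs["scheme"])
    if "netloc" in diffs:
        hints.append("host/port %s vs %s: <Site name> / <Host name> must match the "
                     "ACS host configured at the IdP" % diffs["netloc"])
    if "path" in diffs:
        a, b = diffs["path"]
        why = "differs only in letter case" if a.lower() == b.lower() else "differs"
        hints.append("path %s vs %s %s: the IdP's ACS URL must match the SP "
                     "metadata exactly" % (a, b, why))
    return hints

# Constructed sample: a stripped-down response addressed the way the connector
# on this page would address it, versus the URL the SP computes for the request.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_c1" Version="2.0" '
    'IssueInstant="2016-06-16T15:18:42Z" '
    'Destination="http://testserver/shibboleth.sso/SAML2/POST"/>' % SAMLP)
SP_URL = "https://testserver/Shibboleth.sso/SAML2/POST"

if __name__ == "__main__":
    for hint in diagnose(SAMPLE_RESPONSE, SP_URL):
        print(hint)
```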
The original page content is provided by Stack Overflow. Translation support provided by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/37863221
