SSO with Django 1.9 + djangosaml2 + ADFS 2.0

Published 2024-09-27 09:21:59


I used djangosaml2 to set up and configure ADFS 2.0 as the IdP and a Django project as the SP. The Django project is developed on IIS 7.5.

djangosaml2 configuration:

import os
import saml2
from saml2.saml import NAMEID_FORMAT_EMAILADDRESS

# BASE_DIR is the Django project root defined earlier in settings.py

SAML_CONFIG = {
  # full path to the xmlsec1 binary program
  'xmlsec_binary': 'C:\\Program Files\\xmlsec1\\xmlsec1-1.2.20-win32-x86\\bin\\xmlsec1.exe',

  # your entity id, usually your subdomain plus the url to the metadata view
  'entityid': 'https://sp.corp.com/saml2/metadata/',

  # this block states what services we provide
  'service': {
      # we are just a lonely SP
      'sp' : {
          # pysaml2 expects a boolean here, not the string "true"
          'authn_requests_signed': True,
          'name': 'SP',
          # NameID format the SP asks the IdP for (sent as NameIDPolicy in the AuthnRequest)
          'name_id_format': NAMEID_FORMAT_EMAILADDRESS,

          'endpoints': {
              # url and binding to the assertion consumer service view
              # do not change the binding or service name
              'assertion_consumer_service': [
                  ('https://sp.corp.com/saml2/acs/',
                   saml2.BINDING_HTTP_POST),
                  ],
              # url and binding to the single logout service view
              # do not change the binding or service name
              'single_logout_service': [
                  ('https://sp.corp.com/saml2/ls/',
                   saml2.BINDING_HTTP_REDIRECT),
                  ('https://sp.corp.com/saml2/ls/post',
                   saml2.BINDING_HTTP_POST),
                  ],
              },

          # attributes that this project needs to identify a user
          'required_attributes': ['email'],

          # attributes that may be useful to have but are not required
          'optional_attributes': ['surname'],
          },
      },

  # where the remote metadata is stored (ADFS FederationMetadata.xml saved locally)
  'metadata': {
      'local': [os.path.join(BASE_DIR, 'FederationMetadata.xml')],
      },

  # set to 1 to output debugging information
  'debug': 1,

  # certificate
  'key_file': os.path.join(BASE_DIR, 'iispk.pem'),  # private part
  'cert_file': os.path.join(BASE_DIR, 'iiscert.pem'),  # public part
  }

On the ADFS side, I added a Relying Party Trust using the URL https://sp.corp.com/saml2/metadata/. Then I added a claim rule "Send LDAP Attributes as Claims" with the mappings E-Mail-Address -> E-Mail Address and Surname -> Surname. Then I went to https://sp.corp.com/saml2/login/, entered username and password, and got an ADFS error, which shows up in the event log:

^{pr2}$

This has tormented me for days. How do I solve it? Please explain in detail. Many thanks.


1 answer

Answer 1 · posted 2024-09-27 09:21:59

You need to send a NameID claim in the SAML assertion. Since you have not created this claim in the issuance rule set, ADFS is saying that the value of the claim it would generate in the security token does not match the request policy you have configured (and sent in the SAML request).

See https://blogs.msdn.microsoft.com/card/2010/02/17/name-identifiers-in-saml-assertions/ for how to generate the NameID claim and which format it should be issued in.

Thanks, Sam [Twitter: @MrADFS]
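An added diagnostic (not from the question or Sam's answer) that makes the mismatch concrete: the SP's `name_id_format` setting becomes a `NameIDPolicy` in the AuthnRequest, and the IdP must then issue a `NameID` in that same format. The check below reads the requested format out of an AuthnRequest and verifies that a SAML response carries a matching, non-empty `NameID`. The two sample messages are constructed here for illustration (the `alice@corp.com` value and request ID are made up); it only inspects the XML and does no signature verification, which djangosaml2/pysaml2 handle before the assertion is ever trusted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in AuthnRequest and Response documents
NS = {
    'saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
    'samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
}

# same URN pysaml2 exposes as saml2.saml.NAMEID_FORMAT_EMAILADDRESS
NAMEID_FORMAT_EMAILADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'


def requested_name_id_format(authn_request_xml):
    """Return the Format the SP asked for in NameIDPolicy, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find('samlp:NameIDPolicy', NS)
    return None if policy is None else policy.get('Format')


def check_name_id(response_xml, expected_format):
    """Return (ok, detail): ok is True when the assertion carries a non-empty
    NameID whose Format equals expected_format; detail is the NameID value on
    success or the reason on failure."""
    root = ET.fromstring(response_xml)
    subject = root.find('.//saml:Assertion/saml:Subject', NS)
    if subject is None:
        return False, 'assertion has no Subject'
    name_id = subject.find('saml:NameID', NS)
    if name_id is None:
        # This is the state the question describes: attributes are issued,
        # but no NameID claim rule exists on the IdP side.
        return False, 'assertion has no NameID (IdP issues no NameID claim)'
    fmt = name_id.get('Format')
    if fmt != expected_format:
        return False, 'NameID Format %r does not match requested %r' % (fmt, expected_format)
    value = (name_id.text or '').strip()
    if not value:
        return False, 'NameID is empty'
    return True, value


# Constructed sample AuthnRequest, as an SP with name_id_format =
# NAMEID_FORMAT_EMAILADDRESS would send it.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-constructed-1"
    Version="2.0" IssueInstant="2024-09-27T09:21:59Z"
    AssertionConsumerServiceURL="https://sp.corp.com/saml2/acs/">
  <saml:Issuer>https://sp.corp.com/saml2/metadata/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed response: email and surname attributes only, no NameID.
RESPONSE_WITHOUT_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-constructed-1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@corp.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response after adding a NameID claim rule in emailAddress format.
RESPONSE_WITH_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-constructed-2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@corp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == '__main__':
    wanted = requested_name_id_format(AUTHN_REQUEST)
    print('SP requested NameID format:', wanted)
    for label, resp in (('before claim rule', RESPONSE_WITHOUT_NAMEID),
                        ('after claim rule', RESPONSE_WITH_NAMEID)):
        print(label, '->', check_name_id(resp, wanted))
```

Running it prints the failure reason for the first response and the NameID value for the second, which is the same condition ADFS enforces when it compares the issued NameID against the request policy. With `debug: 1` in the SAML_CONFIG above, pysaml2 logs the decoded response, so the same check can be run on a real response from the ADFS event log or the SP log.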
