This question is very similar to another post:
Getting NameIDPolicyError implementing SSO with ADFS 2.0
However, the answer there did not work for me. I have read many posts on this site and others about how to fix this. Many people are able to get it working, but I cannot. In short, the problem is that when I configure the OpenAM server as a relying party trust in AD FS, I get an SSO error after logging in.
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 11/4/2013 12:52:04 PM
Event ID: 321
Task Category: None
Level: Error
Keywords: AD FS
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: sso.uat.firstmarblehead.com/ccuniversity_sso
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
This request failed.
I created Issuance Transform Rules following the instructions in every article I found online. I have tried many versions of this; this is the latest attempt.
First rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");
Second rule:
c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
Here is the output from Get-ADFSRelyingPartyTrust:
AutoUpdateEnabled : False
DelegationAuthorizationRules :
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
IssuanceAuthorizationRules : @RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
IssuanceTransformRules : @RuleName = "tma1"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "http://sso.uat.firstmarblehead.com/ccuniversity_sso", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://auth.ccuniversity.edu/adfs/services/trust");
@RuleTemplate = "MapClaims"
@RuleName = "tms"
c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
ClaimsAccepted : {}
ConflictWithPublishedPolicy : False
EncryptClaims : True
Enabled : True
EncryptionCertificate : [Subject]
CN=*.uat.firstmarblehead.com, OU=Information Technology, O="First Marblehead Education Resources, Inc.", L=Boston, S=Massachusetts, C=US
[Issuer]
CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number]
098E9D684BFAE209A18CCEF5787321DC
[Not Before]
4/17/2013 8:00:00 PM
[Not After]
4/22/2016 8:00:00 AM
[Thumbprint]
CA87AB342FBD2B07FF6642FAE1B6F9A685914BC8
Identifier : {sso.uat.firstmarblehead.com/ccuniversity_sso}
LastMonitoredTime : 1/1/1900 12:00:00 AM
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 1/1/1900 12:00:00 AM
MetadataUrl :
MonitoringEnabled : False
Name : tms
NotBeforeSkew : 0
Notes :
OrganizationInfo :
ImpersonationAuthorizationRules : c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxySid({0})", param=c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxySid({0})", param=c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0})", param=c.Value );
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {[Subject]
CN=*.uat.firstmarblehead.com, OU=Information Technology, O="First Marblehead Education Resources, Inc.", L=Boston, S=Massachusetts, C=US
[Issuer]
CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number]
0FF7E7A675A284662D016D88667AB41F
[Not Before]
4/17/2013 8:00:00 PM
[Not After]
4/22/2016 8:00:00 AM
[Thumbprint]
24EC80DB593EAFB2828D779562EA8CED42D76846
}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : True
SamlEndpoints : {Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint, Microsoft.IdentityServer.PowerShell.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2000/09/xmldsig#rsa-sha1
TokenLifetime : 0
Here is the decoded/decrypted SAML. This is the POST to the IdP, which is our server:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s2eed242413a54b59b47903b814912ab1e84144944"
Version="2.0"
IssueInstant="2013-11-05T17:17:15Z"
Destination="https://auth.ccuniversity.edu/adfs/ls/"
ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso"
AllowCreate="true"
/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"
>
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Here is what the browser posts to the SP (their server):
<samlp:Response ID="_13d60ca8-b098-4373-96e3-e344668312f6"
Version="2.0"
IssueInstant="2013-11-05T17:17:40.234Z"
Destination="https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://auth.ccuniversity.edu/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_13d60ca8-b098-4373-96e3-e344668312f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>8a98Uanf5TQZNwTEGU46itoq4Nc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>aesO2KDvxadT+O2z3P84c190vBPOcHYKTZjP3Sow41iRNaMo09Tz1ERLSUw0/W3g+a67D/l5ZL5SsncsQCvhVLKwGy/JO1J1fHZuzxQ5YgoRqznYQWVUVI8x1G6ZTXuLFsnj7M5FJZNsv//uGwpPmdj/6+p7gvzkhX5mE6tCHeltKD7LDXwaO6O2XwpGNuUiYr8Zix27ZpEoVtRXrZLuSdkBhWvALyDt79MsYMRfe88FWEnWxImIMPmc/+JAj4Wnw7cSh1eSc51n2h4Ke69J2tpiiz/TgTe+N2rMDTfmHHljk6TPt1eNxMIDPIMZE1yA0NBP4QU/xf+PktNmz+rx2g==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
Here is the error shown in the browser:
GET https://sso.uat.firstmarblehead.com/favicon.ico HTTP/1.1
Host: sso.uat.firstmarblehead.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: amlbcookie=03; BIGipServerUAT.sso.firstmarblehead.com-HTTP=1548095916.20480.0000
HTTP/?.? 404 Not Found
Date: Tue, 05 Nov 2013 17:17:40 GMT
Server: Apache/2.2.17 (Red Hat Enterprise Web Server)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1
In AD FS Tracing --> Debug there are only two log entries that look important. This is the "Information" log:
Date: 10/25/2013 2:32:50 PM
Event ID: 49
Task Category: None
Level: Information
Keywords: ADFSSamlProtocol
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
<EventID>49</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000200</Keywords>
<TimeCreated SystemTime="2013-10-25T18:32:50.360003000Z" />
<EventRecordID>92</EventRecordID>
<Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
<Execution ProcessID="5068" ThreadID="5636" ProcessorID="1" KernelTime="3" UserTime="15" />
<Channel>AD FS 2.0 Tracing/Debug</Channel>
<Computer>domainserver2.cincybible.priv</Computer>
<Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>Response: Id='_36e6dc52-2c10-40d6-8c7c-be8340812130', InResponseTo='s21d64ddbc5730da20e41936d9059bdbcf8800fa40', Status='urn:oasis:names:tc:SAML:2.0:status:Requester(urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy)', Destination='https://sso.uat.firstmarblehead.com/openam/Consumer/metaAlias/fmdrealm001/ccuniversity_sso_sp': error response created</EventData>
</Event>
</UserData>
</Event>
This is the Error log:
Log Name: AD FS 2.0 Tracing/Debug
Source: AD FS 2.0 Tracing
Date: 10/25/2013 2:32:50 PM
Event ID: 47
Task Category: None
Level: Error
Keywords: ADFSSamlProtocol
User: CBC\adfsuser
Computer: domainserver2.cincybible.priv
Description:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
<EventID>47</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000200</Keywords>
<TimeCreated SystemTime="2013-10-25T18:32:50.309219800Z" />
<EventRecordID>88</EventRecordID>
<Correlation ActivityID="{4DD6736A-7793-4261-BF76-DC5F84FCE6EE}" />
<Execution ProcessID="5068" ThreadID="5636" ProcessorID="2" KernelTime="3" UserTime="12" />
<Channel>AD FS 2.0 Tracing/Debug</Channel>
<Computer>domainserver2.cincybible.priv</Computer>
<Security UserID="S-1-5-21-617894710-599159305-1136263860-26051" />
</System>
<UserData>
<Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: sso.uat.firstmarblehead.com/ccuniversity_sso. Actual NameID properties: null.
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)</EventData>
</Event>
</UserData>
</Event>
Has anyone done this, or does anyone have an idea of how to do it?
So, I have made some progress by changing the rules on ADFS (IdP) and OpenAM (SP). I am now getting an error regarding a certificate, which I am optimistic I can resolve.
Here are the exact updated rules:
Rule 1
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
Rule 2
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sso.uat.firstmarblehead.com/ccuniversity_sso");
This forum thread describes the changes made to OpenAM:
http://list-archives.org/2012/09/29/openam-forgerock-org/openam-and-adfs-fedration/f/1331885749
Note in particular the following section:
"> >>> Peter Major <peter.major@forgerock.com> 9/29/2012 3:04 AM >>>
>
> Go to the Federation page, and try to remove persistent nameid-format
> from both SP and IdP configuration (one of seems to be on the top of the
> nameid format, but adfs doesn't like it).
> The OpenAM side of the error is probably at handling the SAML error
> response, can you please provide the HTTP flow (or the SAML
> requests/responses)?"
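As an added example (not code from the original post, nor from ADFS or OpenAM), here is a small SP-side check in Python over the AuthnRequest/Response exchange shown above. It flattens the nested StatusCode chain, so the Requester/InvalidNameIDPolicy pair in the error response is reported as one error, and for a Success response it verifies that the asserted NameID carries the Format and SPNameQualifier the NameIDPolicy asked for, which is exactly the condition the issuance transform rules on the IdP must satisfy. The messages are constructed: the AuthnRequest and the error Response are trimmed copies of the ones in the post with the signature removed, and the success Response (IDs `_0`/`_1`, the opaque NameID value, and a plain Assertion even though EncryptClaims is True on this trust) is hypothetical. Signature verification and assertion decryption are out of scope here and must happen before any of this output is trusted.

```python
"""Check a SAML 2.0 Response against the NameIDPolicy of the AuthnRequest it
answers.  Added example, not code from the original post.  It does not verify
the XML signature or decrypt an EncryptedAssertion: do that first."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Trimmed copy of the AuthnRequest in the post (same ID and NameIDPolicy).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="s2eed242413a54b59b47903b814912ab1e84144944" Version="2.0"
    IssueInstant="2013-11-05T17:17:15Z">
  <saml:Issuer>sso.uat.firstmarblehead.com/ccuniversity_sso</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# The error Response from the post with the ds:Signature element removed.
ERROR_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_13d60ca8-b098-4373-96e3-e344668312f6" Version="2.0"
    InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Hypothetical success Response: the IDs, the opaque NameID value and the
# plain (unencrypted) Assertion are constructed for illustration only.
OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0" Version="2.0"
    InResponseTo="s2eed242413a54b59b47903b814912ab1e84144944">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_1" Version="2.0" IssueInstant="2013-11-05T17:17:40Z">
    <saml:Issuer>http://auth.ccuniversity.edu/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          SPNameQualifier="sso.uat.firstmarblehead.com/ccuniversity_sso">_4f0c9d2e7a1b</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def requested_nameid_policy(authn_request_xml):
    """Return (request ID, NameIDPolicy attributes or None if absent)."""
    root = ET.fromstring(authn_request_xml)
    pol = root.find("samlp:NameIDPolicy", NS)
    policy = None if pol is None else {
        "Format": pol.get("Format"),
        "SPNameQualifier": pol.get("SPNameQualifier"),
    }
    return root.get("ID"), policy


def status_codes(response_root):
    """Flatten the nested StatusCode chain, top-level code first."""
    codes = []
    node = response_root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def check_response(authn_request_xml, response_xml):
    """Return (ok, detail).  ok is True only for a Success Response whose
    NameID carries the Format and SPNameQualifier that were requested."""
    req_id, policy = requested_nameid_policy(authn_request_xml)
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != req_id:
        return False, "InResponseTo does not match the AuthnRequest ID"
    codes = status_codes(resp)
    if codes[:1] != [STATUS_SUCCESS]:
        return False, "IdP error status: " + " / ".join(codes)
    nameid = resp.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return False, "no plain Assertion/Subject/NameID (missing or still encrypted)"
    if policy:
        for attr in ("Format", "SPNameQualifier"):
            want, got = policy[attr], nameid.get(attr)
            if want and got != want:
                return False, f"NameID {attr} {got!r} does not match requested {want!r}"
    return True, nameid.text


if __name__ == "__main__":
    for label, xml in (("error", ERROR_RESPONSE), ("success", OK_RESPONSE)):
        print(label, check_response(AUTHN_REQUEST, xml))
```

Running the block prints the flattened Requester/InvalidNameIDPolicy status for the captured error response and the asserted NameID for the constructed success response. One caveat on the updated Rule 2 above: the transient format is defined by SAML 2.0 as an opaque, per-session identifier, so copying a user's mail address into a NameID stamped transient will satisfy the policy check but gives the SP a value that is not transient in meaning.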