Ich versuche, Shibboleth SP mit OneLogin [SAML Test Connector (IdP w/attr)] in meinem Labor zu arbeiten. Ich konnte alles mit testshib IDP arbeiten bekommen, aber wenn ich meine Metadaten-Provider ändern und meine SSO Entity ID aktualisieren bekomme ich nur diesen Fehler:onelogin SSO shibboleth ACS config
SAML-Nachricht mit POST falschen Server-URL geliefert
Bei der Betrachtung meine Metadatendatei ich sehe, dass mein ACS ist:
http://testserver/Shibboleth.sso/SAML2/POST
aber, wenn dies in meinem ONELOGIN Teststecker platziert ist alles, was ich bekomme, ist der obige Fehler.
Unten ist mein Shibboleth2.xml-Datei (mit entfernt Entität ID)
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
<!-- Windows RequestMapper -->
<!--
The RequestMap defines portions of the webspace to protect; testserver/secure here.
-->
<!--
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap
-->
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="false">
<!--
Maps IIS Instance ID values to the host scheme/name/port. The name is
required so that the proper <Host> in the request map above is found without
having to cover every possible DNS/IP combination the user might enter.
-->
<Site id="1" name="testserver"/>
<!--
When the port and scheme are omitted, the HTTP request's port and scheme are used.
If these are wrong because of virtualization, they can be explicitly set here to
ensure proper redirect generation.
-->
<!--
<Site id="42" name="virtual.example.org" scheme="https" port="443"/>
-->
</ISAPI>
</InProcess>
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="testserver">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<!--
The entityID is the name TestShib made for your SP.
-->
<ApplicationDefaults entityID="" REMOTE_USER="eppn">
<!--
You should use secure cookies if at all possible. See cookieProps in this Wiki article.
-->
<!--
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
<!--
Triggers a login request directly to the TestShib IdP.
-->
<!--
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO
-->
<SSO entityID="">SAML2</SSO>
<!-- SAML and local-only logout. -->
<!--
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout
-->
<Logout>SAML2 Local</Logout>
<!--
Handlers allow you to interact with the SP and gather more information. Try them out!
Attribute values received by the SP through SAML will be visible at:
http://sdserver/Shibboleth.sso/Session
-->
<!--
Extension service that generates "approximate" metadata based on SP configuration.
-->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Error pages to display to yourself if something goes horribly wrong.
-->
<Errors supportContact="[email protected]" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
<!--
Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it.
-->
<MetadataProvider type="XML" file="onelogin_metadata.xml"/>
<!--
Attribute and trust options you shouldn't need to change.
-->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!--
Your SP generated these credentials. They're used to talk to IdP's.
-->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<!--
Security policies you shouldn't change unless you know what you're doing.
-->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!--
Low-level configuration about protocols and bindings available for use.
-->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Metadaten (wieder sensible Informationen entfernt)
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/">
<IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://.onelogin.com/trust/saml2/http-post/sso/"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://.onelogin.com/trust/saml2/soap/sso/"/>
</IDPSSODescriptor>
<ContactPerson contactType="technical">
<SurName>Support</SurName>
<EmailAddress>[email protected]</EmailAddress>
</ContactPerson>
</EntityDescriptor>
Der Stecker nur diese Einstellungen hat:
ACS (Consumer) URL-Validator: ^ http: //testserver/shibboleth.sso/SAML2/POST$
URLACS (Consumer) http://testserver/shibboleth.sso/SAML2/POST
Können Sie SP Metadaten teilen und was setzen Sie am Stecker verbunden ist? – smartin
Aktualisiert. Vielen Dank! –