duanlinzhen7235
2011-10-14 13:24
浏览 110
已采纳

如何设置simplesamlphp以将ADFS 2用作idp

I'm trying to get simplesamlphp 1.8 to use ADFS 2 as IdP.

Now I'm seriously stuck when getting browser NTLM authentication dialog, which does not accept any login (after selecting "Test authentication sources" -> "default-sp").

In config/config.php

'default-sp' => array(
        'saml:SP',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        'idp' => 'http://fs.example.org/adfs/services/trust',
    ),

In metadata/saml20-idp-remote.php (Converted from https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml with /admin/metadata-converter.php)

    $metadata['http://fs.example.com/adfs/services/trust'] = array (
  'entityid' => 'http://fs.example.com/adfs/services/trust',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://fs.example.com/adfs/ls/',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIC3DCCA....',
    ),
    1 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIC1j....',
    ),
  ),
);

In ADFS Claim Rules I have "Permit Access to All Users" and Transform rule "E-Mail-Address -> Name ID"

Any ideas how to proceed?

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dsa111111 2011-10-17 11:30
    已采纳

    Actual problem was in that while setting DNS records I created a CNAME fs.example.com to dc.exampledomain.com. After replacing CNAME record to A record authentication went through.

    This did not solved whole question but answered the getting stuck part :)

    I also needed to set SHA-1 as secure hash algorithm in relying party properties instead of SHA-256.

    已采纳该答案
    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题