Shibboleth passing attributes to server variables in PHP

I am building a SAML-based federated authentication mechanism where the IdP is ADFS 2.0 and the SP is Shibboleth running on Linux. I am able to do the following:

  1. Attempt to access a protected page, which redirects me to the IdP login page.
  2. Log in through the IdP login page and get returned to the protected page.
  3. Browse to spserver.internal/Shibboleth.sso/Session and see the returned attributes, including eppn.

However, I am unable to extract the eppn attribute in PHP in the form of the REMOTE_USER header.

I have disabled attribute-policy.xml (commented out in shibboleth2.xml).

I am missing something trivial, I suspect, but for the life of me I don't know what. Either PHP isn't picking up the server variables that Shibboleth sets, or Shibboleth is never setting them. Any ideas?

Output from spserver.internal/Shibboleth.sso/Session

  Miscellaneous
  Session Expiration (barring inactivity): 479 minute(s)
  Client Address: abcd
  SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
  Identity Provider: http://veragence.thesixthflag.com/adfs/services/trust
  Authentication Time: 2014-10-28T11:55:23.947Z
  Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  Authentication Context Decl: (none)

  Attributes
  eppn: [email protected]

Relevant line from shibboleth2.xml:

  <ApplicationDefaults entityID="https://spURL/shibboleth" REMOTE_USER="eppn persistent-id targeted-id"> 

Relevant lines from attribute-map.xml:

  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>

Relevant output from shibd.log:

  2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: extracting issuer from SAML 2.0 assertion
  2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
  2014-10-28 11:55:21 DEBUG XMLTooling.StorageService [2]: inserted record (_06157709-48ab-4701-90b2-b3ecea5df51f) in context (MessageFlow) with expiration (1414497564)
  2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
  2014-10-28 11:55:21 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: attempting to validate signature with the peer's credentials
  2014-10-28 11:55:21 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: signature validated with credential
  2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: signature verified against message issuer
  2014-10-28 11:55:21 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [2]: assertion satisfied bearer confirmation requirements
  2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: SSO profile processing completed successfully
  2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: extracting pushed attributes...
  2014-10-28 11:55:21 DEBUG Shibboleth.AttributeExtractor.XML [2]: unable to extract attributes, unknown XML object type: samlp:Response
  2014-10-28 11:55:21 DEBUG Shibboleth.AttributeExtractor.XML [2]: unable to extract attributes, unknown XML object type: {urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement
  2014-10-28 11:55:21 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  2014-10-28 11:55:21 DEBUG Shibboleth.AttributeDecoder.Scoped [2]: decoding ScopedAttribute (eppn) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) with 1 value(s)
  2014-10-28 11:55:21 DEBUG Shibboleth.SSO.SAML2 [2]: resolving attributes...
  2014-10-28 11:55:21 DEBUG Shibboleth.AttributeResolver.Query [2]: found AttributeStatement in input to new session, skipping query
  2014-10-28 11:55:21 DEBUG Shibboleth.SessionCache [2]: creating new session
  2014-10-28 11:55:21 DEBUG Shibboleth.SessionCache [2]: storing new session..
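The following is an added example, not code from the original post, showing how PHP can read whatever the Shibboleth SP has exposed and how to tell which channel (Apache environment variables versus HTTP headers) is actually reaching PHP. It assumes the standard SP variable names: REMOTE_USER as configured on the ApplicationDefaults element, the attribute id from attribute-map.xml (eppn), Shib-Session-ID, and their HTTP_ prefixed forms that only appear when ShibUseHeaders On is set. The sample $_SERVER array and the address in it are constructed for offline testing; the function and helper names are my own.

```php
<?php
// Added example (not from the original post): read the Shibboleth-supplied
// identity from PHP, trying the places the SP can expose it depending on how
// PHP is wired to Apache. Requires PHP 8 (str_starts_with).
declare(strict_types=1);

/**
 * Return the authenticated principal, or null if no Shibboleth session is
 * visible to PHP.
 *
 * Lookup order:
 *  1. REMOTE_USER            set by mod_shib when PHP runs in-process (mod_php)
 *  2. REDIRECT_REMOTE_USER   Apache re-prefixes variables across internal redirects
 *  3. eppn                   the raw attribute variable, named by id= in attribute-map.xml
 *  4. HTTP_REMOTE_USER /     present only with ShibUseHeaders On (FastCGI / PHP-FPM
 *     HTTP_EPPN              setups, where Apache env vars do not reach PHP)
 */
function shib_principal(array $server): ?string
{
    // Only trust an identity if the SP reports an active session alongside it.
    $sessionId = $server['Shib-Session-ID']
        ?? $server['HTTP_SHIB_SESSION_ID']
        ?? null;
    if ($sessionId === null || $sessionId === '') {
        return null;
    }

    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER', 'eppn',
              'HTTP_REMOTE_USER', 'HTTP_EPPN'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return (string) $server[$key];
        }
    }
    return null;
}

/**
 * Collect everything the SP exposed, to see which channel is in use.
 * Environment-variable form starts with "Shib-"; header form with "HTTP_SHIB_".
 */
function shib_debug_vars(array $server): array
{
    $interesting = ['REMOTE_USER', 'REDIRECT_REMOTE_USER', 'eppn',
                    'HTTP_REMOTE_USER', 'HTTP_EPPN'];
    $out = [];
    foreach ($server as $k => $v) {
        if (str_starts_with($k, 'Shib-')
            || str_starts_with($k, 'HTTP_SHIB_')
            || in_array($k, $interesting, true)) {
            $out[$k] = $v;
        }
    }
    return $out;
}

// Constructed sample input: what $_SERVER looks like under mod_php when the
// SP sets the variables directly (values are made up for this example).
$sample = [
    'Shib-Session-ID'        => '_constructedsessionid',
    'Shib-Identity-Provider' => 'http://veragence.thesixthflag.com/adfs/services/trust',
    'REMOTE_USER'            => 'someone@example.org',
    'eppn'                   => 'someone@example.org',
];
var_dump(shib_principal($sample));
print_r(shib_debug_vars($sample));

// In a real request, pass $_SERVER instead of the sample:
// $user = shib_principal($_SERVER);
// if ($user === null) { http_response_code(401); exit; }
```

If shib_debug_vars($_SERVER) comes back empty on the protected page while /Shibboleth.sso/Session shows the attributes, PHP simply is not seeing the variables mod_shib sets; that is the usual picture when PHP runs under FastCGI or PHP-FPM rather than in-process, and the header route (ShibUseHeaders On, then HTTP_EPPN and friends) is the way around it. The header route is only safe because mod_shib strips inbound copies of those header names before they reach the application; if any request can reach PHP without passing through the SP (a second vhost, a bypassed proxy), HTTP_EPPN is attacker-controlled and must not be treated as an identity.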