[Posted]: 2014-07-29 14:20:31
[Problem description]:
I am using Shibboleth as the SP for SAML authentication in my asp.net application. The IdP authenticates the user and sends the response to Shibboleth, which sets an HTTP request variable for each attribute returned by the IdP.
The log below shows two authentication requests. In the first I can see the attributes being sent correctly, but in the second no attributes are sent at all. The attributes are normally sent in the IdP's XML response under the "saml:AttributeStatement" node, but that node does not appear in the second request. The warn log below also shows this.
Why are these attributes not sent from the IdP on the second request?
Is there anything else I can look for in the configuration/logs?
I cannot reproduce the problem consistently yet. I tried waiting until Shibboleth had dropped its cached response (I think it caches the response from the IdP?), but sometimes the IdP returns the attribute node and sometimes it does not.
Warn log:
2014-07-29 09:37:11 WARN Shibboleth.AttributeResolver.Query [32]: no SAML 2 AttributeAuthority role found in metadata
Shibd Log:
2014-07-29 09:29:39 INFO Shibboleth.SessionCache [32]: new session created: ID (_4a08732fafc683618ec84f743679a558) IdP (https://<idp url>) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (<client ip>)
2014-07-29 09:37:10 INFO Shibboleth.SessionCache [32]: removed session (_4a08732fafc683618ec84f743679a558)
2014-07-29 09:37:11 WARN Shibboleth.AttributeResolver.Query [32]: no SAML 2 AttributeAuthority role found in metadata
2014-07-29 09:37:11 INFO Shibboleth.SessionCache [32]: new session created: ID (_ebfc98924b1bafc96a646a9e0ef97cd8) IdP (https://<idp url>) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.60.112.1)
2014-07-29 09:37:12 INFO XMLTooling.StorageService : purged 8 expired record(s) from storage
Transaction Log:
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: New session (ID: _4a08732fafc683618ec84f743679a558) with (applicationId: default) for principal from (IdP: https://<idp url>) at (ClientAddress: <client ip>) with (NameIdentifier: test@testdomain.com) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-eyHUtkCazAdXC6cMPibbv8YhuYc-)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: Cached the following attributes with session (ID: _4a08732fafc683618ec84f743679a558) for (applicationId: default) {
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: username (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: userGUID (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: lastname (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: role (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: firstname (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: companyName (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: companyGUID (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: emailAddress (1 values)
2014-07-29 09:29:39 INFO Shibboleth-TRANSACTION [32]: }
2014-07-29 09:37:11 INFO Shibboleth-TRANSACTION [32]: New session (ID: _ebfc98924b1bafc96a646a9e0ef97cd8) with (applicationId: default) for principal from (IdP: https://<idp url>) at (ClientAddress: <client ip>) with (NameIdentifier: test@testdomain.com) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-jAnsCQo6-BH2skcHhzj8i63jKxQ-)
2014-07-29 09:37:11 INFO Shibboleth-TRANSACTION [32]: Cached the following attributes with session (ID: _ebfc98924b1bafc96a646a9e0ef97cd8) for (applicationId: default) {
2014-07-29 09:37:11 INFO Shibboleth-TRANSACTION [32]: emailAddress (1 values)
2014-07-29 09:37:11 INFO Shibboleth-TRANSACTION [32]: }
[Discussion]:
Tags: .net asp.net-mvc single-sign-on shibboleth
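When the SP transaction log shows a session cached with fewer attributes than expected, the quickest way to settle whether the IdP or the SP dropped them is to inspect the raw SAML Response for its saml:AttributeStatement. The following is an added diagnostic example, not code from the question or from Shibboleth: it parses a Response, lists the Attribute Name values it carries, and reports which of the names from the first session in the log are missing. The two Responses it parses are constructed samples built from the attribute names in the question's log, not real IdP output.

```python
"""Report which SAML 2.0 attributes an IdP Response actually carries.

Added diagnostic example (not part of the original question or of Shibboleth):
parses the <saml:AttributeStatement> of a Response so a missing statement can
be confirmed in the XML rather than inferred from the SP transaction log.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names the first session in the question's transaction log cached.
EXPECTED = {"username", "userGUID", "lastname", "role", "firstname",
            "companyName", "companyGUID", "emailAddress"}


def _response(attr_names):
    """Build a minimal constructed Response carrying the given attributes (sample data)."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue>'
        f"</saml:Attribute>" for n in attr_names)
    stmt = f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>" if attrs else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f"<saml:Assertion><saml:Subject><saml:NameID>test@testdomain.com</saml:NameID>"
            f"</saml:Subject>{stmt}</saml:Assertion></samlp:Response>")


def has_attribute_statement(response_xml):
    """True if the Response contains at least one saml:AttributeStatement."""
    root = ET.fromstring(response_xml)
    return root.find(".//saml:AttributeStatement", NS) is not None


def released_attributes(response_xml):
    """Return the set of Attribute Name values found in any AttributeStatement."""
    root = ET.fromstring(response_xml)
    return {a.get("Name") for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}


def missing_attributes(response_xml, expected=EXPECTED):
    """Names in `expected` that the Response did not release."""
    return expected - released_attributes(response_xml)


if __name__ == "__main__":
    first = _response(sorted(EXPECTED))          # mirrors the 09:29 session in the log
    second = _response(["emailAddress"])         # mirrors the 09:37 session in the log
    for label, xml in (("first", first), ("second", second)):
        print(f"{label}: statement={has_attribute_statement(xml)} "
              f"released={sorted(released_attributes(xml))} "
              f"missing={sorted(missing_attributes(xml))}")
```

Run it against the decoded Response captured from the browser (the Base64 SAMLResponse form field) for each login; if the second Response really lacks the statement, the gap is on the IdP's release side rather than in the SP's attribute handling.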