Shibboleth SP not resolving attributes sent by the Shibboleth IDP

Time: 2017-06-01 14:18:13

Tags: ldap single-sign-on openldap shibboleth

I have a working Shibboleth IDP & SP, but the SP is not resolving some of the attributes.

In the IDP log you can see that the values below have been released, but the SP does not pick them up.

Released attributes: commonName, transientId, surname, givenName, sAMAccountName

Here are the log files.

Shibboleth IDP - log

18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute commonName has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute surname has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute givenName has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute sAMAccountName has 1 values after filtering
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Removing attribute from return set, no more values: displayName
18:18:15.267 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal edison.  The following attributes remain: [commonName, transientId, surname, givenName, sAMAccountName]
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute commonName with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute surname with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.268 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute givenName with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.269 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute sAMAccountName with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
18:18:15.289 - INFO [Shibboleth-Audit:1028] - 20170601T124815Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_f29312df4af4e495770ee67f15bb462c|https://10.1.50.11/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://10.1.50.11:8443/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_15e1d92e1a8d5a07c2cd84808b540f77|edison|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|commonName,transientId,surname,givenName,sAMAccountName,|_a4ba91c098206a53a94b5ed2deeefbc9||

Shibboleth SP - log

edison@DLSYS1X031:/var/log/shibboleth$ tail -n 100 shibd.log
2017-06-01 19:06:12 INFO Shibboleth.Config : shibboleth 2.5.2 library initialization complete
2017-06-01 19:06:12 INFO Shibboleth.Config : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.Config : loaded XML resource (/etc/shibboleth/shibboleth2.xml)
2017-06-01 19:06:12 INFO Shibboleth.Config : Shibboleth SP Version 2.5.2
2017-06-01 19:06:12 INFO Shibboleth.Config : Library versions: log4shib 1.0.8, Xerces-C 3.1.1, XML-Security-C 1.7.2, XMLTooling-C 1.5.3, OpenSAML-C 2.5.3, Shibboleth 1.5.2
2017-06-01 19:06:12 INFO Shibboleth.Config : building ListenerService of type UnixListener...
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (set::RelayState)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (get::RelayState)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (set::PostData)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (get::PostData)
2017-06-01 19:06:12 INFO Shibboleth.Config : no StorageService plugin(s) installed, using (mem) in-memory instance
2017-06-01 19:06:12 INFO Shibboleth.Config : no ReplayCache specified, using arbitrary StorageService instance
2017-06-01 19:06:12 INFO Shibboleth.Config : no ArtifactMap specified, building in-memory ArtifactMap...
2017-06-01 19:06:12 INFO Shibboleth.Config : no SessionCache specified, using StorageService-backed instance
2017-06-01 19:06:12 INFO XMLTooling.StorageService : cleanup thread started...running every 900 seconds
2017-06-01 19:06:12 INFO Shibboleth.SessionCache : bound to arbitrary StorageService
2017-06-01 19:06:12 INFO Shibboleth.SessionCache : StorageService for 'lite' use not set, using standard StorageService
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (find::StorageService::SessionCache)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (remove::StorageService::SessionCache)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (touch::StorageService::SessionCache)
2017-06-01 19:06:12 INFO Shibboleth.Config : building SecurityPolicyProvider of type XML...
2017-06-01 19:06:12 INFO Shibboleth.SecurityPolicyProvider.XML : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.SecurityPolicyProvider.XML : loaded XML resource (/etc/shibboleth/security-policy.xml)
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Audience
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Audience
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Ignore
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Ignore
2017-06-01 19:06:12 INFO OpenSAML.SecurityPolicyRule.Conditions : building SecurityPolicyRule of type Ignore
2017-06-01 19:06:12 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmldsig-more#rsa-md5)
2017-06-01 19:06:12 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmldsig-more#md5)
2017-06-01 19:06:12 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmlenc#rsa-1_5)
2017-06-01 19:06:12 INFO Shibboleth.Config : building ProtocolProvider of type XML...
2017-06-01 19:06:12 INFO Shibboleth.ProtocolProvider.XML : loaded XML resource (/etc/shibboleth/protocols.xml)
2017-06-01 19:06:12 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2017-06-01 19:06:12 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (run::AssertionLookup)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Login::run::SAML2SI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Login::run::Shib1SI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/POST-SimpleSign)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML2/ECP)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SAML/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Logout::run::SAML2LI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Logout::run::LocalLI)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/SOAP)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/Redirect)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/SLO/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/SOAP)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/Redirect)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/POST)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/NIM/Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Artifact/SOAP::run::SAML2Artifact)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Metadata)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/Status)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default/DiscoFeed)
2017-06-01 19:06:12 INFO Shibboleth.DiscoveryFeed : feed files will be cached in /var/cache/shibboleth/
2017-06-01 19:06:12 INFO Shibboleth.Application : building MetadataProvider of type XML...
2017-06-01 19:06:12 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/etc/shibboleth/idp-Metadata.xml)
2017-06-01 19:06:12 INFO Shibboleth.Application : no TrustEngine specified or installed, using default chain {ExplicitKey, PKIX}
2017-06-01 19:06:12 INFO OpenSAML.MetadataProvider.XML : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.Application : building AttributeExtractor of type XML...
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : loaded XML resource (/etc/shibboleth/attribute-map.xml)
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:uid
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:0.9.2342.19200300.100.1.1
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonAffiliation
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.1
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:cn
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.3
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:sn
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.4
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:ou
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.11
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:o
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:2.5.4.10
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:0.9.2342.19200300.100.1.3
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:mail
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonTargetedID
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2017-06-01 19:06:12 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2017-06-01 19:06:12 INFO Shibboleth.Application : building AttributeFilter of type XML...
2017-06-01 19:06:12 INFO Shibboleth.AttributeFilter : reload thread started...running when signaled
2017-06-01 19:06:12 INFO Shibboleth.AttributeFilter : loaded XML resource (/etc/shibboleth/attribute-policy.xml)
2017-06-01 19:06:12 INFO Shibboleth.Application : building AttributeResolver of type Query...
2017-06-01 19:06:12 INFO Shibboleth.Application : building CredentialResolver of type File...
2017-06-01 19:06:12 INFO XMLTooling.SecurityHelper : loading private key from file (/etc/shibboleth/sp-key.pem)
2017-06-01 19:06:12 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/etc/shibboleth/sp-cert.pem)
2017-06-01 19:06:12 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2017-06-01 19:06:12 INFO Shibboleth.Listener : listener service starting
2017-06-01 19:06:14 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:14 INFO Shibboleth.AttributeExtractor.XML [1]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
2017-06-01 19:06:14 INFO Shibboleth.SessionCache [1]: new session created: ID (_c699b07ff63f25bc28ef60abd9344a33) IdP (https://10.1.50.11:8443/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.1.50.11)
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
2017-06-01 19:06:41 INFO Shibboleth.SessionCache [3]: new session created: ID (_c3f9a98ce69aa26654851f25cbd03b7f) IdP (https://10.1.50.11:8443/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.1.50.11)
2017-06-01 19:21:12 INFO XMLTooling.StorageService : purged 4 expired record(s) from storage

I think this is where it fails; is something wrong here?

2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221

1 answer:

Answer 0 (score: 3)

Managed to resolve the issue after mapping the correct attribute ids in attribute-map.xml:

<Attribute name="urn:mace:dir:attribute-def:uid" id="uid" />
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />

<Attribute name="urn:mace:dir:attribute-def:samaccountname" id="samaccountname" />
<Attribute name="urn:oid:1.2.840.113556.1.4.221" id="samaccountname" />
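
As an added example (it is not part of the question or the answer above, and not Shibboleth project code): a Python check that reads the "skipping unmapped SAML 2.0 Attribute" lines from shibd.log, compares the reported names with the <Attribute> entries in attribute-map.xml, and prints the elements still missing. The log excerpt and the map are constructed samples in the shape of the ones on this page; the map already carries the sAMAccountName entry from the answer, so the script flags the other skipped OID, urn:oid:2.5.4.42, which is the standard OID for givenName and is not covered by the answer's fix. KNOWN_OIDS is my own lookup table of standard OIDs used only to suggest an id. The script also pulls out the two startup WARN lines (cookieProps and handlerSSL) that appear in the question's shibd.log, since both are worth fixing on an SP that is served over TLS.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the shibd.log lines quoted in the question
# (session ID shortened; the two WARN lines mirror the ones in the question's log).
SAMPLE_LOG = """\
2017-06-01 19:06:12 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2017-06-01 19:06:12 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42
2017-06-01 19:06:41 INFO Shibboleth.AttributeExtractor.XML [3]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.2.840.113556.1.4.221
2017-06-01 19:06:41 INFO Shibboleth.SessionCache [3]: new session created: ID (_c3f9a98c) IdP (https://10.1.50.11:8443/idp/shibboleth)
"""

# Constructed, cut-down attribute-map.xml (the stock file ships many more entries).
# It already maps sAMAccountName as in the accepted answer, but not givenName.
SAMPLE_MAP = """<?xml version="1.0" encoding="UTF-8"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:mace:dir:attribute-def:samaccountname" id="samaccountname"/>
    <Attribute name="urn:oid:1.2.840.113556.1.4.221" id="samaccountname"/>
</Attributes>
"""

# Standard OIDs for the attributes the IdP in the question released; this table
# is an assumption of the example and is used only to suggest a readable id.
KNOWN_OIDS = {
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:1.2.840.113556.1.4.221": "sAMAccountName",
}

UNMAPPED_RE = re.compile(r"skipping unmapped SAML 2\.0 Attribute with Name: (\S+)")
WARN_RE = re.compile(r"^\S+ \S+ WARN (\S+) : (.*)$")


def unmapped_names(log_text):
    """Distinct SAML attribute names shibd reported as unmapped, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def mapped_names(map_xml):
    """{saml_name: sp_id} for every <Attribute> element in an attribute-map.xml document."""
    root = ET.fromstring(map_xml)
    # Compare on the local tag name so this works with or without the namespace declaration.
    return {el.get("name"): el.get("id")
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Attribute"}


def missing_mappings(log_text, map_xml):
    """Names shibd skipped that still have no <Attribute> entry in the map."""
    mapped = mapped_names(map_xml)
    return [n for n in unmapped_names(log_text) if n not in mapped]


def suggested_elements(names):
    """<Attribute> lines to add for each missing name; the id is a suggestion, not a requirement."""
    out = []
    for n in names:
        # Fall back to the bare OID when the name is not in KNOWN_OIDS.
        sp_id = KNOWN_OIDS.get(n, n.rsplit(":", 1)[-1])
        out.append(f'<Attribute name="{n}" id="{sp_id}"/>')
    return out


def config_warnings(log_text):
    """(component, message) for every WARN line, such as the cookieProps/handlerSSL warnings at startup."""
    return [m.groups() for m in map(WARN_RE.match, log_text.splitlines()) if m]


if __name__ == "__main__":
    for element in suggested_elements(missing_mappings(SAMPLE_LOG, SAMPLE_MAP)):
        print("add to attribute-map.xml:", element)
    for component, message in config_warnings(SAMPLE_LOG):
        print("startup warning:", component, "-", message)
```

Run it against the real files with the two sample constants replaced by the contents of /var/log/shibboleth/shibd.log and /etc/shibboleth/attribute-map.xml. After adding the suggested elements, restart shibd (or signal a reload) and confirm the attributes are present in the SP's Session handler (typically /Shibboleth.sso/Session) before relying on them in the application; the id you pick is the name the application will see, so keep it consistent with whatever the application already expects.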
