    ...="false" WantAssertionsSigned="..."
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:8080/openfm-samples-ip/IDPSloRedirect/metaAlias/ip_meta_alias"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="...3000/account/complete"/>
  </SPSSODescriptor>
</EntityDescriptor>
And then in the Authrequest my NameIDPolicy is something like (in Ruby):

    "<samlp:NameIDPolicy" +
      " xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"" +
      " Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\"" +
      " SPNameQualifier=\"" + @sp_name_qualifier + "\"" +
      " AllowCreate=\"true\">\n" +
    "</samlp:NameIDPolicy>"
But I get a 500 error with opensso logging this to the debug/Federation log:

    libSAML2:11/12/2008 10:50:13:779 AM CST: Thread[httpSSLWorkerThread-8080-0,10,Grizzly]
    ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
    com.sun.identity.saml2.common.SAML2Exception: Unable to generate NameID value.
        at com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.getNameID(DefaultIDPAccountMapper.java:143)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getSubject(IDPSSOUtil.java:1378)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getAssertion(IDPSSOUtil.java:794)
        at com.sun.identity.saml2.profile.IDPSSOUtil.getResponse(IDPSSOUtil.java:651)
        at com.sun.identity.saml2.profile.IDPSSOUtil.sendResponseToACS(IDPSSOUtil.java:342)
        at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(IDPSSOFederate.java:569)
In OpenSSO, when I click on the Federation tab and click on the hosted IDP entity, I see that the NameID format {{urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress}} is included and a NameID value map entry of {{urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail}} along with some others.

How can I get OpenSSO to return the "mail" as the "emailAddress"?
Resolution

The exception means that the IDP is unable to find the user's 'mail' attribute in the datastore. Make sure that you are logged in as a user with an email address.
Browser throws 500 error during SSO

While the user is performing SSO, the browser shows an http 500 error with "Invalid Configuration". An error message similar to the example below is written to the amSAML.error log:

    The target site is missing from the URL

∙ Check the configuration file and make sure the SAML intersite transfer url can pick up the "TARGET" site.
∙ On the browser, the intersite transfer url should look like:
    http://hostname:port/amserver/SAMLAwareServlet?TARGET=http(s)://....&SAMLArt=....

This error normally occurs because the value of the TARGET parameter is empty or the TARGET parameter is missing from the above url. Since parameter names in the url query string are case sensitive, a user who types "target=..." instead of "TARGET=..." gets this error as well.
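A small validator for the intersite transfer url described above, added here as an example (not part of the FAQ or of OpenSSO); the host, port and artifact values in the sample urls are constructed placeholders. It reports the three conditions the entry names: TARGET missing, TARGET empty, and "target=" typed in the wrong case.

```python
# Added example, not OpenSSO code: checks an intersite transfer url of the form
#   http://hostname:port/amserver/SAMLAwareServlet?TARGET=<url>&SAMLArt=<artifact>
# for the TARGET problems the FAQ entry describes.
from urllib.parse import urlsplit, parse_qs


def check_intersite_transfer_url(url: str) -> list[str]:
    """Return the problems found; an empty list means the url looks fine."""
    problems = []
    parts = urlsplit(url)
    if not parts.path.endswith("/SAMLAwareServlet"):
        problems.append("path does not end in /SAMLAwareServlet")
    # keep_blank_values=True so "TARGET=" (empty) is distinguishable from no TARGET at all
    query = parse_qs(parts.query, keep_blank_values=True)
    if "TARGET" not in query:
        # the query string is case sensitive: "target" is not "TARGET"
        wrong_case = [k for k in query if k.lower() == "target"]
        if wrong_case:
            problems.append(f"parameter {wrong_case[0]!r} has the wrong case; it must be 'TARGET'")
        else:
            problems.append("TARGET parameter is missing")
    elif not query["TARGET"][0]:
        problems.append("TARGET parameter is empty")
    else:
        target = urlsplit(query["TARGET"][0])
        if target.scheme not in ("http", "https") or not target.netloc:
            problems.append("TARGET is not an absolute http(s) url")
    if not query.get("SAMLArt", [""])[0]:
        problems.append("SAMLArt parameter is missing or empty")
    return problems


if __name__ == "__main__":
    # constructed sample urls; hostname, port and artifact are placeholders
    base = "http://idp.example:8080/amserver/SAMLAwareServlet?"
    for query in ("TARGET=https://sp.example/app&SAMLArt=AAQAAMh48",
                  "target=https://sp.example/app&SAMLArt=AAQAAMh48",
                  "TARGET=&SAMLArt=AAQAAMh48"):
        print(query, "->", check_intersite_transfer_url(base + query) or "OK")
```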
There is no trusted site specified in the SAML service management

An error message similar to the example below is written to the browser only:

    There is no trusted site specified in the SAML service management.

∙ Log in to the Sun Java System Identity Server 2004Q2 console. The url should look like:
    http(s)://hostname:port/amconsole
∙ Click on the "Service Configuration" tab.
∙ On the left side of the frame, select "SAML" as "Service Name".
∙ On the right side of the frame, find "Trusted Partner Sites" and add one or multiple entries.
destID is not in the Trusted Partner Sites

An error message similar to the example below is written to the amSAML debug:

    IntersiteTransfer: Failed to create AssertionArtifact(s).
    AssertionManager.createAssertionArtifact(String,String): destID not in partner list.

∙ Verify that the destination page id is in the configuration.
  o If it is not, re-enter the configuration data and verify that there is a DestUrl named <destination_page_id>.
  o Otherwise, verify that the hostname of this banking agent is in the configuration.
∙ In a shell, type `hostname` without the single quotes.
∙ With the Control Center, verify that this hostname is listed as an AppHost.
∙ Log in to the OpenSSO console. Make sure this destID is on the "Trusted Partner Sites" list.
SAMLException when executing getAssertions method

The user tries to get a set of Assertions by calling the AssertionManagerClient class's method {{public Set getAssertions(SSOToken token) throws SAMLException}} and gets SAMLException: No privilege to perform the task. This API is normally used on the client/agent/sdk site.

    AssertionManager.getAssertions(SSOToken): SSOToken doesn't have the privilege

Check whether the user's role is the top level admin role. If not, the user needs to upgrade its role to the top level admin role in order to use this method.
SAMLException when executing getAssertionArtifacts method

The user tries to get a set of AssertionArtifacts by calling the AssertionManagerClient class's method {{public Set getAssertionArtifacts(SSOToken token)}} and gets {{SAMLException: No privilege to perform the task.}} This API is normally used on the client/agent/sdk site.
SAMLException when executing getAssertionByArtifact method

The user tries to get an Assertion for the input AssertionArtifact by calling the SAMLClient class's method {{public static Assertion getAssertionByArtifact(String artifact)}} and gets {{SAMLException: Failed in creating SOAP URL Endpoint}}. An error message similar to the example below is written to the amSAML debug:

    SAMLClient: artifactQueryHandler: createSOAPReceiverURL Error!

Resolution

With the OpenSSO console, make sure that there is a "SOAPUrl" attribute defined in the relevant entry on the "Trusted Partner Sites" list.
While the user is performing SSO, the browser shows an http 500 error.

AuthType and the protocol (based on SOAPUrl) do not match

With the OpenSSO console, make sure that the "AuthType" attribute matches the protocol of the "soapurl" attribute defined in the "Trusted Partner Sites" list. AuthType can be SSL, SSLWITHBASICAUTH, NOAUTH or BASICAUTH. If "SOAPUrl" is on https, AuthType must be SSL or SSLWITHBASICAUTH.
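An added example (not from the FAQ or from OpenSSO) that checks a Trusted Partner Sites entry for the AuthType/SOAPUrl mismatch described above. The "key=value|key=value" entry text is an assumed representation constructed for this example; the https rule is the one stated in the entry, and the http direction (no SSL AuthType for a plain http SOAPUrl) follows from the requirement that the two match.

```python
# Added example, not OpenSSO code: AuthType must agree with the scheme of SOAPUrl.
from urllib.parse import urlsplit

VALID_AUTH_TYPES = {"SSL", "SSLWITHBASICAUTH", "NOAUTH", "BASICAUTH"}
# AuthTypes that use TLS; the FAQ requires one of these when SOAPUrl is https
TLS_AUTH_TYPES = {"SSL", "SSLWITHBASICAUTH"}


def parse_partner_entry(entry: str) -> dict[str, str]:
    """Split an assumed 'k=v|k=v' entry into a dict; keys are lower-cased."""
    fields = {}
    for part in entry.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def check_auth_type(entry: str) -> list[str]:
    """Return the problems found in one partner entry; empty means consistent."""
    fields = parse_partner_entry(entry)
    problems = []
    soap_url = fields.get("soapurl")
    auth_type = fields.get("authtype", "").upper()
    if not soap_url:
        problems.append("SOAPUrl attribute is not defined")
        return problems
    if auth_type not in VALID_AUTH_TYPES:
        problems.append(f"AuthType {auth_type!r} is not one of {sorted(VALID_AUTH_TYPES)}")
        return problems
    scheme = urlsplit(soap_url).scheme.lower()
    if scheme == "https" and auth_type not in TLS_AUTH_TYPES:
        problems.append("SOAPUrl is https but AuthType is not SSL or SSLWITHBASICAUTH")
    elif scheme == "http" and auth_type in TLS_AUTH_TYPES:
        problems.append("SOAPUrl is plain http but AuthType expects SSL")
    elif scheme not in ("http", "https"):
        problems.append(f"SOAPUrl has unexpected scheme {scheme!r}")
    return problems


if __name__ == "__main__":
    # constructed sample entry; SourceID and host are placeholders
    sample = "SourceID=abc|SOAPUrl=https://partner.example/amserver/SAMLSOAPReceiver|AuthType=NOAUTH"
    print(check_auth_type(sample) or "OK")
```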
    SAMLClient:artifactQueryHandler
    com.sun.xml.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: Message send failed
        at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:...)

On the OpenSSO console, make sure that the "SOAPUrl" entry is correct.
There is no reply from SAMLSOAPReceiver

The user should check whether the "SOAPUrl" is an active one.
Couldn't verify the Response.

This problem normally relates to a misconfiguration of the saml keystore in the AMConfig.properties file.

First, the user should look into the amSAML debug to find out why the signature of the saml response cannot be validated.

Second, the user should recheck the following entries in OpenSSO:

    com.sun.identity.saml.xmlsig.keystore=/opt/SUNWam/sun-1-sign.jks
    com.sun.identity.saml.xmlsig.storepass=/opt/SUNWam/.storepass
    com.sun.identity.saml.xmlsig.keypass=/opt/SUNWam/.keypass
    com.sun.identity.saml.xmlsig.certalias=testcert

Third, the user needs to make sure that the paths leading to the keystore, storepass and keypass files indeed exist and are correct. Finally, the user should run the command:

    keytool -list -alias testcert -keystore /opt/SUNWam/sun-1-sign.jks

to check whether the signing cert is indeed in the keystore.
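The three checks above, as an added example (not from the FAQ or from OpenSSO): read the xmlsig entries from AMConfig.properties text, confirm the referenced files exist, and build the keytool command for the configured alias and keystore. The properties text is the FAQ's own sample; the `exists` parameter is an assumption made so the check can be exercised without touching the filesystem.

```python
# Added example, not OpenSSO code: validates the com.sun.identity.saml.xmlsig.*
# entries and produces the keytool command that lists the signing cert.
import os
import shlex
from typing import Callable, Optional

PREFIX = "com.sun.identity.saml.xmlsig."
REQUIRED = ("keystore", "storepass", "keypass", "certalias")

# the FAQ's sample entries, embedded here as test input
SAMPLE_PROPERTIES = """# AMConfig.properties excerpt
com.sun.identity.saml.xmlsig.keystore=/opt/SUNWam/sun-1-sign.jks
com.sun.identity.saml.xmlsig.storepass=/opt/SUNWam/.storepass
com.sun.identity.saml.xmlsig.keypass=/opt/SUNWam/.keypass
com.sun.identity.saml.xmlsig.certalias=testcert
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' and '!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_xmlsig_config(text: str, exists: Callable[[str], bool] = os.path.isfile
                        ) -> tuple[list[str], Optional[str]]:
    """Return (problems, keytool command); the command is None if the config is unusable."""
    props = parse_properties(text)
    problems = []
    values = {}
    for name in REQUIRED:
        values[name] = props.get(PREFIX + name, "")
        if not values[name]:
            problems.append(f"{PREFIX}{name} is missing or empty")
    # the three path-valued entries must point at files that really exist
    for name in ("keystore", "storepass", "keypass"):
        if values[name] and not exists(values[name]):
            problems.append(f"{PREFIX}{name} points to a missing file: {values[name]}")
    if not values["keystore"] or not values["certalias"]:
        return problems, None
    cmd = ["keytool", "-list", "-alias", values["certalias"], "-keystore", values["keystore"]]
    return problems, shlex.join(cmd)


if __name__ == "__main__":
    print(check_xmlsig_config(SAMPLE_PROPERTIES))
```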
Building of assertion fails with SAMLVersionMismatchException

The user's application calls the SAML sdk, specifically the Assertion constructor, to build an Assertion. It could fail with SAML