PingFederate: single sign-on authentication failed

I ran into this problem while running PingFederate:

Error - Single Sign-On
Single sign-on authentication was unsuccessful (reference # TAELHKAD).
Please contact your system administrator for assistance regarding this error.
Partner: localhost:default:entityId
Target Resource: http://sp-connection.com 

But the server log does not show any error message or indication:

16:32:32,854 DEBUG [IntegrationControllerServlet] GET: https://localhost:9031/idp/startSSO.ping
16:32:32,856 DEBUG [IdpAdapterSupportBase] IdP Adapter Selection disabled, performing legacy adapter selection.
16:32:32,859 DEBUG [InterReqStateMgmtMapImpl] Object removeAttr(key: null, name: NUMBER_OF_ATTEMPTS): null
16:32:32,860 DEBUG [AttributeMap] Ignoring attempt to add null value to attribute map for context.TargetResource
16:32:32,860 DEBUG [AttributeMapping] Source attributes:{not-before=2014-05-26T10:47:32Z, authnContext=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, subject=joe, userId=joe, context.AuthenticationCtx=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, context.ClientIp=127.0.0.1, not-on-or-after=2014-05-26T10:52:32Z, renew-until=2014-05-26T22:47:32Z, password=test, context.HttpRequest=/idp/startSSO.ping} Resulting attributes:{SAML_SUBJECT=joe}
16:32:32,862 DEBUG [TrackingIdSupport] [cross-reference-message] PFSessionXRefID:MzqNiwww3_exb1uk7K60oH69Wzx
16:32:32,863 DEBUG [IdpSessionRegistryMapImpl] registerSessionIssued: authnbean a6fff81d8b37477eb3f90824fdc8f2d3adb847c2 | assertion id MzqNiwww3_exb1uk7K60oH69Wzx
16:32:32,863 DEBUG [IdpSessionRegistryMapImpl] registerAuthnBean IdpHashableAuthnBean: a6fff81d8b37477eb3f90824fdc8f2d3adb847c2 with session id PedsaJJVNrmTayLjKvIOvz. Session now has 15 beans associated with it.
16:32:32,863 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:sbwb-ppc-idp subject:joe
16:32:32,885 DEBUG [LoggingInterceptor] Transported Response. OutMessageContext:
OutMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: sbwb-ppc-idp (SP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Endpoint: https://localhost:9031/sp/ACS.saml2
SignaturePolicy: BINDING_DEFAULT
16:32:32,942 DEBUG [ProtocolControllerServlet] ---REQUEST (POST)/sp/ACS.saml2 from 127.0.0.1: 
---PARAMETERS---
SAMLResponse:
   PHNhbWxwOlJlc3BvbnNlIFZlcnNpb249IjIuMCIgSUQ9InB2UUdKTm5RM1AyMkpfSl91QlNNY2tqMWpWZCIgSXNzdWVJbnN0YW50PSIyMDE0LTA1LTI2VDEwOjQ3OjMyLjg1NloiIERlc3RpbmF0aW9uPSJodHRwczovL2xvY2FsaG9zdDo5MDMxL3NwL0FDUy5zYW1sMiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmxvY2FsaG9zdDpkZWZhdWx0OmVudGl0eUlkPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KPGRzOlJlZmVyZW5jZSBVUkk9IiNwdlFHSk5uUTNQMjJKX0pfdUJTTWNrajFqVmQiPgo8ZHM6VHJhbnNmb3Jtcz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KPC9kczpUcmFuc2Zvcm1zPgo8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4KPGRzOkRpZ2VzdFZhbHVlPnhQaFNjNTNyWHlTVWJ4ZGZxMHZIRzBwdnVxND08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU+CnFvRUlDdjJGRmdEdWlmOEcwS1ZsaTJLV3lrdkxibnU0anpJWlJWaVM0V0F5UHVWS2F4SGlrMFpnNmNwNXlYMG5zNFBSamNHSDRLWlAKVWtaVE1aNVAzbUxPQWd2eTdBVVgwMnZzUVNzOWhGcU5sbURiZ0g3cjljM1V5SWRsNE9HZi9GQzFSY3NlN1o1Rklma0puVWM5eXU1cQpBRTlEbDdDc1dOZTB1emJMcGtRPQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24gSUQ9Ik16cU5pd3d3M19leGIxdWs3SzYwb0g2OVd6eCIgSXNzdWVJbnN0YW50PSIyMDE0LTA1LTI2VDEwOjQ3OjMyLjg2MVoiIFZlcnNpb249IjIuMCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWw6SXNzdWVyPmxvY2FsaG9zdDpkZWZhdWx0OmVudGl0eUlkPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sO
k5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5qb2U8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBSZWNpcGllbnQ9Imh0dHBzOi8vbG9jYWxob3N0OjkwMzEvc3AvQUNTLnNhbWwyIiBOb3RPbk9yQWZ0ZXI9IjIwMTQtMDUtMjZUMTA6NTI6MzIuODYxWiIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE0LTA1LTI2VDEwOjQyOjMyLjg2MVoiIE5vdE9uT3JBZnRlcj0iMjAxNC0wNS0yNlQxMDo1MjozMi44NjFaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnNid2ItcHBjLWlkcDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBTZXNzaW9uSW5kZXg9Ik16cU5pd3d3M19leGIxdWs3SzYwb0g2OVd6eCIgQXV0aG5JbnN0YW50PSIyMDE0LTA1LTI2VDEwOjQ3OjMyLjg2MFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
16:32:32,942 DEBUG [BindingFactory] POST
 with Params: [SAMLResponse]
 assume binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
 from: 127.0.0.1
 Referer: https://localhost:9031/idp/startSSO.ping?PartnerSpId=sbwb-ppc-idp&IdpAdapterId=sbwbinstance&opentoken=T1RLAQJ-xGLJVNYpt6wbFuBEdkTdV_H7ExDDab6qMWCtnsV-8a8MiZQoAACgJ8IrzSTee9EIMxp11drk1ECkiKk5ogNZpGTfMN64-QOJsNBdeMKeU-L3-iD0HjNKDFOoTFVbhtUr20WUp22RVpp8KtvErnHQ984ZAj9AD5h4DU_OVA1cpDDcF9zZVqC_EpLZkUoK3vH9oj5B0cBpIM7QpIOVys4YZXx6-83C7RgpoWg7nAFK_Yx0JtnrS7Nd-bc8EVcVIdSUhVcsSxBAnQ**
 AuthType: null
 Content-Type: application/x-www-form-urlencoded
16:32:32,955 DEBUG [LoggingInterceptor] Received InMessageContext:
InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true
16:32:32,965 WARN  [AudienceEvaluator] no protocol: sbwb-ppc-idp when checking audience sbwb-ppc-idp against https://localhost:9031
16:32:32,966 WARN  [ValidateWebSsoResponse] Invalid assertion 
Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions.  
16:32:32,967 DEBUG [TrackingIdSupport] [cross-reference-message] entityid:null subject:null
16:32:32,968 WARN  [HandleAuthnResponse] Invalid response: InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true
-------------------------------------
(reference# RMCQDOUY) Response contains no valid assertions: [
Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
Remarks:
Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions.  ]. InMessageContext
XML: <samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd" IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pvQGJNnQ3P22J_J_uBSMckj1jVd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xPhSc53rXySUbxdfq0vHG0pvuq4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>qoEICv2FFgDuif8G0KVli2KWykvLbnu4jzIZRViS4WAyPuVKaxHik0Zg6cp5yX0ns4PRjcGH4KZP
UkZTMZ5P3mLOAgvy7AUX02vsQSs9hFqNlmDbgH7r9c3UyIdl4OGf/FC1Rcse7Z5FIfkJnUc9yu5q
AE9Dl7CsWNe0uzbLpkQ=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2" NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction>
        <saml:Audience>sbwb-ppc-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="MzqNiwww3_exb1uk7K60oH69Wzx" AuthnInstant="2014-05-26T10:47:32.860Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
entityId: localhost:default:entityId (IDP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SignatureStatus: VALID
Binding says to sign: true
-------------------------------------

I have the following configuration:

  • The PF server acts as both the IdP and the SP server.
  • A query parameter is used to transfer the OpenToken from the IdP to PF.
  • I have created two adapters, one for the IdP and one for the SP.
  • And an SP connection on the IdP side (I have not configured an IdP connection yet).
  • IdP adapter to SP adapter mapping: I used the default data.zip as the base for PF.

I am stuck at this protocol endpoint: https://localhost:9031/sp/ACS.saml2

  1. Am I missing something in the adapter mapping?
  2. How does PF map/know which adapter to hit on the SP side for OpenToken generation?

Any hints/pointers would be greatly appreciated. Thanks.

server.log states what the error is:

16:32:32,965 WARN  [AudienceEvaluator] no protocol: sbwb-ppc-idp when checking audience sbwb-ppc-idp against https://localhost:9031    
16:32:32,966 WARN  [ValidateWebSsoResponse] Invalid assertion 
    Assertion (MzqNiwww3_exb1uk7K60oH69Wzx) Status: INVALID
    Remarks:
    Assertion audience condition validation failed, expecting localhost:default:entityId or a URL with the same hostname as the base URL (https://localhost:9031) in all audience restriction conditions. 

The SAML response is being generated correctly, but the audience value your SP expects differs from the one you are sending. Your IdP generates the audience value:

<saml:Audience>sbwb-ppc-idp</saml:Audience>

but the SP expects to receive localhost:default:entityId.

I notice you have opened several cases on basic setup by now. Have you been in touch with a Ping solution architect to help answer some of these questions?
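As an added illustration, and not part of the original question or answer nor PingFederate's own code, the Python script below re-implements the checks an SP applies to a bearer assertion after the signature has verified: Destination, audience restriction, validity window and SubjectConfirmationData. The audience rule is the one quoted in the log remark (the audience must equal the SP entity ID or be a URL whose hostname matches the base URL); the sample input is constructed from the Response in the question with the ds:Signature element removed, and all function and parameter names (`validate_response`, `audience_acceptable`, `sp_entity_id`, `base_url`, `acs_url`) are my own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample input: the Response logged in the question, with the
# ds:Signature element omitted because this check models what happens after
# signature verification has already reported VALID.
SAMPLE_RESPONSE = """<samlp:Response Version="2.0" ID="pvQGJNnQ3P22J_J_uBSMckj1jVd"
    IssueInstant="2014-05-26T10:47:32.856Z" Destination="https://localhost:9031/sp/ACS.saml2"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>localhost:default:entityId</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="MzqNiwww3_exb1uk7K60oH69Wzx" IssueInstant="2014-05-26T10:47:32.861Z" Version="2.0">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://localhost:9031/sp/ACS.saml2"
            NotOnOrAfter="2014-05-26T10:52:32.861Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-05-26T10:42:32.861Z" NotOnOrAfter="2014-05-26T10:52:32.861Z">
      <saml:AudienceRestriction><saml:Audience>sbwb-ppc-idp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """SAML instants are xs:dateTime in UTC; accept them with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable instant: {value}")


def audience_acceptable(audience, sp_entity_id, base_url):
    """Rule quoted in the PingFederate remark: the audience must equal the SP entity ID,
    or be a URL whose hostname matches the hostname of the SP base URL."""
    if audience == sp_entity_id:
        return True
    parsed = urlparse(audience)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False  # a bare string like "sbwb-ppc-idp" has no protocol and no hostname to compare
    return parsed.hostname == urlparse(base_url).hostname


def validate_response(xml_text, sp_entity_id, base_url, acs_url, now):
    """Return a list of remarks (hypothetical helper); an empty list means the assertion is accepted."""
    remarks = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        remarks.append(f"Response Destination {root.get('Destination')} does not match ACS URL {acs_url}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return remarks + ["Response contains no assertion"]

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before):
            remarks.append("Assertion is not yet valid (NotBefore is in the future)")
        if not_on_or_after and now >= parse_instant(not_on_or_after):
            remarks.append("Assertion has expired (Conditions NotOnOrAfter reached)")
        # Every AudienceRestriction must contain at least one acceptable audience.
        for restriction in cond.findall("saml:AudienceRestriction", NS):
            audiences = [(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)]
            if not any(audience_acceptable(a, sp_entity_id, base_url) for a in audiences):
                remarks.append(
                    f"Assertion audience condition validation failed: got {audiences}, "
                    f"expecting {sp_entity_id} or a URL with the same hostname as {base_url}"
                )

    # Bearer confirmation: the assertion must be addressed to this ACS and still be fresh.
    for scd in assertion.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != acs_url:
            remarks.append(f"SubjectConfirmationData Recipient {scd.get('Recipient')} does not match ACS URL")
        not_on_or_after = scd.get("NotOnOrAfter")
        if not_on_or_after and now >= parse_instant(not_on_or_after):
            remarks.append("SubjectConfirmationData has expired")
    return remarks


if __name__ == "__main__":
    at = parse_instant("2014-05-26T10:47:33Z")  # one second after the logged IssueInstant
    for sp_id in ("localhost:default:entityId", "sbwb-ppc-idp"):
        print(sp_id, "->", validate_response(SAMPLE_RESPONSE, sp_id, "https://localhost:9031",
                                             "https://localhost:9031/sp/ACS.saml2", at))
```

Run as-is, the first call reproduces the log's single remark (the audience `sbwb-ppc-idp` is neither the SP entity ID nor a URL, which is also why the evaluator logs "no protocol"), and the second shows the same Response accepted once the audience and the SP entity ID agree. The fix therefore belongs in the IdP's SP connection configuration (the partner entity ID it writes into the Audience), not in the adapter mapping. When running this against assertions received from a network peer rather than a captured log, parse with `defusedxml` instead of the stdlib parser, and keep the signature check ahead of these conditions checks as PingFederate does.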
