Я настраиваю федеративную регистрацию для своего приложения, используя simplesamlphp Я получаю сообщение об ошибке Не удалось найти поддерживаемую точку SingleSignonServiceEndpoint. По моим исследованиям, это происходит, когда IDP хочет использовать http-post. Это действительно значение по умолчанию для метаданных xml, но он также поддерживает http-redirect как третичную опцию. Я изменил php, чтобы сделать http-перенаправление по умолчанию, добавив isDefault к методу http-redirect, все еще получая ту же ошибку. Что интересно, если мы сначала зайдем на портал входа в систему adfs и войдем в систему, перенаправление больше не будет необходимым, и мы получим обратно те требования, которые ожидаем. В противном случае мы получим ошибку.
AuthSources.php
<?php
$config = array(
// This is a authentication source which handles admin authentication.
'admin' => array(
// The default is to use core:AdminPassword, but it can be replaced with
// any authentication source.
'core:AdminPassword',
),
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs. If you make any configuration changes, you will need
// to update the RPT at the IdP.
'app' => array(
'saml:SP',
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
'entityID' => null,
// !!CHANGE ME!!
// The entity ID of the IdP this should SP should contact.
// Should be the same as the IDP listed in the metadata from SimpleSAMLphp.
'idp' => 'http://********/adfs/services/trust',
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => null,
// ADFS 2012R2 requires signing of the logout - the others are optional (may be overhead you don't want.)
'sign.logout' => true,
'redirect.sign' => true,
'assertion.encryption' => true,
// We now need a certificate and key. The following command (executed on Linux usually)
// creates a self-signed cert and key, using SHA256, valid for 2 years.
// openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
'privatekey' => 'sw.key',
'certificate' => 'sw.crt',
// Enforce the use of SHA-256 by default.
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
),
);
saml20-IDP-remote.php
<?php
/**
* SAML 2.0 remote IdP metadata for SimpleSAMLphp.
*
* Remember to remove the IdPs you don't use from this file.
*
* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
*/
$metadata['http://********/adfs/services/trust'] = array (
'entityid' => 'http://********/adfs/services/trust',
'contacts' =>
array (
0 =>
array (
'contactType' => 'support',
),
),
'metadata-set' => 'saml20-sp-remote',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://********/adfs/ls/',
'index' => 0,
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://********/adfs/ls/',
'index' => 1,
),
2 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://********/adfs/ls/',
'index' => 2,
'isDefault' => true
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://********/adfs/ls/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://********/adfs/ls/',
),
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'keys' =>
array (
0 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIC3DCCAcSgAwIBAgIQI+jsxeEoV5lP6fuQBfQV3DANBgkqhkiG9w0BAQsFADAqMSgwJgYDVQQDEx9BREZTIEVuY3J5cHRpb24gLSBhZGZzLmRlY3Uub3JnMB4XDTE4MDcwMjEyMjczMVoXDTE5MDcwMjEyMjczMVowKjEoMCYGA1UEAxMfQURGUyBFbmNyeXB0aW9uIC0gYWRmcy5kZWN1Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2p4M3lPotdg2pXXtO2gqgjEoCVljFSE66IQccYFQ/lJs5OkzOwzt3xEQZGIK9TczWZLp5t1+qwRpDH9Ryzcm1/jKZlvAWMVPX0QRTyMCjZBYkjtzkV+qlCA4YZaMWAB89WwddKACwtbDps00TsqYL3qbZWnCjisSGVVSZB2FPqCsAFv3r0NPrmq5BY0+nzz3djPGT5dt3KKYzkAp9X4MnvTFQXXpWn09ZmQr/RY5sT03dNUHM4184fXmOEAr8fm+nUoqXXbXK3j8QzEw0Lz3eho7tWRSXZ4iNdnopCNFEbI1f3vMjd2dhXt+i//HDV9hzEjI5myhBNKHCWOegBKUECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAl7wMa9rj5BDkt6xxPDALwO8WkQcVDojU9dOotdMLhBM6eTPxFXey1krnlkcSq2/bsSeUTFXJOLErarurVXk74O5KWQWi3MbSYPsFezXbrPYa5OodwPRruef3gaXDUpebKp/ylRse6XFSzlmBQgCC+ILTR//eh0OgMXtgeZa+68F0nkZBxdeNJk1bvPsb1bJ1imcqVeLHioOj8WoUPKiKT6XG/1ElgU5KstfRkP171xIkbasuGD2kos3+I7Or9lqMuRxj4obuK1N4JY3kx9Zmfp20m/GoBTPhQ9CKLvVlKFg81PxeOlAuOfdS+0wEQVIcgLjIkL2JW59g/jS6iXDL1g==',
),
1 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIC1jCCAb6gAwIBAgIQMExXxqd2laVFBL4In2Dn6zANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDExxBREZTIFNpZ25pbmcgLSBhZGZzLmRlY3Uub3JnMB4XDTE4MDcwMjEyMjczM1oXDTE5MDcwMjEyMjczM1owJzElMCMGA1UEAxMcQURGUyBTaWduaW5nIC0gYWRmcy5kZWN1Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOPJGi5veiRh112olqs8DZLvckLCyHNa2GRhN2gEx7+MjX+VU/shRtSp8KC0TYbQmpnAyhCiUEbY/eEGkLQsrDeFYDwPNKjPqOIItObu+XOle56kAe2gnai4GI1GJ43WgtxAoILGTQNzL3CVUxEOKk7PQUD0NXBhOy9TpYIIeP6nk4Q0q8I2pgc0u8ANlnpAvWs+kHlo0Py5To7gT3jSbe7XvHbKCu5s41/sP2w0UCUgyKj06lNhtmYrGioQQRnPk5o0qfnjZBnPdLpNDAZ950UYGrPQh2xUrhaUtStUWSrTWr0b3E42oZTbzaRR5kFvFdTz/ps9oHDvj+t5u7fteOcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAgLiInkYj5ltzMmnz29RannvdV29fDHwstkyzNYBFjJMAYjsXU2oTnzIP+ZdYgH+lmW1tAWupx7u5pFZz2LkU0kv+phY1uWMKeKrY+DCRDcnb3z17azAkMrjXGUwomCKa6QJCPO1BdvZcr4jj46nzoV/bHnzPKUYy+ov98Z+rAHCwdubPeRlG2yKZlKqmknxRoAHBa04pQ5v0spL/A1a5IXUlCGzl8P++U4h/mdPNDqAUeP2oN3Z0aa6MMBCiYHuqugKuTunQTrf8cCnYQC0z4Zex/OZCAqYzRyePLvfelwqHtHOOovGkruWZlwYMd7seyxByzTWo8x0A0eHsV/oWsA==',
),
),
'saml20.sign.assertion' => true,
);