我正在尝试使用SAML和WSO2作为身份提供者来实现到Websphere Liberty adminCenter控制台的SSO。我已经按照此处提到的设置在自由上配置了samlWebSso20:
https://www.ibm.com/support/knowledgecenter/en/SSCKRH_1.0.2/platform/sso_liberty.html
但是,由于在messages.log中收到以下错误,授权在自由方失败:
CWWKS9104A:在/上调用com.ibm.ws.management.security.resource时,用户admin的授权失败。没有授予用户访问任何必需角色的权限:[管理员]。
似乎自由无法识别用户的角色。我的配置中可能有什么问题?
server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<featureManager>
<feature>webProfile-7.0</feature>
<feature>adminCenter-1.0</feature>
<feature>websocket-1.1</feature>
<feature>samlWeb-2.0</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9080"
httpsPort="9443" />
<applicationManager autoExpand="true"/>
<basicRegistry id="basic">
<user name="admin" password="admin" />
</basicRegistry>
<administrator-role>
<user-access-id> user:ws02is510/admin</user-access-id>
</administrator-role>
<keyStore id="defaultKeyStore" password="liberty" />
<samlWebSso20 enabled="true" id="defaultSP" nameIDFormat="email" wantAssertionsSigned="false">
</samlWebSso20>
<variable name="defaultHostName" value="wasl9" />
</server>
WSO2的经过身份验证的响应令牌:
<saml2p:Response Destination="https://wasl9:9443/ibm/saml20/defaultSP/acs"
ID="_3a43e5d918468a66dfe72be986c6655e"
InResponseTo="_qmj6w34tYpe67bP0QNHuFi6hjAyjEogS"
IssueInstant="2020-03-31T12:54:42.492Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>ws02is510</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_3a43e5d918468a66dfe72be986c6655e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>tIwEGcLKGUgicewNgegWCXirH5ma/oPYfTVeeu/eHFI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
E0yABNNUvmiDaSf3pxC3K4K/wOsvcEUA5y3uWmLi1d452LskX28ak099yZz4dDqTe+CXTTR+cM0O
gmBHPsuJLOmXjuO+UF7mAASQmL04UlU9gVyEuNYcRa37g5YFR0kzjm4iP5HWTV03xE3T0SprUahJ
QZdPy+LDBibrsF2sYy3HTel04vXzQc9h8hZJQnCMYfnS/hZXQ3mGJkfbgCIRjoDpGoHQk3gpFJlm
CgPvmkjY6+BM8rryG3Pn5F9JAoiH5j5NRbsdlvIYI334TNu21i4Se5v8dqItG3RvWwOnjlQ4j1Jy
AFP1MH6TffMhS6bEg2is9Kmyl9VVIcsDfpIIMg==
</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDVzCCAj+gAwIBAgIEKGtdMzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJQSzEQMA4GA1UE
CBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNVBAsTAklUMRIwEAYD
VQQDEwl3czAyaXM1MTAwHhcNMjAwMzI4MTgwMDM5WhcNMjAwNjI2MTgwMDM5WjBcMQswCQYDVQQG
EwJQSzEQMA4GA1UECBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNV
BAsTAklUMRIwEAYDVQQDEwl3czAyaXM1MTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCOmKIT4B+pCr1HNL6VOoe2Ps+J4/nrt9L3m4I7zHc8iAiqBMdwtfPGYGefEATn+l7AduzLVfre
qS8nqJjfnjh6Jx6abCP1z3eReaVjm5GLX325JGyIbkBtGdEHo9vSj5hgr0Z6hmSdupMZCV/86bpp
rGEOkiptejZT1Qtb3RobViI2mgJbgfThaJaqFQNZALcR7WM7KPrBU4jgPBh9XZAxfBi+RqSmS3Sr
MhAQ6z+/HHb6ef9BWoFXqpFuilZnoZZZzpjGazMFPncccNlGWqBWnLr7VbFgLJFiBz+GzbcgTjo4
LLdQ7VTXixQ1VCc92fbR++ChaZIWmREAIi/IdTQ/AgMBAAGjITAfMB0GA1UdDgQWBBS4KrNDNc+w
j6RyDqRWC80ivl7UBDANBgkqhkiG9w0BAQsFAAOCAQEAgSsPOyqPUceSvg4qiL2w1isc1fKFPfR/
bEc5ZXVhl6oRfAh9rAdhwk/GATdsMx3FiDB/Tv7Q1iKENwWIbJUb/JYQvRO81sEX3o7BczhKN9Fv
5wJOKdSGz0KLxOkLz4Gj9K87fJORSKKDjy1nz+LsZdieJjN62zW16OiggTLqf13mmmSb+jE5dYHC
SUB/k9WB+oDV0A0m9pTg1WCvrttm3KKd9DZ4QrH/mZv5lzVETpGBYFNGMmA2MQ+z2NCTaatUycnn
9nPHkpoIOGQQ11z5HCvYQ20gdvJoVJ40ZDRVaqJKeeStAd49TwYFE2kdZ9udf1LNsU8MrU89QXE5
1hiUkw==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_a29d997b5f5eec9a7de1dea1e0a79391"
IssueInstant="2020-03-31T12:54:42.492Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ws02is510</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_a29d997b5f5eec9a7de1dea1e0a79391">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>M6gJ6nCtngEQZvCwaFJj9mClOhtb6hWymvAHunhK3YU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Hm4yL/STOxHmksgQr7xFwlv1GAkgrb2bicUTqkiWF46zuZKaN9u1yOBqfEHHB0Q5R3nwUqju93Ce
RI+yCsf0MabDhsWThpTkuiWaEeKa1xhdMqgGIYs2G4yMYbQevrxhxe8gjPKp29A3zNLnYmDiiqHn
DSE2qdWTu1rLj9IPp3YtP5nIZX84KbRq0GbTZf3mZWfYOVwUiemTYhArZf+fhTeKdNpt52eFf2Ef
WZRQIa69a0haor1/7Adt/TLlJSwSvKn6k20It43W48aj6w905tSOmCfx2Vdmiod7ezx+o2K37SrX
M6SYPC2jKWt5AoyZ4zjhlnYiRmF0iU31KoEOng==
</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDVzCCAj+gAwIBAgIEKGtdMzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJQSzEQMA4GA1UE
CBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNVBAsTAklUMRIwEAYD
VQQDEwl3czAyaXM1MTAwHhcNMjAwMzI4MTgwMDM5WhcNMjAwNjI2MTgwMDM5WjBcMQswCQYDVQQG
EwJQSzEQMA4GA1UECBMHRmVkZXJhbDEMMAoGA1UEBxMDSVNCMQwwCgYDVQQKEwNIUlQxCzAJBgNV
BAsTAklUMRIwEAYDVQQDEwl3czAyaXM1MTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCOmKIT4B+pCr1HNL6VOoe2Ps+J4/nrt9L3m4I7zHc8iAiqBMdwtfPGYGefEATn+l7AduzLVfre
qS8nqJjfnjh6Jx6abCP1z3eReaVjm5GLX325JGyIbkBtGdEHo9vSj5hgr0Z6hmSdupMZCV/86bpp
rGEOkiptejZT1Qtb3RobViI2mgJbgfThaJaqFQNZALcR7WM7KPrBU4jgPBh9XZAxfBi+RqSmS3Sr
MhAQ6z+/HHb6ef9BWoFXqpFuilZnoZZZzpjGazMFPncccNlGWqBWnLr7VbFgLJFiBz+GzbcgTjo4
LLdQ7VTXixQ1VCc92fbR++ChaZIWmREAIi/IdTQ/AgMBAAGjITAfMB0GA1UdDgQWBBS4KrNDNc+w
j6RyDqRWC80ivl7UBDANBgkqhkiG9w0BAQsFAAOCAQEAgSsPOyqPUceSvg4qiL2w1isc1fKFPfR/
bEc5ZXVhl6oRfAh9rAdhwk/GATdsMx3FiDB/Tv7Q1iKENwWIbJUb/JYQvRO81sEX3o7BczhKN9Fv
5wJOKdSGz0KLxOkLz4Gj9K87fJORSKKDjy1nz+LsZdieJjN62zW16OiggTLqf13mmmSb+jE5dYHC
SUB/k9WB+oDV0A0m9pTg1WCvrttm3KKd9DZ4QrH/mZv5lzVETpGBYFNGMmA2MQ+z2NCTaatUycnn
9nPHkpoIOGQQ11z5HCvYQ20gdvJoVJ40ZDRVaqJKeeStAd49TwYFE2kdZ9udf1LNsU8MrU89QXE5
1hiUkw==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_qmj6w34tYpe67bP0QNHuFi6hjAyjEogS"
NotOnOrAfter="2020-03-31T12:59:42.492Z"
Recipient="https://wasl9:9443/ibm/saml20/defaultSP/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-03-31T12:54:42.492Z"
NotOnOrAfter="2020-03-31T12:59:42.492Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://wasl9:9443/ibm/saml20/defaultSP</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-03-31T12:54:42.477Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
感谢@Piraveena和@Chunlong的支持,特别是@Chunlong的努力,直到彻底解决了问题。通过在WAS Liberty server.xml文件中进行以下更改,我现在可以正常工作: