"No providerId parameter given in Shibboleth SSO authentication request" from TestShib using ruby-saml

Question (votes: 1, answers: 1)

I am trying to implement SSO-only authentication with OmniAuth and Devise in a Rails 5 application. Before using our organization's internal IdP, I am trying to test against TestShib.

This is my current configuration in config/initializers/devise.rb:

idp_meta_parser = OneLogin::RubySaml::IdpMetadataParser.new
idp_meta = idp_meta_parser.parse_remote_to_hash('https://idp.testshib.org/idp/shibboleth')
config.omniauth :saml,
    issuer: 'https://localhost:3000/shibboleth',
    **idp_meta

When I navigate to the auth URL (/users/auth/saml), I am redirected to an error page on TestShib, and the log says the following:

10:01:19.187 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /Shibboleth/SSO
10:01:19.188 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler
10:01:19.188 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request
10:01:19.188 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:152] - Incoming request does not contain a login context, processing as first leg of request
10:01:19.188 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:218] - Decoding message with decoder binding urn:mace:shibboleth:1.0:profiles:AuthnRequest
10:01:19.188 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSODecoder:72] - No providerId parameter given in Shibboleth SSO authentication request.
10:01:19.188 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:247] - Error decoding Shibboleth SSO request
org.opensaml.ws.message.decoder.MessageDecodingException: No providerId parameter given in Shibboleth SSO authentication request.
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSODecoder.doDecode(ShibbolethSSODecoder.java:73) ~[shibboleth-identityprovider-2.4.0.jar:na]
    at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[openws-1.5.0.jar:na]
    at org.opensaml.saml1.binding.decoding.BaseSAML1MessageDecoder.decode(BaseSAML1MessageDecoder.java:109) ~[opensaml-2.6.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler.decodeRequest(ShibbolethSSOProfileHandler.java:240) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler.performAuthentication(ShibbolethSSOProfileHandler.java:174) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler.processRequest(ShibbolethSSOProfileHandler.java:153) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler.processRequest(ShibbolethSSOProfileHandler.java:70) [shibboleth-identityprovider-2.4.0.jar:na]
    at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83) [shibboleth-common-1.4.0.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.36]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
    at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
    at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
    at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.36]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.36]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [catalina.jar:6.0.36]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.36]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:6.0.36]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.36]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.36]
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.36]
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:311) [tomcat-coyote.jar:6.0.36]
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776) [tomcat-coyote.jar:6.0.36]
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705) [tomcat-coyote.jar:6.0.36]
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898) [tomcat-coyote.jar:6.0.36]
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.36]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_55]

I can't find anything really relevant online; the only document I could find that mentions providerId is this on the Shibboleth Wiki.

What is providerId, and how do I specify it with OmniAuth and RubySaml?

ruby-on-rails ruby devise omniauth saml
1 Answer

1 vote

So this took forever to figure out. Basically I went through all the documentation (https://wiki.shibboleth.net/confluence/display/IDP30/UnsolicitedSSOConfiguration) and looked at several mailing lists. What you are missing is part of the redirect query. It usually looks like this:

https://idp.testshib.org/idp/profile/Shibboleth/SSO?SAMLRequest=rVbZjqraFv0Vk3rwoWLRSGt2VbJoRFAoEGn05YZmgSh9I8rXX7T2rlTt3HPOPslNgLDmms1Ycwxm%2BNF4WVouQNce8y2sOti0E9A0sG6TIueLvOkyWJuwviQBtLab1%2BmxbcsFgtAsOidRwnvJ47o4vyQF4o0pYN4mgdcWNXJP2yARDsN5RPkzCoXUjAiZYOZBhp6xDO7hlBdQvg8RL2imE2EsnOTevepHjWYskoTlSztuNMfEfynq%2BG5AyrqIkhQi5mj0ixS2R8Q036cTWXid%2FgfHGRYPCXZGs%2BxYEGXImc8Q1AwlUHKOURTlz4PRtWk6KOdN6%2BXt6xRHMWaGzsdrhzELnFwQ2GE6sWHdPMDgL%2Bh0cs3SvFncD%2FU67ep8UXhN0ixyL4PNog0WJlA3i9Fx4f1q3deQ8u9jxgO1RVCk07cfd%2B%2FFA1399v9vdAZbL%2FRa7wfytc6PsFmYSTz2vqvhT9Rh80l03%2Fcv%2FfzRfRxFUQRlkdEnbJL4afoZC0M5j4rHkvfyIh%2BxpcnwYFMdCSrCCUjjok7aY%2FYXiTEEQ%2B%2BJZ%2FAazAKMyJ%2BmyHdof5wIJX4hnGVFDZ%2Fqxps1Rw8nqZ8ptzCCNcwDOLG28uv06c9U8wjd1V7eREWdNd%2BX%2FwjrW%2BNgfoFpUcJw1vw63U9of57wfzTs7QcMFnIepF2TXKB2F1rpBbCZ6DWMkusmaUa1P4Uw8rq0nTyU%2BXhOwmZyvV%2FJJAt%2FCRcG%2F4op5Cv435YfvRKSePyU%2FyWLI0tP37j7yGJ7aQfffN5ruVMeZwxtiih%2BHALOu5FzYEUEurvN5VgPhk0Vn4ud%2BPpA9DX4YfhUwsfyNyl%2FSu8jwpL2MUkjc9fM3RKLKHGX09aOZXmS3wXVcy2bO9pAXS6Iap2rDrVZHjz5ue1xpmSYTDEdWVxqYd4RxlElt32L6VTGz0%2BRTtC2uVkbMdyfcQQO%2FiWudzxOgURyFBe7WcQh0s6I05nVHCN1YdDcYmV6HWosuQGcIj%2F18VpQZNYzLvPoGFMAXXXbqvZrN0LtQD7vQmoXr1iJVZYKonr6VTzIbteZZMdG7np9q8qodXcWajIxq6YuchouzwGWEx2tVHvdw5PkiCEszdnDDkOWfCojzloMD41mn4kW4gi%2BJYtVD07qXMHI1aHsd%2F5%2BYDeRRq1v6ZZ%2FllHc1CkqEchMwp8pfcA02UD3eByoTsi8frb%2BS6%2Fv7V%2FD2ycVLomywji6Phf8fcxG9xkI31RZFsyB58FpHYNe5kA83gLQuPhcHc%2BJxPYoBwx0OdoQ1Wh63tgLtmFIYq9gwSBuVHCWAGaJPBi3UPEqDPdYzeZAoXJn7Oi52sU%2FiabKgYcf6HvFd5ZlgLPdJksvKke4wk4kVEHt1ZM8aMK%2B19LibiN%2Fs%2FX6l3rcUeVDV73yA1A%2B6sXjlsapBtMLHxjXAjhoeycdfJy4iidgfPipKu%2F8xJWQpX8%2Fu6neY5R1cZCPl0ADhshxBhDiWByf477R8OM7DzYyOSA3rYJ%2BSmLdymPnLiJl8RVsZTkA66Y6bJF3t77qKH0SyVtsLW03mp8LpY%2FE3L8dFO66YtPKMvd4KIVicHWuWvS%2BucVcxG5ORYqY3ZXul5mmHND1yS1BrUBCj3NOqsvj4Ah0xaxXQxQkz0tSKqB%2Bs6juQjmSldjpRlAPwU1IV%2FZ%2BGXT8jQA8ZSFHWwfMBvDPfWYIZr8MzrfW57j1LuHXbVMMkdG6zC12SoVhpRAXElNmjvFpX5E%2Bm5wk%2BG7N4d5sWYplx3NG7fWm1gpN6VrV505o8RGjV1bA4umNLuGAGVSxZ89W5514iyYNszTryr2RiGOpV9X31E
OJvFOxLYEz0HZgxdz06xz1R%2Bo4AKSTJXDvKofe%2BQ2F2HA4bqustrpTYZDD825F2yh9QCU54dPjZQDRnc%2BVqYqSAJz4733Vh%2B9WFbndqGRjhagAlXizkkzZnwsj34JhAUDc9Q%2FsxCW4XIRYwbXOgAeBJMAz7W9VlaaqWAijYNtzYTRnrBjNZNNymF0dO4aj7wgG898vVSR1V%2Ffc0s%2Fp%2B8Zfque9uxGP%2BEqPOgV6g8hvrJV7SVvIHHzcDxo4pouu20E6HBMpjny0EFaHpjtBcXtaLyXHrJGMcZYktBpaRjohEE7hka6y8rk%2FJYrKYmJWqBuFLDcVla4pXtHzuGyIrK7qK2Zbz1pCWUJMWHRN81q5MRr5lriHXhMVWpN71E82zfwmtKTeZ1Z3tXd2viF0y1kvyz1txrZgryFydMeGBZIUD%2FoKQMOihEaUIqBuSTjKRzS9wi7ld687WDaTL7UUnqhbtPbOMhKlvcUQGGW8fgyr3wfQp%2FFjRCFfh9e34fb28ev1%2FX%2F77b8%3D

What is missing is part of the query string in the params. The method you are using is SAML 1.x. Simply include your providerId, shire and target as part of the redirect URL. The result should look like this:

https://idp.testshib.org/idp/profile/Shibboleth/SSO?SAMLRequest=xxx&providerId=xxx&shire=xxx&target=xxx

Alternatively, you can use the SAML 2 endpoint, which requires fewer of these parameters: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
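The answer's point can be checked mechanically: pick the SAML 2.0 HTTP-Redirect SingleSignOnService from the IdP metadata instead of the legacy Shibboleth 1.x one, and inspect the redirect URL the SP produces for the parameters each endpoint family requires. The Ruby below is an added example, not code from the question, the answer, ruby-saml or TestShib; the metadata document, the entity IDs and the hostnames are constructed, and only the Ruby standard library is used.

```ruby
require 'uri'
require 'rexml/document'

# Constructed sample of the relevant slice of an IdP metadata document
# (not TestShib's real metadata): it advertises both a legacy Shibboleth 1.x
# SSO endpoint and a SAML 2.0 HTTP-Redirect endpoint.
SAMPLE_IDP_METADATA = <<~XML
  <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
      entityID="https://idp.example.test/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.example.test/idp/profile/Shibboleth/SSO"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
XML

MD_NS = { 'md' => 'urn:oasis:names:tc:SAML:2.0:metadata' }.freeze
SHIB1_BINDING = 'urn:mace:shibboleth:1.0:profiles:AuthnRequest'
SAML2_REDIRECT_BINDING = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Returns { binding => location } for every SingleSignOnService in the metadata.
def sso_endpoints(metadata_xml)
  doc = REXML::Document.new(metadata_xml)
  endpoints = {}
  REXML::XPath.each(doc, '//md:SingleSignOnService', MD_NS) do |el|
    endpoints[el.attributes['Binding']] = el.attributes['Location']
  end
  endpoints
end

# The SAML 2.0 HTTP-Redirect endpoint is the one a SAML 2.0 AuthnRequest
# (which is what ruby-saml builds) belongs at; nil if the IdP lacks it.
def saml2_redirect_sso_url(metadata_xml)
  sso_endpoints(metadata_xml)[SAML2_REDIRECT_BINDING]
end

# Required query parameters per endpoint family, as described in the answer:
# the legacy Shibboleth 1.x profile wants providerId, shire and target, while
# the SAML 2.0 Redirect binding carries everything inside SAMLRequest.
SHIB1_REQUIRED = %w[providerId shire target].freeze
SAML2_REQUIRED = %w[SAMLRequest].freeze

# Classifies a redirect URL by its path and reports which required parameters
# are missing, mirroring the check behind the IdP's
# "No providerId parameter given in Shibboleth SSO authentication request".
def check_sso_redirect(url)
  uri = URI.parse(url)
  pairs = URI.decode_www_form(uri.query.to_s)
  present = pairs.reject { |_, v| v.empty? }.map(&:first).uniq
  profile = uri.path.end_with?('/profile/Shibboleth/SSO') ? :shib1 : :saml2
  required = profile == :shib1 ? SHIB1_REQUIRED : SAML2_REQUIRED
  missing = required - present
  { profile: profile, missing: missing, ok: missing.empty? }
end

if __FILE__ == $PROGRAM_NAME
  puts "SAML2 redirect endpoint: #{saml2_redirect_sso_url(SAMPLE_IDP_METADATA)}"
  # The failing shape from the question: a SAML2 request sent to the 1.x endpoint.
  p check_sso_redirect('https://idp.example.test/idp/profile/Shibboleth/SSO?SAMLRequest=xxx')
  # The shape the answer recommends for the 1.x endpoint.
  p check_sso_redirect('https://idp.example.test/idp/profile/Shibboleth/SSO?SAMLRequest=xxx&providerId=xxx&shire=xxx&target=xxx')
  # The alternative the answer recommends: the SAML2 Redirect endpoint.
  p check_sso_redirect('https://idp.example.test/idp/profile/SAML2/Redirect/SSO?SAMLRequest=xxx')
end
```

Running `check_sso_redirect` on the URL from the question's failing redirect reports `missing: ["providerId", "shire", "target"]`, which is exactly what the IdP log complains about. In practice the cleanest fix is to make sure the `idp_sso_target_url` handed to OmniAuth is the HTTP-Redirect location from the metadata rather than the `urn:mace:shibboleth:1.0` one; if the IdpMetadataParser version in use supports a binding filter, pass it there, otherwise set the URL explicitly after parsing.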
