0
Ich richte ADFS 3.0 und SAML 2.0 mit Shibboleth als Dienstanbieter (SP) ein. Ich habe die Zertifikate erfolgreich in ADFS importiert. Die ADFS Ansprüche Provider (oder ADFS IDP) Anmeldeseite funktioniert, weil der Benutzer umgeleitet wird:Entfernen Sie Verbundfehler in SAML 2.0 und ADFS 3.0
https://c-adfs01.contoso.com/Shibboleth.sso/SAML2/POST`
nach der Anmeldung an:
https://c-adfs01.contoso.com/adfs/ls/idpinitiatedsignon
Jedes Mal, wenn ich diesen Befehl:
systemctl restart shibd && systemctl restart httpd
ich folgende Fehler:
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 2732, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 2732, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 3923, message: no declaration found for element 'fed:ClaimTypesRequested'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 24961, message: no declaration found for element 'fed:TargetScopes'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25333, message: no declaration found for element 'fed:ApplicationServiceEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25536, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 25724, message: element 'fed:ClaimTypesRequested' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 26099, message: grammar not found for namespace 'http://docs.oasis-open.org/wsfed/federation/200706'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 26099, message: attribute 'ServiceDisplayName' is not declared for element 'RoleDescriptor'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 27277, message: no declaration found for element 'fed:TokenTypesOffered'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 27444, message: no declaration found for element 'fed:ClaimTypesOffered'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 48496, message: no declaration found for element 'fed:SecurityTokenServiceEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 49192, message: no declaration found for element 'fed:PassiveRequestorEndpoint'
2016-11-09 16:54:36 ERROR XMLTooling.ParserPool : error on line 1, column 49380, message: element 'fed:TokenTypesOffered' is not allowed for content model '(Signature?,Extensions?,KeyDescriptor*,Organization?,ContactPerson*)'
2016-11-09 16:54:36 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml): XML error(s) during parsing, check log for specifics
2016-11-09 16:54:36 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 600 seconds
2016-11-09 16:54:36 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
Hier ist meine shibboleth.xml Konfiguration
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML::2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!-- ADFS Extension -->
<OutOfProcess>
<Extensions>
<Library path="/usr/lib64/shibboleth/adfs.so" fatal="true"/>
</Extensions>
</OutOfProcess>
<InProcess logger="native.log" checkSpoofing="true">
<Extensions>
<Library path="/usr/lib64/shibboleth/adfs-lite.so" fatal="true"/>
</Extensions>
</InProcess>
<RequestMapper type="Native"
sessionError="/var/log/shibboleth/session_error.log"
metadataError="/var/log/shibboleth/metadata_error.log"
accessError="/var/log/shibboleth/access_error.log"
sslError="/var/log/shibboleth/ssl_error.log">
<RequestMap applicationId="default">
<Host name="c-app01">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://c-app01.contoso.com/Shibboleth.sso/Metadata.xml"
REMOTE_USER="eppn persistent-id targeted-id">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
<!-- Putting another SSO here will make shibd fail. There should only be one SSO. -->
<SSO>
SAML2 SAML1 ADFS
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata.xml" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="[email protected]"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!-- using validate="true" will give errors in Federationmetadata.xml-->
<MetadataProvider type="XML" validate="true"
uri="https://c-adfs01.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
reloadInterval="3600">
<DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
<!-- Example of locally maintained metadata. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="c-app01.contoso.com.key" certificate="c-app01.contoso.com.pem"/>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
meine Apache-Konfiguration Hier ist:
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
ShibCompatValidUser Off
<Location /Shibboleth.sso>
SetHandler shib
AuthType None
Require all granted
</Location>
Also, meine Frage ist ... wie der Service Provider ich konfigurieren, dass die ClaimTypesOffered zu bekommen, usw. (im Fehler), um die Fehler zu entfernen?