我已配置 Azure AD 并联合域。
我已按照 MSDN guide 使用 SAML 2.0 IdP 来实现 SSO 和 this blog 。
我可以成功重定向到我的自定义 IdP 页面。 IDP 将 SAML token 发送到“login.microsoftonline.com/login.srf”。但它给出了代码 800478A1 的错误。
请告诉我出了什么问题。我复制了下面的 SAML 响应以供引用。
<saml2p:Response
Destination="https://login.microsoftonline.com/login.srf"
ID="id66864f3b430546b1a10e488579ea0ba1"
Version="2.0"
IssueInstant="2016-05-13T01:53:56Z"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_049917a6-1183-42fd-a190-1d2cbaf9b144"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:52071/</saml2:Issuer>
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1efef91-62e4-4ff5-93c1-9b456603f5d4" IssueInstant="2016-05-13T01:53:56Z">
<saml2:Issuer>http://localhost:52071/Metadata</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"><a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="8be1e4e3e5efe4eecbeef3eae6fbe7eea5e8e4e6" rel="noreferrer noopener nofollow">[email protected]</a></saml2:NameID>
<saml2:SubjectConfirmation Method="urn:Oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2016-05-13T02:13:56Z" Recipient="https://login.microsoftonline.com/login.srf" InResponseTo="_049917a6-1183-42fd-a190-1d2cbaf9b144"/></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2016-05-13T01:55:56Z" NotOnOrAfter="2016-05-13T02:15:56Z">
<saml2:AudienceRestriction>
<saml2:Audience>urn:federation:MicrosoftOnline</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="IDPEmail">
<saml2:AttributeValue><a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="7d171215131912183d18051c100d1118531e1210" rel="noreferrer noopener nofollow">[email protected]</a></saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2016-05-13T01:53:56Z" SessionIndex="42">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#id66864f3b430546b1a10e488579ea0ba1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>ynB0J1UwKJ9396uOkbMajyi2k8s=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>*** redacted ***</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>*** redacted ***</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml2:Assertion>
最佳答案
实际上,您似乎正在主题字段的 NameID 中传递用户的电子邮件。您的 IDP 是否有可能在 NAmeID 字段的 sam 响应中发送不可变的 iD 或 objectguid。
关于azure - Office 365 使用外部 SAML 身份时出现错误 : 800478A1,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37206672/