SSO with Django 1.9 + djangosaml2 + ADFS 2.0

I am installing and configuring ADFS 2.0 as the IdP and a Django project as the SP using djangosaml2. The Django project is deployed on IIS 7.5.

The djangosaml2 configuration:
    import os

    import saml2
    from saml2.saml import NAMEID_FORMAT_EMAILADDRESS

    # BASE_DIR is assumed to be defined earlier in settings.py, as in a standard Django project.
    SAML_CONFIG = {
        # full path to the xmlsec1 binary program
        'xmlsec_binary': 'C:\\Program Files\\xmlsec1\\xmlsec1-1.2.20-win32-x86\\bin\\xmlsec1.exe',

        # your entity id, usually your subdomain plus the url to the metadata view
        'entityid': 'https://sp.corp.com/saml2/metadata/',

        # this block states what services we provide
        'service': {
            # we are just a lonely SP
            'sp': {
                'authn_requests_signed': "true",
                'name': 'SP',
                'name_id_format': NAMEID_FORMAT_EMAILADDRESS,
                'endpoints': {
                    # url and binding to the assertion consumer service view
                    # do not change the binding or service name
                    'assertion_consumer_service': [
                        ('https://sp.corp.com/saml2/acs/',
                         saml2.BINDING_HTTP_POST),
                    ],
                    # url and binding to the single logout service view
                    # do not change the binding or service name
                    'single_logout_service': [
                        ('https://sp.corp.com/saml2/ls/',
                         saml2.BINDING_HTTP_REDIRECT),
                        ('https://sp.corp.com/saml2/ls/post',
                         saml2.BINDING_HTTP_POST),
                    ],
                },
                # attributes that this project needs to identify a user
                'required_attributes': ['email'],
                # attributes that may be useful to have but are not required
                'optional_attributes': ['surname'],
            },
        },

        # where the remote metadata is stored
        'metadata': {
            'local': [os.path.join(BASE_DIR, 'FederationMetadata.xml')],
        },

        # set to 1 to output debugging information
        'debug': 1,

        # certificate
        'key_file': os.path.join(BASE_DIR, 'iispk.pem'),    # private part
        'cert_file': os.path.join(BASE_DIR, 'iiscert.pem'), # public part
    }
On the ADFS machine I add a Relying Party Trust via the URL https://sp.corp.com/saml2/metadata/. Then I add a claim rule of type "Send LDAP Attributes as Claims" and map E-Mail-Addresses to E-Mail Address and Surname to Surname. After that I go to https://sp.corp.com/saml2/login/, enter the username and password, and get an error; Active Directory Federation Services shows the following in the event log:
Event 364:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7012: ошибка при обработке запроса. Для получения дополнительных сведений обратитесь к администратору.
в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
в Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)
Event 321
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://iisserver.corp.com/saml2/metadata/
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
This request failed.
User Action
Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier.
I have been struggling with this for several days. How can I fix it? A detailed answer would be appreciated. Many thanks.
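An added example (not from the question, djangosaml2 or ADFS): the comparison behind event 321 / MSIS1000 redone in plain Python over constructed SAML fragments, so it is visible what the IdP compares when the SP above asks for an emailAddress NameID. It assumes the token built from the "Send LDAP Attributes as Claims" rule carries attribute claims but no NameID at all (the empty "Actual NameID properties" in the log), while a token that also issues the e-mail claim as a Name ID passes; the function names are mine.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed AuthnRequest: the NameIDPolicy djangosaml2 sends with name_id_format = emailAddress.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_r1" Version="2.0">
  <samlp:NameIDPolicy Format="{EMAIL_FMT}" AllowCreate="false"/>
</samlp:AuthnRequest>"""

# Constructed token with attribute claims only (email, surname) and no NameID:
# the shape a "Send LDAP Attributes as Claims" rule produces on its own.
ASSERTION_NO_NAMEID = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="email">
    <saml:AttributeValue>user@corp.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

# Constructed token where the e-mail claim was also issued as the NameID.
ASSERTION_WITH_NAMEID = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a2" Version="2.0">
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">user@corp.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

def requested_policy(authn_request_xml):
    """(Format, SPNameQualifier) from the request's NameIDPolicy, or (None, None)."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None, None
    return policy.get("Format"), policy.get("SPNameQualifier")

def issued_name_id(assertion_xml):
    """(Format, SPNameQualifier) of the Subject's NameID, or (None, None) if absent."""
    name_id = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None, None
    return name_id.get("Format", UNSPECIFIED), name_id.get("SPNameQualifier")

def policy_satisfied(authn_request_xml, assertion_xml):
    """The MSIS1000 comparison: does the issued NameID meet the requested policy?"""
    want_fmt, want_spq = requested_policy(authn_request_xml)
    got_fmt, got_spq = issued_name_id(assertion_xml)
    if want_fmt is None or want_fmt == UNSPECIFIED:
        return True        # no constraint requested, any token is acceptable
    if got_fmt is None:
        return False       # token carries no NameID at all
    return want_fmt == got_fmt and (not want_spq or want_spq == got_spq)
```

Running the two tokens through policy_satisfied reproduces the failure for the attribute-only token and a pass once a Name ID in emailAddress format is present, which is what the "User Action" line in event 321 is pointing at.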