事情是这样的:现在客户有个需求需要接入aws的cognito,而第三方登陆这里使用cognito提供的saml。
这边服务器使用simplesamlphp框架处理;但是当配置好之后、接收到从cognito发出的断言时simplesamlphp提示无法定位元信息:
我不确定我的配置是哪里出问题了(老实说也不知道哪里正确),配置代码如下:
saml20-idp-hosted.php 文件:
<?php
$metadata['urn:amazon:cognito:sp:us-east-1_YaRHr5R7c'] = array(
'host' => '__DEFAULT__',
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
'auth' => 'example-userpass',
'attributes.NameFormat' => 'urn:oasis:names����SAML:2.0:attrname-format:uri',
'authproc' => array(
100 => array('class' => 'core:AttributeMap', 'name2oid'),
)
);
saml20-idp-remote.php 文件:
<?php
$metadata['urn:amazon:cognito:sp:us-east-1_YaRHr5R7c'] = array(
'metadata-set' => 'saml20-idp-remote',
'entityid' => 'http://www.saml.com/simplesaml/saml2/idp/metadata.php',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names����SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://www.saml.com/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names����SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://www.saml.com/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'certData' => 'certData',
'NameIDFormat' => 'urn:oasis:names����SAML:2.0:nameid-format:transient'
);
提供给cognito的断言:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names����SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:cognito:sp:us-east-1_YaRHr5R7c">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names����SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAOWFqULLmgfjMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxCzAJBgNVBAoMAkRQMQowCAYDVQQLDAFUMQ4wDAYDVQQDDAVaSE9ORzEfMB0GCSqGSIb3DQEJARYQNDA2MTM5NzE5QHFxLmNvbTAeFw0xNzEwMjMxMDQ5NThaFw0yNzEwMjMxMDQ5NThaMHExCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxCzAJBgNVBAoMAkRQMQowCAYDVQQLDAFUMQ4wDAYDVQQDDAVaSE9ORzEfMB0GCSqGSIb3DQEJARYQNDA2MTM5NzE5QHFxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0zCV7QvICRkVFKzRlNYYTSdWIs8xEaDseqlnLwKEzp9JG13rdwD7OxrC2V3LchRzAB2lviD6oAxEXrs2L3X4qaKhBLC8UT3mBGEDWtDkH93Kp9zmF4N6SC4fuf0ULtDofmoXv55yTZvbp4ydGXPc9NEq93wX9zPgdzejzBcIjOJu/CmzCCxy6VyTr89/e1WUDxbh5b8O+UNluM0caEXN3gdogtIgNmZqASmzV7oDIimvb6UDhjQjFkCfgwvCiYJvnesMErT8GTQ4sJRVPe5SXYecNr/Gzajdpr7i/NP7uKSoD+ykhua0Ierf3nnIZIe1FQiFlCVjU1PBorL/WlNwMCAwEAAaNQME4wHQYDVR0OBBYEFDUswqEHEi9Xgd7Od4j+WGXfpxiZMB8GA1UdIwQYMBaAFDUswqEHEi9Xgd7Od4j+WGXfpxiZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAGUfL1lf/L1V2+fkMUZMzMSaT3HhWikpfvWnVK8IZgJfwdHadxC7N7jp/1quYL7LrJgGR9dbp3rYh2Q6DTXgwl//PFhZtf91thrwYWwKEqsge8S4LBgsNLVSlsO+7ryXy9mvcVNOhnzVirOWU7iv8wDvzbx35BwO8eQI0Rw5lQnpGWI/8wQBJYNTM5GXiJVqWAsSZTTRy5y84tCsesp7U2sNIXBuvRf2fhBul7lucQW/27KBZeeGD+ppU++eyOE6G4irOH78A9B1GK6NpDNKXieOgd+krCsG6WGaa0hqUXFWIloPugMWVVElCu6FAF15Tmm0bWS/47p+LS0hqbG+auc=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAOWFqULLmgfjMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxCzAJBgNVBAoMAkRQMQowCAYDVQQLDAFUMQ4wDAYDVQQDDAVaSE9ORzEfMB0GCSqGSIb3DQEJARYQNDA2MTM5NzE5QHFxLmNvbTAeFw0xNzEwMjMxMDQ5NThaFw0yNzEwMjMxMDQ5NThaMHExCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxCzAJBgNVBAoMAkRQMQowCAYDVQQLDAFUMQ4wDAYDVQQDDAVaSE9ORzEfMB0GCSqGSIb3DQEJARYQNDA2MTM5NzE5QHFxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0zCV7QvICRkVFKzRlNYYTSdWIs8xEaDseqlnLwKEzp9JG13rdwD7OxrC2V3LchRzAB2lviD6oAxEXrs2L3X4qaKhBLC8UT3mBGEDWtDkH93Kp9zmF4N6SC4fuf0ULtDofmoXv55yTZvbp4ydGXPc9NEq93wX9zPgdzejzBcIjOJu/CmzCCxy6VyTr89/e1WUDxbh5b8O+UNluM0caEXN3gdogtIgNmZqASmzV7oDIimvb6UDhjQjFkCfgwvCiYJvnesMErT8GTQ4sJRVPe5SXYecNr/Gzajdpr7i/NP7uKSoD+ykhua0Ierf3nnIZIe1FQiFlCVjU1PBorL/WlNwMCAwEAAaNQME4wHQYDVR0OBBYEFDUswqEHEi9Xgd7Od4j+WGXfpxiZMB8GA1UdIwQYMBaAFDUswqEHEi9Xgd7Od4j+WGXfpxiZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAGUfL1lf/L1V2+fkMUZMzMSaT3HhWikpfvWnVK8IZgJfwdHadxC7N7jp/1quYL7LrJgGR9dbp3rYh2Q6DTXgwl//PFhZtf91thrwYWwKEqsge8S4LBgsNLVSlsO+7ryXy9mvcVNOhnzVirOWU7iv8wDvzbx35BwO8eQI0Rw5lQnpGWI/8wQBJYNTM5GXiJVqWAsSZTTRy5y84tCsesp7U2sNIXBuvRf2fhBul7lucQW/27KBZeeGD+ppU++eyOE6G4irOH78A9B1GK6NpDNKXieOgd+krCsG6WGaa0hqUXFWIloPugMWVVElCu6FAF15Tmm0bWS/47p+LS0hqbG+auc=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names����SAML:2.0:bindings:HTTP-Redirect" Location="http://www.saml.com/simplesaml/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names����SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names����SAML:2.0:bindings:HTTP-Redirect" Location="http://www.saml.com/simplesaml/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>zhong</md:GivenName>
<md:EmailAddress>40613****@qq.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
望大神赐教
"
解决了,主要是要配置它的saml20-sp-remote.php文件:
$metadata['urn:amazon:cognito:sp:us-east-1_YaRHr5R7c'] = array( 'AssertionConsumerService' => 'https://testcloud.auth.us-east-1.amazoncognito.com/saml2/idpresponse', 'SingleLogoutService' => 'https://testcloud.auth.us-east-1.amazoncognito.com/logout?client_id=7tkior5512sk93rmb5der0aa0r&logout_uri=https://test.dvrskype.com/test/logout', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', 'simplesaml.attributes' => FALSE, );
最大的教训是多上官方论坛,少看官方文档:(
" ![image.png](https://ucc.alicdn.com/pic/developer-ecology/e74a78e460af48629d039853749aa268.png)版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。