我是 Shibboleth 新手,尝试在 ADFS 和 Shibboleth 之间配置身份验证。用户存储在 AD 中。我已经连接了 ADFS 和 Shibboleth,并且能够看到登录页面,提交用户名和凭据后,我收到错误“身份验证失败”。
日志显示以下错误:
16:46:06.929 - 调试 [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:177] - cc 的用户身份验证失败 java.lang.SecurityException: 配置错误:没有该文件或目录 at com.sun.security.auth.login.ConfigFile.(未知来源) ~[na:1.7.0_45] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(本机方法) ~[na:1.7.0_45] at sun.reflect.NativeConstructorAccessorImpl.newInstance(未知来源) ~[na:1.7.0_45] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(未知来源) ~[na:1.7.0_45]
我无法找出哪个文件丢失以及我在哪里犯了错误。非常感谢您的帮助。
login.config 如下所示:
ShibUserPassAuth {
// Example LDAP authentication
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="idmgt-IP0.idmgtext.demo"
port="389"
base="CN=Users,DC=idmgtext,DC=demo"
serviceCredential="Corp123!"
userRoleAttribute="sAMAccountName"
serviceUser="[email protected]"
subtreeSearch = "true"
ssl="false"
userFilter="sAMAccountName={0}";
// Example Kerberos authentication, requires Sun's JVM
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
/*
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab="true"
keyTab="/path/to/idp/keytab/file";
*/
};
处理程序.xml
<?xml version="1.0" encoding="UTF-8"?>
<ProfileHandlerGroup xmlns="urn:mace:shibboleth:2.0:idp:profile-handler"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">
<!-- Error Handler -->
<ErrorHandler xsi:type="JSPErrorHandler" jspPagePath="/error.jsp" />
<!-- Profile Handlers -->
<!--
All profile handlers defined below are accessed via the Servlet path "/profile" so if your profile
handler's request path is "/Status" then the full path is "<servletContextName>/profile/Status"
-->
<ProfileHandler xsi:type="Status">
<RequestPath>/Status</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAMLMetadata" metadataFile="C:\opt\Shib2Idp/metadata/idp-metadata.xml">
<RequestPath>/Metadata/SAML</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="ShibbolethSSO"
inboundBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:profiles:browser-post
urn:oasis:names:tc:SAML:1.0:profiles:artifact-01">
<RequestPath>/Shibboleth/SSO</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML1AttributeQuery"
inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
<RequestPath>/SAML1/SOAP/AttributeQuery</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML1ArtifactResolution"
inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
<RequestPath>/SAML1/SOAP/ArtifactResolution</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML2SSO"
inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
<RequestPath>/SAML2/POST/SSO</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML2SSO"
inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
<RequestPath>/SAML2/POST-SimpleSign/SSO</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML2SSO"
inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
<RequestPath>/SAML2/Redirect/SSO</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML2AttributeQuery"
inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
<RequestPath>/SAML2/SOAP/AttributeQuery</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML2ArtifactResolution"
inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
<RequestPath>/SAML2/SOAP/ArtifactResolution</RequestPath>
</ProfileHandler>
<!-- Login Handlers
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>
-->
<!-- Username/password login handler -->
<LoginHandler xsi:type="UsernamePassword"
jaasConfigurationLocation="file://C:\opt\Shib2Idp/conf/login.config">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
<!--
Removal of this login handler will disable SSO support, that is it will require the user to authenticate
on every request.
-->
<LoginHandler xsi:type="PreviousSession">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthenticationMethod>
</LoginHandler>
</ProfileHandlerGroup>