Validate IDP initiated SAML2.0 Response

SAML experts please help!!!!

I am very new to SAML and JSP. I want to validate an IDP (identity provider) initiated SAML response token using the OpenSAML library in Java (environment: Linux, Tomcat 6.0) and retrieve the attribute information sent, such as userid, username and email. The SAML response is not encrypted and I have the IDP's trust certificate installed in my Java keystore. The SAML token profile is "web browser SSO" and it uses HTTP-POST binding. The certificate has a public key in it. Do I need a private key to validate? What are the steps to be done for a successful validation? Is just a digital signature validation enough to trust the source? Should I do profile validation or something else?

Below given is the SAML Response I will be receiving from the IDP. Please let me know if you need any more information. Sorry if I did not give enough information. Please help me... Thanks in advance.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="XYZ" Version="2.0" IssueInstant="2013-07-10T16:43:54Z" Destination="http://www.testsp.com">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.testidp.com:8080/opensso</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xyz" IssueInstant="2013-07-10T16:43:51Z" Version="2.0">
    <saml:Issuer>http://www.testidp.com:8080/opensso</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#xyz">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>...hdfb3454jh545dfbj545423df....=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>..................hsdgysgdyyusgfdfb98738e43hjrg874y474h7y8r............=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>............./KPm0qLP8vCOhyI76AUE6jL NFeTlcAe3B6hOdfKCiu+EtHeZC2i/8jf1rHDNPey4TS1MQj/.......</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://www.testidp.com:8080/opensso" SPNameQualifier="http://www.testsp.com">....Zeq8NhJKRKDXUwx67ytuynwj4n...</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-10T16:53:51Z" Recipient="http://www.testsaml.com/tespsamlmodule" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-10T16:33:51Z" NotOnOrAfter="2013-07-10T16:53:51Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://www.testsaml.com/tespsamlmodule</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-07-10T16:36:35Z" SessionIndex="......erer54t54y45y75666y65y65y....">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="UID">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ab123</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uname">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">robert</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="EmailAddress">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">robert@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

You need to validate the response according to the SAML spec. There is some functionality for doing this in OpenSAML, but it seems the safest bet is to write your own validation code. See http://marc.info/?t=137354098500007&r=1&w=2

You must also validate the signature. As with all signature verification, you use the public key. Here is something I wrote on my blog about OpenSAML signature verification: http://mylifewithjava.blogspot.no/2012/11/verifying-signatures-with-opensaml.html

I have more on signing and encryption using OpenSAML in my book, A Guide to OpenSAML.

Here are the steps I followed to implement the single sign-on feature on my web app for an IDP initiated SAML Response.

Prerequisites:

  1. Import all the required and dependent jar files for the OpenSAML Java library.
  2. Upload the IDP's digital certificate to your Java keystore.
  3. Create a JSP file that is responsible for SAML authentication on your server.
  4. Do the different types of validation on the received SAML message to ensure the source (signature validation), message integrity (reference validation) and assertion validity (check the assertion validity time).

Code: This blog gives a great example which will help you to construct your own SAML SP installation.

http://mylifewithjava.blogspot.no/2012/11/verifying-signatures-with-opensaml.html

Download all the required jar files from their archive, which will save you a lot of time downloading the dependent versions of the jars: http://www.capcourse.com/Library/OpenSAML
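The answers above say that signature verification alone is not enough and that the response must also be checked against the SAML profile rules (issuer, bearer confirmation, recipient, validity window, audience). The following is an added example, not part of the question, the answers or OpenSAML, that implements those profile checks in plain Python over a constructed copy of the response in the question. It deliberately does not verify the XML signature cryptographically; that step is done first with an XML-DSig library (OpenSAML's signature validator in the asker's setup), after which these checks run on the same document. The check that the signature's Reference URI equals the assertion ID is there so that the element whose digest was verified is the element whose attributes you consume. The `SpExpectations` values, the 60-second clock skew and the placeholder digest/signature strings are assumptions.

```python
"""Profile checks for an IdP-initiated SAML 2.0 Response (HTTP-POST, bearer).

Added example; not the code of the question, the answers or OpenSAML.
Cryptographic verification of ds:Signature is assumed to have been done
already by an XML-DSig library; this module covers the remaining checks.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, e.g. 2013-07-10T16:53:51Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class SpExpectations:
    """What this SP expects to see in a response (assumed values, per deployment)."""
    idp_issuer: str                 # saml:Issuer of response and assertion
    audience: str                   # value required in saml:Audience
    recipient: str                  # this SP's assertion consumer URL
    clock_skew: timedelta = timedelta(seconds=60)


def validate_response(xml_text, sp, now):
    """Return (errors, attributes); empty errors means all profile checks passed."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"], {}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.findtext("saml:Issuer", default="", namespaces=NS) != sp.idp_issuer:
        errors.append("unexpected response issuer")

    # Exactly one assertion: reject empty responses and responses that smuggle extras.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        errors.append("expected exactly one assertion, found %d" % len(assertions))
        return errors, {}
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != sp.idp_issuer:
        errors.append("unexpected assertion issuer")

    # The enveloped signature must be a direct child of the assertion and its
    # single Reference must point at this assertion's ID (signed element == consumed element).
    sigs = a.findall("ds:Signature", NS)
    refs = [] if len(sigs) != 1 else sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + a.get("ID", ""):
        errors.append("signature Reference does not cover this assertion")

    # Bearer confirmation: delivered to our ACS URL and not yet expired.
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    if sc is None or sc.get("Method") != BEARER or scd is None:
        errors.append("missing bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != sp.recipient:
            errors.append("Recipient is not this SP")
        noa = scd.get("NotOnOrAfter")
        if noa is None or now >= parse_instant(noa) + sp.clock_skew:
            errors.append("SubjectConfirmationData has expired")

    # Conditions: validity window (with skew) and audience restriction.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb) - sp.clock_skew:
            errors.append("assertion not yet valid")
        if noa and now >= parse_instant(noa) + sp.clock_skew:
            errors.append("assertion has expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp.audience not in audiences:
            errors.append("audience does not include this SP")

    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return errors, attrs


# Constructed sample modelled on the response in the question (same URLs and
# timestamps; digest, signature and NameID replaced by placeholders).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="XYZ" Version="2.0" IssueInstant="2013-07-10T16:43:54Z" Destination="http://www.testsp.com">
  <saml:Issuer>http://www.testidp.com:8080/opensso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="xyz" IssueInstant="2013-07-10T16:43:51Z" Version="2.0">
    <saml:Issuer>http://www.testidp.com:8080/opensso</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#xyz"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">PLACEHOLDER</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-10T16:53:51Z" Recipient="http://www.testsaml.com/tespsamlmodule"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-10T16:33:51Z" NotOnOrAfter="2013-07-10T16:53:51Z">
      <saml:AudienceRestriction><saml:Audience>http://www.testsaml.com/tespsamlmodule</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="UID"><saml:AttributeValue>ab123</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uname"><saml:AttributeValue>robert</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>robert@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

SP = SpExpectations(
    idp_issuer="http://www.testidp.com:8080/opensso",
    audience="http://www.testsaml.com/tespsamlmodule",
    recipient="http://www.testsaml.com/tespsamlmodule",
)

if __name__ == "__main__":
    errs, attrs = validate_response(SAMPLE_RESPONSE, SP, parse_instant("2013-07-10T16:45:00Z"))
    print("errors:", errs)
    print("attributes:", attrs)
```

Every failed check is collected rather than raised on the first hit, so a log line at the SP shows the full picture of why a response was rejected; in production `now` is `datetime.now(timezone.utc)`, and the attributes are only handed to the session when the error list is empty and the signature library has already accepted the document.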
