
SAML 2.0 Assertion request

How do you use SAML 2.0 for redirecting a user from website A to website B? Once the user finishes his activity at website B, he should come back to website A, and based on the results from website B, he should be able to proceed on website A with further activity.

I am also confused by the idea of Service Provider (SP) and Identity Provider (IP). Will website A be a service provider or an identity provider, and similarly for website B?

My background in SAML 2.0 is literally zero, and I am reading documents to understand how to create a SAML 2.0 assertion. I am trying to implement this in Java.

Does anyone have a good starting primer for understanding SAML 2.0?

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2013-04-12T15:43:42.389Z" ID="413be1b7-ac2d-4324-a359-998935f11a66">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion Version="2.0" IssueInstant="2013-04-19T20:16:07.090Z" ID="SamlAssertion-25171a8736ed098dde8659e5ba250b5f" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ffx-ffe-w7-15.cgiabccompany.com</saml2:Issuer>
    <!-- signature contents were collapsed in the original post -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">test</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"><saml2:NameID>CN=ffx-ffe-w7-15.cgiabccompany.com, OU=ffx, OU=ffe, O=cgifederal, L=Herndon, ST=VA, C=US</saml2:NameID></saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotOnOrAfter="2013-04-19T20:21:08.437Z" NotBefore="2013-04-19T20:14:08.437Z"/>
    <saml2:AttributeStatement>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="State Exchange Code">
        <saml2:AttributeValue>MD0</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="User Type">
        <saml2:AttributeValue>Consumer</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="ABC Company User ID">
        <saml2:AttributeValue>john.doe@email.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Transfer Type">
        <saml2:AttributeValue>Direct Service</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Keep Alive URL">
        <saml2:AttributeValue>https://www.mycompany.com/extendsession.jsp</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="First Name">
        <saml2:AttributeValue>JOHN</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Middle Name">
        <saml2:AttributeValue>FISCHER</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Last Name">
        <saml2:AttributeValue>DOE</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="City Name">
        <saml2:AttributeValue>PEORIA</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="State">
        <saml2:AttributeValue>IL</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Zip Code">
        <saml2:AttributeValue>20190</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement SessionNotOnOrAfter="2013-04-12T15:43:42.328Z" SessionIndex="session#1" AuthnInstant="2013-04-12T15:43:42.328Z">
      <saml2:SubjectLocality DNSName="2.175.111.190" Address="1234 Fishy LN, PEORIA, IL 20190"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>

A typical scenario for this is SAML Web SSO with artifact binding.

  1. Website A (SP) sees that the user does not have an authenticated session.
  2. The SP redirects the user to website B (IDP) with a SAML AuthnRequest as a URL parameter.
  3. The IDP authenticates the user and redirects it back to the SP with an artifact in a URL parameter.
  4. The SP exchanges the Artifact for an Assertion over SOAP using an ArtifactResolveRequest to the IDP.

The Assertion is the evidence of the user being authenticated and can contain information about the user that the IDP has stored, for example a uid.

In the scenario you're talking about, website A is the SP and website B the IDP. The SP is the entity wanting a user authenticated; the IDP (Identity Provider) is the entity providing authentication.

SAML SSO is achieved using many products, for example OpenAM or Shibboleth. If you want to build SAML into your software you can use libraries like OpenSAML or the Spring SAML module.

My book, A Guide to OpenSAML, gives a good introduction to SAML and the OpenSAML library.

Other relevant reading is the SAML technical overview and these posts on my blog.

Need help? Ask me a question on the blog. Need a lot of help? I'm a consultant for hire.
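An added example, not code from the question or the answer: once step 4 of the flow above has handed website A (the SP) an Assertion like the one posted in the question, these are the minimum checks the SP should run before trusting it (Success status, expected Issuer, a signature present, the Conditions time window), using only the Python standard library. The embedded sample is a constructed, trimmed copy of the question's Response; verifying the XML-DSig itself against the IdP certificate is a separate step this snippet does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample: a trimmed copy of the Response from the question (same issuer, IDs and times).
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"
  IssueInstant="2013-04-12T15:43:42.389Z" ID="413be1b7-ac2d-4324-a359-998935f11a66">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    IssueInstant="2013-04-19T20:16:07.090Z" ID="SamlAssertion-25171a8736ed098dde8659e5ba250b5f">
    <saml2:Issuer>ffx-ffe-w7-15.cgiabccompany.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml2:Subject><saml2:NameID>test</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2013-04-19T20:14:08.437Z" NotOnOrAfter="2013-04-19T20:21:08.437Z"/>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="ABC Company User ID"><saml2:AttributeValue>john.doe@email.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_ts(value):
    # SAML dateTime values are UTC with a trailing Z, e.g. 2013-04-19T20:14:08.437Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_issuer, now):
    """SP-side checks on a Response; returns the subject and attributes or raises ValueError."""
    resp = ET.fromstring(xml_text)
    code = resp.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = resp.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:  # only the IdP we federated with may vouch for users
        raise ValueError("unexpected Issuer: %r" % issuer)
    if assertion.find("ds:Signature", NS) is None:  # presence only; XML-DSig verification is separate
        raise ValueError("Assertion is not signed")
    cond = assertion.find("saml2:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa and parse_ts(nb) <= now < parse_ts(noa)):  # NotOnOrAfter is exclusive
        raise ValueError("Assertion missing or outside its validity window")
    subject = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS).strip()
    attrs = {a.get("Name"): a.findtext("saml2:AttributeValue", default="", namespaces=NS).strip()
             for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    return {"subject": subject, "attributes": attrs}
```

`now` is passed in rather than read from the clock so the 2013 timestamps in the sample can be checked; a production SP would also enforce AudienceRestriction and reject an Assertion ID it has already consumed.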
