
SAML service provider signature verification

This is a basic question about the SAML protocol and how it specifies verification of a SAML token.

Looking at different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token. I am interested in clarifying step 5 (Request the Assertion Consumer Service at the SP) from wiki SAMPL_wiki. Mainly, token verification is done on the Service Provider without additional calls to the IdP.
Token validation consists of 3 steps:
1. Verify the token is well-formed
2. Verify the token is coming from the intended authority
3. Verify the token is meant for the current application

Is this assumption right?

From a very high level, yes, your three steps are correct.

More specifically:

1 will include decoding the base64-encoded response, checking it against the schema, etc.

2 will be done via signature validation, checking the authority, seeing if it's a response to a sent AuthnRequest and matching it, etc.

3 comes from checking the relay state and ensuring that it is a location that is "protected" by the service provider.
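The three steps above, carried through as an added example that is not part of the original question or answer. It uses only the Python standard library and implements every check an SP can do locally without contacting the IdP: base64 decoding and well-formedness (step 1), Issuer, InResponseTo matching against the SP's own outstanding AuthnRequests, and the requirement that the XML signature's Reference actually covers the Assertion being trusted (step 2), and Destination, Audience, SubjectConfirmationData Recipient and the validity window (step 3). The cryptographic XML-DSig check itself is delegated to a caller-supplied callable, since canonicalisation and key handling belong in a dedicated library; the comment in the code says which key that callable must use. The entity IDs, URLs, the `_req42` request ID and the embedded sample Response are all constructed for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Hypothetical SP configuration (assumed values, not from the page).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
CLOCK_SKEW = timedelta(minutes=3)


def _iso(ts: str) -> datetime:
    """SAML timestamps are UTC ISO 8601, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(b64_response: str, outstanding_requests: Dict[str, str],
                      verify_xmldsig: Callable[[ET.Element, ET.Element], bool],
                      now: Optional[datetime] = None) -> str:
    """Return the NameID of the authenticated subject, or raise ValueError.

    outstanding_requests maps AuthnRequest IDs this SP issued to the RelayState they
    belong to; the matching entry is consumed so the Response cannot be replayed.
    verify_xmldsig(signature, signed_element) must return True only if the signature
    verifies with the IdP certificate configured from IdP metadata - never with a
    certificate taken from the KeyInfo inside the message itself.
    """
    now = now or datetime.now(timezone.utc)
    # Step 1: decode and make sure it is well-formed samlp:Response XML.
    try:
        root = ET.fromstring(base64.b64decode(b64_response, validate=True))
    except Exception as exc:
        raise ValueError(f"malformed response: {exc}") from None
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("root element is not samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    # Step 2: from the expected authority, and an answer to a request we sent?
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion not handled here)")
    if assertion.find("saml:Issuer", NS) is None:
        raise ValueError("Assertion has no Issuer")
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is not None and (issuer.text or "").strip() != IDP_ENTITY_ID:
            raise ValueError("Issuer is not the configured IdP")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_requests:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    # The signature must cover the Assertion we are about to trust (or the whole
    # Response). Checking the Reference URI defeats signature-wrapping tricks where a
    # valid signature over some other element sits next to a forged assertion.
    signature, signed = assertion.find("ds:Signature", NS), assertion
    if signature is None:
        signature, signed = root.find("ds:Signature", NS), root
    if signature is None:
        raise ValueError("unsigned response")
    ref = signature.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (signed.get("ID") or ""):
        raise ValueError("signature does not reference the element being trusted")
    if not verify_xmldsig(signature, signed):
        raise ValueError("signature verification failed")
    # Step 3: meant for this SP, at this endpoint, right now?
    dest = root.get("Destination")
    if dest is not None and dest != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    audiences = [(a.text or "").strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP (Audience)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_iso(cond.get("NotBefore")) - CLOCK_SKEW <= now
                            < _iso(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise ValueError("SubjectConfirmationData does not bind the assertion to our request")
    del outstanding_requests[in_response_to]  # one-time use: blocks replay
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID")
    return name_id.text.strip()


def sample_response(audience=SP_ENTITY_ID, in_response_to="_req42", signed_id="_a1") -> str:
    """Constructed sample Response (base64). The ds:Signature is structural only;
    its cryptographic check is the verify_xmldsig callable's job."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{signed_id}"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check(b64: str, now: str = "2024-05-01T12:01:00Z") -> str:
    """Run validate_response with one outstanding request (_req42) and an always-true
    signature callable standing in for a real XML-DSig library."""
    try:
        return validate_response(b64, {"_req42": "/dashboard"}, lambda sig, el: True, _iso(now))
    except ValueError as exc:
        return "REJECTED: " + str(exc)


if __name__ == "__main__":
    print(check(sample_response()))                                   # alice@example.com
    print(check(sample_response(audience="https://other-sp.example.net")))  # REJECTED: Audience
    print(check(sample_response(signed_id="_r1")))                    # REJECTED: signature reference
```

The order of checks matters: InResponseTo and Issuer are tested before the signature callable runs, so an unsolicited or mis-issued message never reaches the expensive cryptographic step, and the Audience, Recipient and time-window checks run only on an assertion whose signature already covers it. Replace the always-true lambda with a real verifier bound to the IdP certificate from metadata before using anything like this.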
