
How is the principal identified in the AuthnRequest for SAML 2.0 Web Browser SSO

I'm new to SAML and having a bit of trouble fully understanding the full SAML2 SSO process.

Specifically, when the Service Provider responds to a resource request with an <AuthnRequest> element, what piece of data in the element identifies the principal (i.e. the user) to be validated by the identity provider?

For example, there does not appear to be anything to identify the principal in the following AuthnRequest:

    <samlp:AuthnRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_1"
        Version="2.0"
        IssueInstant="2004-12-05T09:21:59"
        AssertionConsumerServiceIndex="0">
      <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
      <samlp:NameIDPolicy
          AllowCreate="true"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </samlp:AuthnRequest>

Does the information identifying the principal get added after the AuthnRequest reaches the browser (maybe from a cookie?), or does information identifying the specific user not get sent to the identity provider at all?

The spec says the following on the Authentication Request (SAML Profiles, http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf , section 4.1.4.1):

Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion.

This is however rarely used and not widely implemented across different providers/stacks, so your mileage may vary. In fact there are deployment profiles that explicitly forbid usage of the <Subject>, e.g. http://saml2int.org/profile/current/ section 8.2 says:

The <saml2p:AuthnRequest> message MUST NOT contain a <saml2:Subject> element.

The usual interaction is that the Service Provider determines the Identity Provider but not the user. The latter is left to the Identity Provider, both identification and authentication. That is a cleaner interface that avoids potential clashes between the two about identifiers and accounts.
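As an added example (not part of the question or answer above), the following Python shows what an IdP-side receiver can actually learn about the principal from an AuthnRequest: NameIDPolicy only constrains the kind of identifier to return, and only the rarely used <saml:Subject> would name a user, which the saml2int check below rejects. The two request strings are constructed here; the stdlib XML parser is an assumption for the demo and a hardened parser such as defusedxml should be used on real input.

```python
"""Inspect a SAML 2.0 AuthnRequest for how (if at all) it names the principal."""
import xml.etree.ElementTree as ET  # assumption: stdlib parser for the demo only

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def inspect_authn_request(xml_text: str) -> dict:
    """Return what the request says about the principal (usually: nothing)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")      # identifier *format* only
    subject = root.find(f"{{{SAML}}}Subject")           # optional, rarely present
    name_id = subject.find(f"{{{SAML}}}NameID") if subject is not None else None
    return {
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "allow_create": policy is not None and policy.get("AllowCreate", "false").lower() == "true",
        "has_subject": subject is not None,
        "requested_principal": name_id.text.strip() if name_id is not None and name_id.text else None,
    }


def check_saml2int(xml_text: str) -> list[str]:
    """IdP-side policy check mirroring saml2int section 8.2: no <Subject> allowed."""
    info = inspect_authn_request(xml_text)
    problems = []
    if info["has_subject"]:
        problems.append("AuthnRequest contains <saml:Subject>; saml2int 8.2 forbids it")
    return problems


# Constructed sample 1: the request from the question (names no principal).
REQUEST_NO_SUBJECT = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="identifier_1" Version="2.0" IssueInstant="2004-12-05T09:21:59"
  AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""

# Constructed sample 2: same request carrying the optional <saml:Subject>
# (schema order puts Subject before NameIDPolicy).
REQUEST_WITH_SUBJECT = REQUEST_NO_SUBJECT.replace(
    "<samlp:NameIDPolicy",
    "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>\n  <samlp:NameIDPolicy")
```

Even when a Subject is present and the deployment profile allows it, the IdP still authenticates the user itself and must compare the authenticated identity against the requested one rather than trust the SP's claim.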
