
How do you implement SAML for SSO with Influitive?

I am trying to implement SSO via SAML for my Influitive hub. I have followed their documentation here and have set up my environment per their specifications. I have the fingerprint of my cert as well as an endpoint to handle their SAMLRequests via the QueryString.

I am using the Web Browser SSO use case outlined here.

For forming my SAML Response, I followed the examples here.

I also followed this example for generating a certificate, as well as generating and then signing my SAML Response. However, in my efforts to fix my implementation, I altered the signing method to be SHA1.

For submitting my form, I bound values from my codebehind to an HTML form that POSTed, essentially, this:

<form method="post" action="https://{myhub}.influitive.com/saml/consume">
    <input type="hidden" name="SAMLResponse" value="{Base64EncodedStringofSAMLResponse}" />
    <input type="hidden" name="RelayState" value="https://{myhub}.influitive.com/about" />
</form>

<script>
    // Auto-submit the HTTP-POST binding form once the page loads, but only when a response was rendered
    if ("{Base64EncodedStringofSAMLResponse}" != "") {
        window.onload = function () {
            document.forms[0].submit();
        }
    }
</script>


The problem is whenever my form POSTs, I keep getting a 500 Internal Server error, even though my SAML Response is formed, signed, and encoded properly. How do I fix this?

The problem is actually from an unnecessary "Issuer" tag in my SAML Response.

I included two of them based on examples I found online. I took out the first instance of the Issuer tag but left the second instance, inside the Assertion tag, and it worked. Influitive support looked up the logs for my hub and sent me an error message saying approximately this.

Here is an example of the correctly formed, signed SAML Response.

<samlp:Response 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
Destination="https://{YOURHUB}.influitive.com/saml/consume" 
ID="{A GUID}" 
IssueInstant="{CURRENT UTC TIME}" 
Version="2.0" 
InResponseTo="{ID of Influitive SAMLRequest, or leave blank for IdP initiated SSO}">
<!-- No top-level saml:Issuer here: the hub returned 500 when one was present alongside the Assertion's Issuer -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <!-- The Reference URI must be "#" followed by the ID of the signed element, i.e. the Response ID above -->
        <Reference URI="#{A GUID}">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>{The DigestValue}</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>{The SignatureValue}</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>{The X509Cert}</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion 
    ID="{A SECOND GUID}" 
    IssueInstant="{CURRENT UTC TIME}" 
    Version="2.0">
    <saml:Issuer>{Name of the Issuer. Shouldn't really matter}</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="Influitive-AdvocateHub">example@gmail.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="{CURRENT UTC TIME + 1 MINUTE}" Recipient="https://{YOURHUB}.influitive.com/saml/consume" InResponseTo="{ID of Influitive SAMLRequest, or leave blank for IdP initiated SSO}" />
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{CURRENT UTC TIME}" NotOnOrAfter="{CURRENT UTC TIME + 1 MINUTE}">
        <saml:AudienceRestriction>
            <saml:Audience>Influitive-AdvocateHub</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{CURRENT UTC TIME}">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">{SOME FIRST NAME}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">{SOME LAST NAME}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">{example@gmail.com}</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

If you have any more questions about how to generate this SAML Response, how to sign it with a cert, or encode or ANYTHING, please let me know! This was a huge PITA and I would relish the opportunity to help anyone else with this.
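Added example, not code from the question, the answer, or Influitive: a small Python lint that checks a SAML Response for the layout rules the answer relies on before it is POSTed to the ACS, namely no top-level Issuer beside the Assertion's Issuer, a Signature Reference pointing at the Response ID, Destination and Recipient equal to the ACS URL, the expected Audience, and a clock inside the Conditions window. The hub URL, the clock and the Response skeleton are constructed for the test, and the XML signature itself is not verified here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://myhub.influitive.com/saml/consume"  # constructed hub ACS URL (added example, not the post's code)
NOW = datetime(2020, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock inside the sample's window
def _utc(s):  # SAML timestamps are ISO 8601 in UTC
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def lint_saml_response(xml_text, acs_url, audience, now):
    """Return layout problems an SP would reject; an empty list means the Response passed."""
    root, problems = ET.fromstring(xml_text), []
    if root.find("saml:Issuer", NS) is not None:  # the duplicate Issuer that produced the 500
        problems.append("top-level Issuer next to the Assertion's Issuer")
    if root.get("Destination") != acs_url:
        problems.append("Destination != ACS URL")
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
        problems.append("Signature Reference URI must be '#' + Response ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected exactly one Assertion")
    for a in assertions:
        if len(a.findall("saml:Issuer", NS)) != 1:
            problems.append("Assertion needs exactly one Issuer")
        if audience not in [e.text for e in a.iterfind(".//saml:Audience", NS)]:
            problems.append("Audience %r missing" % audience)
        cond = a.find("saml:Conditions", NS)
        try:  # missing or malformed timestamps fail closed
            ok = _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))
        except (AttributeError, TypeError, ValueError):
            ok = False
        if not ok:
            problems.append("now is outside the Conditions validity window")
        scd = a.find(".//saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient != ACS URL")
    return problems

def sample_response(extra_top_issuer):
    top = "<saml:Issuer>idp</saml:Issuer>" if extra_top_issuer else ""  # constructed skeleton; Signature is a stub
    return f'''<samlp:Response xmlns:saml="{NS["saml"]}" xmlns:samlp="{NS["samlp"]}"
  ID="_abc" Version="2.0" IssueInstant="2020-01-01T12:00:00Z" Destination="{ACS}">{top}
  <Signature xmlns="{NS["ds"]}"><SignedInfo><Reference URI="#_abc"/></SignedInfo></Signature>
  <saml:Assertion ID="_def" Version="2.0" IssueInstant="2020-01-01T12:00:00Z"><saml:Issuer>idp</saml:Issuer>
    <saml:Subject><saml:NameID>example@gmail.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2020-01-01T12:01:00Z" Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T12:00:00Z" NotOnOrAfter="2020-01-01T12:01:00Z">
      <saml:AudienceRestriction><saml:Audience>Influitive-AdvocateHub</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>'''
```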
