
IdP initiated SSO with SimplesamlPHP

I am having trouble implementing an IdP initiated login with SimplesamlPHP. Understanding what I have to do from the documentation is not the easiest thing.

I am redirecting the user to the IdP server and after logging in, the server sends the SP an XML file which includes the user's email address, ID and other data. This looks like a successful login but at this point I don't know what to do with that XML. Should I parse it myself or use simplesaml for that? How do I validate the signature?

Here is the XML I am receiving:

<samlp:Response Destination="http://example.com/auth/acs" ID="HK1goP6OuzQs2Xrd-CN9gAkRt0Z" IssueInstant="2016-05-25T13:52:32.075Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Stage-az:sp:MediEventsregapp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#HK1goP6OuzQs2Xrd-CN9gAkRt0Z">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>anIASGQuZD+Z7oBVc/VJ9TuTDCcddHOkUHJuo4KGE4o=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Pw5N1U+IxXAkCARDLFHkSyinhCqy5jJ8ljkJRfVSCzWl9z/gZb87aSGs+1XH+yJJs9wOKlSisnaNBHDOPocoweqXMCePskQp0d46GX8FKLKrFPwNeyta/MnC+y2ujT/mRbd8znTkXt9ZKS2WNZbQuAgRP+4mIh+C4R0J7xjzBgPhJR+IpaAeSlFuI3oS2ggh5+fe68BQtreEAcwc4ehbt93SQA5ryXgVAWRX4COeuETj/4t5dVhk1f34JdUSO0n13U6xRheAyGJJ7njRMntNQCAGkcB6F7GEK0bEnLFTfImYhJOascURyjWUnCqyZbWt5SBKUNdWL1P90W2b17eqmg==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="VFBGJiVRjw.GE4s8KVI2G0oyIOv" IssueInstant="2016-05-25T13:52:32.106Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>Stage-az:sp:MediEventsregapp</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.smith@example.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2016-05-25T13:57:32.106Z" Recipient="http://example.com/auth/acs"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-05-25T13:47:32.106Z" NotOnOrAfter="2016-05-25T13:57:32.106Z">
        <saml:AudienceRestriction>
            <saml:Audience>Stage-az:sp:MediEventsregapp</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-05-25T13:52:32.106Z" SessionIndex="VFBGJiVRjw.GE4s8KVI2G0oyIOv">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="PRID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">kyjh364</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

simpleSAMLphp gives you the functions that you need in order to validate and process the SAMLResponse.

The IdP should be sending the SAMLResponse to the Service Provider's Assertion Consumer URL where the state is saved. All you need to do is to create a php file and use the following methods: https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api
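As an added illustration (not code from the answer above or from the SimpleSAMLphp project), this is what the application page reached after the IdP-initiated login looks like when the SP API is used instead of parsing the posted XML by hand. It assumes SimpleSAMLphp is installed under /var/simplesamlphp, that an authsource named 'default-sp' exists in config/authsources.php, and that the IdP's signing certificate is registered in metadata/saml20-idp-remote.php; the IdP entityID is a placeholder. Older 1.x releases spell the class SimpleSAML_Auth_Simple.

```php
<?php
// Added example, not part of the original answer.
// The IdP posts the SAMLResponse to SimpleSAMLphp's own ACS endpoint
// (module.php/saml/sp/saml2-acs.php/default-sp), not to this file. That
// endpoint verifies the ds:Signature against the certificate configured for
// the IdP in metadata/saml20-idp-remote.php, checks NotBefore/NotOnOrAfter,
// Recipient and Audience, then stores the attributes in the session and
// redirects here. This page therefore only reads verified session data.

require_once '/var/simplesamlphp/lib/_autoload.php';   // assumed install path

$as = new \SimpleSAML\Auth\Simple('default-sp');       // assumed authsource name

// For IdP-initiated SSO the session already exists at this point. A user who
// opens this page directly is instead sent through SP-initiated login.
$as->requireAuth();

// Attributes come from the verified AttributeStatement; every attribute is an
// array of values. The response in the question carries one attribute, "PRID".
$attributes = $as->getAttributes();
$prid = isset($attributes['PRID'][0]) ? $attributes['PRID'][0] : null;

// Pin the asserting IdP: a valid signature from some other configured IdP must
// not be accepted as a login for this one.
$expectedIdp = 'https://idp.example.com/saml2/idp/metadata.php'; // placeholder
if ($as->getAuthData('saml:sp:IdP') !== $expectedIdp) {
    http_response_code(403);
    exit('Assertion issued by an unexpected IdP');
}

if ($prid === null) {
    http_response_code(403);
    exit('Required attribute PRID missing from the assertion');
}

// Use $prid (and any other attributes) to look up or create the local account.
header('Content-Type: text/plain');
echo "Logged in with PRID " . $prid . "\n";
```

If the IdP metadata is missing or its certificate does not match, SimpleSAMLphp rejects the response at the ACS endpoint before this page runs, so do not work around such errors by parsing the XML yourself.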
