How to maintain the state parameter in Identity Provider (IdP) initiated SAML SSO?

I started with Service Provider based SSO for SAML. Since the user had to enter his email before proceeding with the login, a state variable was initiated and passed on to the SSO. It comes back through the callback URL and hence was checked again for sanity purposes. It protected against CSRF attacks.

Now IdP initiated SSO doesn't allow me to set the state variable at all. Login starts at the Identity Provider and only an auth token is provided to the app. I do not know which user is authenticating from the beginning. If I remove the state variable check, it could trigger a CSRF attack as well.

I am also using omniauth in Rails, which makes the state variable a compulsory param, and the SSO provider is Auth0.

What is the way to attach a state variable to IdP initiated SSO solutions?

The de-facto standard value of the RelayState parameter in IDP-init-SSO SAML flows is the URL that you want to send the user to after successful validation of the SAML assertion at the SP. That would work for the vast majority of SAML deployments out there.

However, that mechanism indeed does not protect against CSRF attacks; this is why the spec is silent on the value of RelayState in IDP-init-SSO and leaves it open to agree on mechanisms between IDP and SP to prevent CSRF through the value of that parameter. One such mechanism would be to use a signed value in the RelayState, but as said, nothing is standardized and it would thus depend on a bi-lateral agreement between IDP and SP, which does not scale.

In summary: send the value of the URL that you want the user to go to as the RelayState value in the "unsolicited" SAML Response that you send to the SP. How you get the IDP's SAML stack to do that is implementation specific. For Auth0 you can read on this at: https://auth0.com/docs/protocols/saml/saml-configuration#idp-initiated-sso , and in your case it would look like: https://{accountname}.auth0.com/samlp/YOUR_CLIENT_ID?RelayState=http://FINAL_DESTINATION_URL
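The signed-RelayState scheme the answer mentions, worked through at the SP side as an added example (not code from the answer, Auth0 or omniauth); the shared key, TTL and allowed host are constructed placeholders, and the verifier also enforces an expiry and a destination allow-list so that RelayState cannot be turned into an open redirect:

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'uri'
require 'securerandom'

# Constructed placeholders: the bilateral IdP/SP agreement the answer refers to.
RELAY_STATE_KEY = 'constructed-example-shared-secret'.freeze
RELAY_STATE_TTL = 300                       # seconds a RelayState stays valid
ALLOWED_HOSTS   = ['app.example.com'].freeze # destinations the SP will honour

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# IdP side: RelayState = base64url(JSON payload) "." base64url(HMAC-SHA256).
# The nonce makes every value unique; exp bounds how long it can be replayed.
def build_relay_state(destination_url, now: Time.now.to_i)
  payload = { 'url' => destination_url, 'exp' => now + RELAY_STATE_TTL,
              'nonce' => SecureRandom.hex(8) }.to_json
  encoded = Base64.urlsafe_encode64(payload, padding: false)
  mac = OpenSSL::HMAC.digest('SHA256', RELAY_STATE_KEY, encoded)
  "#{encoded}.#{Base64.urlsafe_encode64(mac, padding: false)}"
end

# SP side: returns the destination URL, or nil if the value is unsigned,
# tampered with, expired, or points outside the allow-list.
def verify_relay_state(relay_state, now: Time.now.to_i)
  encoded, sig = relay_state.to_s.split('.', 2)
  return nil if encoded.nil? || sig.nil?
  expected = OpenSSL::HMAC.digest('SHA256', RELAY_STATE_KEY, encoded)
  return nil unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
  payload = JSON.parse(Base64.urlsafe_decode64(encoded))
  return nil if payload['exp'].to_i < now
  uri = URI.parse(payload['url'].to_s)
  return nil unless uri.is_a?(URI::HTTPS) && ALLOWED_HOSTS.include?(uri.host)
  payload['url']
rescue JSON::ParserError, URI::InvalidURIError, ArgumentError
  nil
end
```

The SP still validates the SAML assertion itself (signature, audience, conditions) before looking at RelayState; this check only decides where a successfully authenticated user is sent.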
