堆栈内存溢出
  简体   繁体   English

PHP中的SSO SAML2.0实现

[英]SSO SAML2.0 implementation in PHP

 原文  2018-02-08 16:57:23       php/ certificate/ single-sign-on/ saml-2.0

问题描述

So I am setting up an SSO implementation FROM my website TO another site. 因此,我正在设置从我的网站到另一个网站的SSO实现。 I understand how to build the requests and sign them and all of that stuff. 我了解如何构建请求并对其进行签名以及所有这些内容。 What I am having trouble understanding is the certificates. 我无法理解的是证书。 Who gets what certificate, to be specific. 具体来说,谁获得了什么证书。 I know how to generate them, but I am not sure if I send over the certificate to the website I am signing into or if they have to generate the certificate and keystore and send us the certificate. 我知道如何生成它们,但是我不确定是否将证书发送到要登录的网站,或者是否必须生成证书和密钥库并向我们发送证书。 There is a little confusion in this part of the process for me that I could use a little help in clarifying. 在此过程的这一部分中,我有些困惑,因此我可以使用一些帮助进行澄清。

Since I am accessing their site, it would seem to me that they should generate the certificate and send it to us, and keep the keystore on their machine for the handshake. 由于我正在访问他们的站点,因此在我看来,他们应该生成证书并将其发送给我们,并将密钥库保留在其计算机上以进行握手。 If I have to generate both, where is the keystore typically kept? 如果必须同时生成两者,那么密钥库通常保存在哪里? We have a couple implementations of this on our site, but the developer that wrote them no longer works here and there is little to no documentation left behind. 我们在我们的站点上有一些实现,但是编写它们的开发人员在这里不再工作,几乎没有甚至没有文档。 Also, is the certificate a self-signed certificate that can be used in production? 另外,该证书是可以在生产中使用的自签名证书吗? I believe it is, but just want to be sure. 我相信是的,但是只是想确定一下。 Any help in clarification would be greatly appreciated. 任何澄清的帮助将不胜感激。

1 个解决方案

解决方案1
 1 已采纳  2018-02-09 09:10:41

It's public key infrastructure (PKI) so you each get the other's public key certificate. 它是公共密钥基础结构(PKI),因此你们每个人都可以获得对方的公共密钥证书。 It's normally done using the SAML2 metadata profile so you can have their public key certificate. 通常使用SAML2元数据配置文件完成此操作,因此您可以获取其公共密钥证书。

Looks like you're an IdP if they want the attributes encrypted you need to use their public key to do that. 如果他们想要对属性进行加密,则看起来您是一个IdP,您需要使用其公钥来执行此操作。 You sign your SAMLResponse to them with your private key and they validate it with your public key. 您用私钥对它们签名SAMLResponse,然后他们用公钥对其进行验证。 So you each generate your own keys and keep them secret as they are secret keys for signing. 因此,您每个人都会生成自己的密钥并将其保密,因为它们是用于签名的密钥。 You exchange public keys. 您交换公共密钥。

You need a certificate for your login endpoint but the other party don't need to see this. 您需要用于登录端点的证书,但另一方不需要看到此证书。 They only need your public key certificate for use with the XML exchange and you need their certificate to validate the signature on the SAMLResponse (if you're an SP). 他们只需要您的公共密钥证书即可用于XML交换,并且您需要他们的证书来验证SAMLResponse上的签名(如果您是SP)。

The certificate for working with the SAML XML is normally 10 year self signed. 使用SAML XML的证书通常是10年自签名的。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 PingIdentity SAML2.0 EncryptedAssertion —解密密码数据时遇到问题 - PingIdentity SAML2.0 EncryptedAssertion — Trouble decrypting cipherdata SSOCircle不断重定向到“同意”页面SAML2.0 - SSOCircle keeps redirecting to Consent page SAML2.0 实施SAML 2.0 SSO不同的IDPS - Implement SAML 2.0 SSO different Idps 如何在php中为SAML 2.0 SSO的AuthNRequest中嵌入签名 - How do I embed a signature within an AuthNRequest for SAML 2.0 SSO in php Google SAML APP SSO 与 php 应用程序集成 - Google SAML APP SSO integrate with php application php应用程序中的Google SAML APP SSO身份验证 - Google SAML APP SSO authentication in php application 在PHP应用程序中使用SAML的AWS SSO - AWS SSO using SAML in php application 实施SAML 2.0和php的问题 - Issues with implementing SAML 2.0 and php 使用 PHP 的 SAML 2.0 身份验证 - SAML 2.0 Authentication Using PHP SSO - 如何从Intranet(SAML 2.0)自动登录外部网站? - SSO - how to automatically log into an external website from an intranet (SAML 2.0)?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM