堆栈内存溢出
  简体   繁体   English

SAML IdP如何与SP传达更改?

[英]How does a SAML IdP communicate changes with the SP?

 原文  2018-02-27 19:47:20       php/ saml/ simplesamlphp/ onelogin

问题描述

I'm working to integrate SAML SSO into an older PHP application. 我正在努力将SAML SSO集成到较旧的PHP应用程序中。 I am using simplesamlphp to set up my service provider and for testing purposes, I have a OneLogin dev account set up with a "SAML Test Connector (IdP w/attr)" test application as my IdP. 我正在使用simplesamlphp设置我的服务提供商,并且出于测试目的,我使用OneLogin开发帐户设置了一个“ SAML测试连接器(IdP w / attr)”测试应用程序作为我的IdP。 I can successfully sign in, and I can log the user out using single log out. 我可以成功登录,也可以使用一次注销来注销用户。 What I'm currently lost with is how the IdP communicates changes such as forced sign out and removing access to the application. 我目前所迷惑的是IdP如何传达更改,例如强制注销和删除对应用程序的访问。

I had assumed that OneLogin would send a request to the URL I provide as the "Single Logout URL" once I forced a user to sign out or removed their privileges to the application along with enough data to identify the user. 我以为一旦我强迫用户注销或删除其对应用程序的特权以及足够的数据来标识用户,OneLogin便会将请求发送到我提供的URL作为“单一注销URL”。 I would then expire that user's session in the service provider and everything would be good. 然后,我将在服务提供商中终止该用户的会话,一切都会很好。 But OneLogin isn't sending that request like I am expecting (it is only called after I initiate a single logout process on my end). 但是OneLogin并没有像我期望的那样发送该请求(仅在我启动一个注销过程之后才调用该请求)。 The other option would seem to be me sending requests to OneLogin to validate the session frequently, but that seems inefficient. 另一个选择似乎是我经常向OneLogin发送请求以验证会话,但这似乎效率很低。

What is the proper method for acquiring session/privilege updates from SAML? 从SAML获取会话/特权更新的正确方法是什么?

1 个解决方案

解决方案1
 0 已采纳  2018-02-27 21:11:56

From what I read, you don't get updates, you ask IdP about them (request user login or logout, which will check user status): http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline 从我阅读的内容中,您没有得到更新,而是向IdP询问有关更新(请求用户登录或注销,这将检查用户状态): http : //docs.oasis-open.org/security/saml/Post2.0 /sstc-saml-tech-overview-2.0-cd-02.html#5.3.Single%20Logout%20Profile|outline

I don't think simplesamlphp would act as kind of enforcer of policies, you login as a user, you get your cookie until it expires. 我认为simplesamlphp不会充当策略的执行者,您以用户身份登录,就可以得到cookie直到过期。

I know you can set up session cookie duration to reasonable value in config.php of simplesamlphp, try that. 我知道您可以在simplesamlphp的config.php中将会话cookie持续时间设置为合理的值,尝试一下。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 SimpleSAMLphp SP是否需要与IdP通信? - Does SimpleSAMLphp SP need to communicate with IdP? 使用simpleSAMLphp作为SP和OpenAM作为IdP的SAML - SAML with simpleSAMLphp as SP and OpenAM as IdP 我需要SAML IdP或SP - SAML IdP or SP, which do I need 使用现有的 Idp 和 SP 在 Laravel 中集成 SAML - Integrate SAML in Laravel using existing Idp and SP 我们如何设置应用程序(SP)以在PHP的SAML中使用集中式公司IdP? - How do we set up an application (SP) to use the centralized company IdP in SAML in PHP? SAML是否可以将非PingFederate SP与PingFederate IdP连接? - SAML can a non PingFederate SP be connected with a PingFederate IdP? SimpleSAMLphp无法检索IdP'http://simpleidp/simplesaml/saml2/idp/metadata.php'的元数据,因为它不是此SP的有效IdP - SimpleSAMLphp Cannot retrieve metadata for IdP 'http://simpleidp/simplesaml/saml2/idp/metadata.php' because it isn't a valid IdP for this SP 如何为单个IdP配置多个SP - How to configure multiple SP for a single IdP simplesaml是否像SP一样为IdP提供任何API? - Does simplesaml provide any API for IdP as it does for SP? PHP SAML IdP优先 - PHP SAML IdP First
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM