
SAML metadata file and SSO

Aim

To navigate to a URL using SSO.

Info

I have been given an SP SAML metadata file by a third party.

Question

Using Java & JavaScript, how do I navigate to the endpoint URL?

I have seen a number of articles on SAML architecture, but cannot seem to find how to just navigate to an endpoint. I presume this could even be tested in Postman just like a JWT can.

More info

I am new to SAML, but have been reading up on the topic. From what I can tell, I am the 'Principal' and the third-party is the 'Service Provider'. It looks like they used onelogin to generate the SP metadata file.

e.g.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-14T14:43:29Z" cacheDuration="PT604800S" entityID="https://testentityid">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://logoutendpoint"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://consumeendpoint" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

The Principal is the user the IdP is authenticating. A simple flow is essentially, using the SAML Web Browser SSO Profile:

  1. User goes to a resource at a Service Provider (SP)
  2. The SP detects the user has no session and redirects the browser to the SSO endpoint of the IdP
  3. The IdP authenticates the user (Principal)
  4. The IdP redirects the browser to the SP's AssertionConsumerService URL along with a SAML Response encoded in the URL, which contains the Principal's SAML Attributes.

There are various SAML Request/Response examples here and various ways of the SP redirecting the browser, either via GET or POST SAML binding. Plus a lot of other essentials such as certificates and signatures based on keys in the metadata of each entity (IdP and SP).

Normally you have to sign a SAML Request using your private key and the other entity (IdP for example) verifies that signature using your public key from your SAML metadata, <md:KeyDescriptor use="signing">/X509Data/X509Certificate above. An unsolicited SAML Response sent to an SP may not be relevant but it would need to be signed with the private key of the IdP and the SP would need to have the public key of the IdP to verify the signature.
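As an added illustration (not code from the question or the answer above), here is a Python script that reads the SP metadata posted in the question and extracts what an IdP actually needs before it can deliver a SAML Response: the AssertionConsumerService URL, its binding, and the signing certificate, followed by a few sanity checks (expired validUntil, non-HTTPS endpoint, WantAssertionsSigned=false). The embedded metadata is a constructed copy of the question's sample with its placeholder values; the function names are my own.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # for untrusted metadata prefer defusedxml (third-party)

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the SP metadata from the question, placeholder values included.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-14T14:43:29Z" cacheDuration="PT604800S" entityID="https://testentityid">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>certificate</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://logoutendpoint"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://consumeendpoint" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Extract where the SAML Response goes, with which binding, and which cert verifies SP signatures."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding").rsplit(":", 1)[-1],  # e.g. "HTTP-POST"
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_cert": cert.text.strip() if cert is not None else None,
    }

def check_sp_metadata(info, now_utc):
    """Checks to run before trusting the metadata; now_utc is a '%Y-%m-%dT%H:%M:%SZ' string."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    findings = []
    if dt.datetime.strptime(now_utc, fmt) > dt.datetime.strptime(info["valid_until"], fmt):
        findings.append("validUntil has passed; request fresh metadata from the SP")
    if not info["acs_url"].startswith("https://"):
        findings.append("AssertionConsumerService is not https")
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned=false: sign the Response anyway, it is the SP's only proof")
    if info["signing_cert"] in (None, "", "certificate"):
        findings.append("signing certificate is a placeholder, not a real X.509 certificate")
    return findings
```

The validUntil in the question's sample is already in the past, so a run against today's date reports expired metadata first; the rest of the findings explain why the IdP side should still sign even though the SP does not demand it.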
