简体繁体 English

SAML SSO 不确定用户如何访问受 IDP 发起的 SAML 的受保护 SP 页面

[英]SAML SSO Unsure how a user gets to the protected SP page for IDP initiated SAML

原文 2021-12-01 23:50:26 1 1 single-sign-on/ saml/ idp

I currently maintain an in-house SAML IDP written utilising LightSaml.我目前维护一个使用 LightSaml 编写的内部 SAML IDP。 This has served the company well for the last 2 years working with SP initiated SSO.在与 SP 发起的 SSO 合作的过去 2 年中，这为公司提供了良好的服务。 I have recently been tasked with implementing IDP initiated SSO and I'm not able to work out how the user is automatically redirected to the desired protected page once they're authenticated.我最近的任务是实施 IDP 发起的 SSO，但我无法弄清楚用户在通过身份验证后如何自动重定向到所需的受保护页面。

In SP initiated SSO, the user starts at the page they want, therefore the SP knows where they want to end up after being authenticated.在 SP 发起的 SSO 中，用户从他们想要的页面开始，因此 SP 在通过身份验证后知道他们想要结束的位置。 So in this case, the SP handles the final redirection.所以在这种情况下，SP 处理最终的重定向。

In IDP initiated SSO, the SP doesn't actually know what protected page the user wants, so could someone explain what happens after the IDP sends the auth response to the SP?在 IDP 发起的 SSO 中，SP 实际上并不知道用户想要什么受保护的页面，所以有人可以解释 IDP 向 SP 发送身份验证响应后会发生什么吗？

Thanks in advance.提前致谢。

1 个解决方案

In IdP-initiated SSO, along with the SAML response, the IdP can send relay state.在 IdP 发起的 SSO 中，连同 SAML 响应，IdP 可以发送中继 state。 This relay state is the URL the SP should redirect to once SSO completes.此继电器 state 是 SSO 完成后 SP 应重定向到的 URL。 If no relay state is sent, the SP will most likely redirect to some default page.如果没有发送中继 state，SP 很可能会重定向到某个默认页面。

A typical scenario is that the IdP has a portal page with one or more links representing different pages at the SP.一个典型的场景是 IdP 有一个门户页面，其中一个或多个链接代表 SP 的不同页面。 If the user clicks link #1, the IdP initiates SSO to the SP and sets the relay state to the page #1 URL.如果用户单击链接 #1，IdP 会向 SP 发起 SSO，并将继电器 state 设置为页面 #1 URL。 If the user clicks link #2, the IdP initiates SSO to the SP and sets the relay state to the page #2 URL.如果用户单击链接 #2，IdP 会向 SP 发起 SSO，并将继电器 state 设置为页面 #2 URL。