SAML元数据文件和SSO

huangapple go评论84阅读模式
英文:

SAML metadata file and SSO

问题

目标

通过单点登录(SSO)导航到一个URL。

信息

我从第三方那里得到了一个SP SAML元数据文件。

问题

使用Java和JavaScript,我如何导航到终端URL?

我已经看过许多关于SAML架构的文章,但似乎找不到如何导航到终端的方法。我猜这甚至可以像测试JWT一样在Postman中测试。

更多信息

我对SAML还很陌生,但已经在这个主题上进行了阅读。从我所了解的情况来看,我是'Principal',而第三方是'Service Provider'。看起来他们使用onelogin生成了SP元数据文件。

例如:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-14T14:43:29Z" cacheDuration="PT604800S" entityID="https://testentityid">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://logoutendpoint"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://consumeendpoint" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
英文:

Aim

To navigate to a url using SSO.

Info

I have been given a SP SAML metadata file by a third party.

Question

Using Java & JavaScript, how do I navigate to the endpoint url?

I have seen a number of articles on SAML architecture , but cannot seem to find how to just navigate to an endpoint. I presume this could even be tested in Postman just like a JWT can.

More info

I am new to SAML, but have been reading up on the topic. From what I can tell, is I am the 'Principal' and the third-party is the 'Service Provider'. It looks like they used onelogin to generate the SP metatdata file.

e.g.

&lt;?xml version=&quot;1.0&quot;?&gt;
&lt;md:EntityDescriptor xmlns:md=&quot;urn:oasis:names:tc:SAML:2.0:metadata&quot; validUntil=&quot;2020-10-14T14:43:29Z&quot; cacheDuration=&quot;PT604800S&quot; entityID=&quot;https://testentityid&quot;&gt;
  &lt;md:SPSSODescriptor AuthnRequestsSigned=&quot;false&quot; WantAssertionsSigned=&quot;false&quot; protocolSupportEnumeration=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot;&gt;
    &lt;md:KeyDescriptor use=&quot;signing&quot;&gt;
      &lt;ds:KeyInfo xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;
        &lt;ds:X509Data&gt;
          &lt;ds:X509Certificate&gt;certificate&lt;/ds:X509Certificate&gt;
        &lt;/ds:X509Data&gt;
      &lt;/ds:KeyInfo&gt;
    &lt;/md:KeyDescriptor&gt;
    &lt;md:KeyDescriptor use=&quot;encryption&quot;&gt;
      &lt;ds:KeyInfo xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;
        &lt;ds:X509Data&gt;
          &lt;ds:X509Certificate&gt;certificate&lt;/ds:X509Certificate&gt;
        &lt;/ds:X509Data&gt;
      &lt;/ds:KeyInfo&gt;
    &lt;/md:KeyDescriptor&gt;
    &lt;md:SingleLogoutService Binding=&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect&quot; Location=&quot;https://logoutendpoint&quot;/&gt;
    &lt;md:NameIDFormat&gt;urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified&lt;/md:NameIDFormat&gt;
    &lt;md:AssertionConsumerService Binding=&quot;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&quot; Location=&quot;https://consumeendpoint&quot; index=&quot;1&quot;/&gt;
  &lt;/md:SPSSODescriptor&gt;
&lt;/md:EntityDescriptor&gt;

答案1

得分: 1

主体是由IdP进行身份验证的用户。一个简单的流程基本上是使用SAML Web浏览器SSO配置文件

  1. 用户访问服务提供商(SP)的资源。
  2. SP检测到用户没有会话,并将浏览器重定向到IdP的SSO端点。
  3. IdP对用户(主体)进行身份验证。
  4. IdP将浏览器重定向到SP的AssertionConsumerService URL,同时在URL中编码了一个包含主体SAML属性的SAML响应。

这里有各种SAML请求/响应示例链接,SP重定向浏览器的各种方式,无论是通过GET还是POST SAML绑定。还有许多其他基本要素,比如基于元数据中的密钥的证书和签名(IdP和SP的元数据)。

通常情况下,您必须使用您的私钥对SAML请求进行签名,而另一个实体(例如IdP)会使用您SAML元数据中的公钥来验证该签名,即&lt;md:KeyDescriptor use=&quot;signing&quot;&gt;/X509Data/X509Certificate。不经请求的SAML响应发送到SP可能不相关,但需要使用IdP的私钥对其进行签名,而SP需要拥有IdP的公钥来验证签名。

英文:

The Principal is the user the IdP is authenticating. A simple flow is essentially, using the SAML Web Browser SSO Profile:

  1. User goes to a resource at a Service Provider (SP)
  2. The SP detects the user has no session and redirects the browser to the SSO endpoint of the IdP
  3. The IdP authenticates the user (Principal)
  4. The IdP redirects the browser to the SP's AssertionConsumerService URL along with a SAML Response encoded in the URL, which contains the Principal's SAML Attributes.

There are various SAML Request/Response examples here and various ways of the SP redirecting the browser, either via GET or POST SAML binding. Plus a lot of other essentials such as certificates and signatures based on keys in the metadata of each entity (IdP and SP).

Normally you have to sign a SAML Request using your private key and the other entity (IdP for example) verifies that signature using your public key from your SAML metadata, &lt;md:KeyDescriptor use=&quot;signing&quot;&gt;/X509Data/X509Certificate above. An unsolicited SAML Response sent to an SP may not be relevant but it would need to be signed with the private key of the IdP and the SP would need to have the public key of the IdP to verify the signature.

huangapple
  • 本文由 发表于 2020年10月13日 14:22:04
  • 转载请务必保留本文链接:https://go.coder-hub.com/64329657.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定