
SAML metadata file and SSO

Question

Aim

To navigate to a url using SSO.

Info

I have been given a SP SAML metadata file by a third party.

Question

Using Java & JavaScript, how do I navigate to the endpoint url?

I have seen a number of articles on SAML architecture, but cannot seem to find how to just navigate to an endpoint. I presume this could even be tested in Postman just like a JWT can.

More info

I am new to SAML, but have been reading up on the topic. From what I can tell, I am the 'Principal' and the third-party is the 'Service Provider'. It looks like they used onelogin to generate the SP metadata file.

e.g.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-14T14:43:29Z" cacheDuration="PT604800S" entityID="https://testentityid">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://logoutendpoint"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://consumeendpoint" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Answer 1

Score: 1

The Principal is the user the IdP is authenticating. A simple flow, using the SAML Web Browser SSO Profile, is essentially:

  1. User goes to a resource at a Service Provider (SP)
  2. The SP detects the user has no session and redirects the browser to the SSO endpoint of the IdP
  3. The IdP authenticates the user (Principal)
  4. The IdP redirects the browser to the SP's AssertionConsumerService URL along with a SAML Response encoded in the URL, which contains the Principal's SAML Attributes.

There are various SAML Request/Response examples here and various ways of the SP redirecting the browser, either via GET or POST SAML binding. Plus a lot of other essentials such as certificates and signatures based on keys in the metadata of each entity (IdP and SP).

Normally you have to sign a SAML Request using your private key and the other entity (IdP for example) verifies that signature using your public key from your SAML metadata, <md:KeyDescriptor use="signing">/X509Data/X509Certificate above. An unsolicited SAML Response sent to an SP may not be relevant but it would need to be signed with the private key of the IdP and the SP would need to have the public key of the IdP to verify the signature.
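
The following is an added example, not part of the answer above and not code from onelogin or any SAML library. It reads the SP metadata quoted in the question (with its placeholder `certificate` value) and does what an IdP has to do before step 4 of the flow: check `validUntil`, pick the `AssertionConsumerService` for the HTTP-POST binding, note the signing certificate, flag the `AuthnRequestsSigned="false"` / `WantAssertionsSigned="false"` settings, and build the auto-submitting form that delivers a base64 `SAMLResponse` to that URL. Function names (`parse_sp_metadata`, `acs_endpoint`, `review_metadata`, `http_post_binding_form`) are my own; the SAML Response body passed in is a constructed stand-in, and signing it is out of scope here.

```python
"""Parse SP SAML 2.0 metadata and prepare the HTTP-POST binding delivery (added example)."""
import base64
import html
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # parses untrusted XML; for production prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# SP metadata as quoted in the question; "certificate" is the question's placeholder, not a real cert.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-14T14:43:29Z" cacheDuration="PT604800S" entityID="https://testentityid">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>certificate</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>certificate</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://logoutendpoint"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://consumeendpoint" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields an IdP needs from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    cert_path = "md:KeyDescriptor[@use='%s']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": [(e.get("Binding"), e.get("Location"), int(e.get("index", "0")))
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "slo": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:SingleLogoutService", NS)],
        "signing_certs": [c.text.strip() for c in sp.findall(cert_path % "signing", NS)],
        "encryption_certs": [c.text.strip() for c in sp.findall(cert_path % "encryption", NS)],
    }


def metadata_is_current(meta, now):
    """validUntil is a hard expiry: metadata past it must not be trusted."""
    expiry = datetime.strptime(meta["valid_until"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now < expiry


def acs_endpoint(meta, binding=HTTP_POST):
    """The URL the browser is sent to in step 4, chosen by binding and lowest index."""
    for b, loc, _ in sorted(meta["acs"], key=lambda t: t[2]):
        if b == binding:
            return loc
    raise LookupError("SP exposes no AssertionConsumerService for binding " + binding)


def review_metadata(meta):
    """Findings an IdP operator would want to see before trusting this SP."""
    findings = []
    if not meta["want_assertions_signed"]:
        findings.append("WantAssertionsSigned=false: SP does not demand signed assertions; sign them regardless")
    if not meta["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned=false: AuthnRequests from this SP carry no signature to verify")
    for _, loc, _ in meta["acs"]:
        if not loc.startswith("https://"):
            findings.append("ACS %s is not https; the SAML Response would travel in clear" % loc)
    if not meta["signing_certs"]:
        findings.append("no signing certificate: nothing the SP signs can be verified")
    return findings


def http_post_binding_form(acs_url, saml_response_xml, relay_state=None):
    """Step 4 with the HTTP-POST binding: an auto-submitting form carrying base64 SAMLResponse."""
    fields = [("SAMLResponse", base64.b64encode(saml_response_xml.encode()).decode())]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "\n".join('<input type="hidden" name="%s" value="%s"/>' % (n, html.escape(v, quote=True))
                       for n, v in fields)
    return ('<form method="post" action="%s">\n%s\n'
            '<noscript><button type="submit">Continue</button></noscript>\n</form>\n'
            '<script>document.forms[0].submit();</script>' % (html.escape(acs_url, quote=True), inputs))


if __name__ == "__main__":
    meta = parse_sp_metadata(SP_METADATA)
    print("ACS:", acs_endpoint(meta))
    print("metadata current:", metadata_is_current(meta, datetime.now(timezone.utc)))
    for finding in review_metadata(meta):
        print("finding:", finding)
    print(http_post_binding_form(acs_endpoint(meta), "<samlp:Response/>", "/app"))
```

Run as a script, it reports the ACS URL, that the sample metadata has expired (its `validUntil` is 2020-10-14), the two signing-policy findings, and the form an IdP would return to the browser. The form is what "navigating to the endpoint" amounts to under the POST binding: the browser, not a bare HTTP client, submits it, so a Postman request to the ACS URL only makes sense with a properly signed Response produced by the IdP.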

huangapple
  • Published on 2020-10-13 14:22:04
  • Please keep this link when reposting: https://go.coder-hub.com/64329657.html