SAML 2.0 password authentication


Problem description


I'm aware of how SAML is used for single sign on (SSO). That is, redirection to IDP from SP and getting the user's identity from the SAML response/assertion.


My question is - Does SAML 2.0 specification define how to pass username and password as part of a SAML request xml for authentication? Note that I'm not talking about single sign on and just want authentication of username/password.

Thanks

Recommended answer


The SAML standard supports passing a user identifier in the <saml:Subject> field of the <AuthnRequest> (i.e. the request for authentication).


There is however no built-in support for passing a password as part of the AuthnRequest. IMHO doing so goes against the principles of SAML2 as that expects the IdP to only use a password when authenticating. Normally the IdP may use any means it finds suitable to confirm the identity of the subject. That could be a password, but also a certificate or a one-time pad exchange over SMS. Or something else - it's up to the IdP.


That said, there is an <Extensions> element in the <AuthnRequest> that could be used to carry a password. Doing so would require careful security considerations as the AuthnRequest contents are not designed to be kept secret. If using the HTTP Redirect binding the contents are logged in a web server and visible in browser history. If using the HTTP POST binding the password is still visible to the browser. I would suggest using the SOAP or Artifact binding to make sure the data is transferred directly from the SP to the IdP. Note however that those bindings have considerably less support in frameworks.
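To make the Redirect-binding point concrete, here is an added example (not from the answer above or from any SAML library; the `x:Credential` element, the `urn:example:hypothetical` namespace and the sample request are all constructed). It applies the binding's DEFLATE/base64/URL encoding to an AuthnRequest that misuses `<Extensions>` for a password, then decodes it again with no key and lists what `<Extensions>` exposes, which is the audit an SP or IdP operator can run over logged `SAMLRequest` values.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AuthnRequest whose <Extensions> smuggles a password in a
# hypothetical vendor element. The NameID in <Subject> is the identifier the
# standard does support; the password in <Extensions> is the misuse to detect.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '<samlp:Extensions><x:Credential xmlns:x="urn:example:hypothetical">'
    'hunter2</x:Credential></samlp:Extensions>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</samlp:AuthnRequest>'
)

def encode_redirect_binding(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode.
    The result is the query string that ends up in server logs and browser history."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect_binding(query: str) -> str:
    """Reverse the encoding; anyone holding the URL can do this, no key needed."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def extensions_leaves(xml_text: str) -> list:
    """Return (tag, text) for every leaf element under <samlp:Extensions>.
    An empty list means the request carries nothing in Extensions."""
    root = ET.fromstring(xml_text)
    ext = root.find("samlp:Extensions", NS)
    if ext is None:
        return []
    return [(el.tag, el.text) for el in ext.iter()
            if el is not ext and len(el) == 0 and el.text]

def audit_redirect_request(query: str) -> list:
    """Audit helper: decode a logged SAMLRequest and list what <Extensions> exposes."""
    return extensions_leaves(decode_redirect_binding(query))
```

Run `audit_redirect_request` over the `SAMLRequest` values in an access log to find requests that carry more than an identifier; a non-empty result on a production log is the signal that a deployment is using Extensions the way the answer warns against.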

