How to maintain state parameter in Identity Provider (IdP) initiated SAML sso?


Problem description


I started with Service Provider based SSO for SAML. Since the user had to enter his email before proceeding with the login, a state variable was initiated and passed on to the SSO. It comes back through the callback URL and hence was checked again for sanity purposes. It protected against CSRF attacks.


Now IdP initiated SSO doesn't allow me to set state variable at all. Login starts at Identity Provider and only an auth token is provided to the app. I do not know which user is authenticating from the beginning. If I remove the state variable check, it could trigger a CSRF attack as well.


I am also using omniauth in Rails, which makes the state variable a compulsory param, and the SSO provider is Auth0.


What is the way to attach state variable to IdP initiated SSO solutions?

Recommended answer


The de-facto standard value of the RelayState parameter in IDP-init-SSO SAML flows is the URL that you want to send the user to after successful validation of the SAML assertion at the SP. That would work for the vast majority of SAML deployments out there.


However, that mechanism indeed does not protect against CSRF attacks; this is why the spec is silent on the value of RelayState in IDP-init-SSO and leaves it open to agree on mechanisms between IDP and SP to prevent CSRF through the value of that parameter. One such mechanism would be to use a signed value in the RelayState, but as said, nothing is standardized and it would thus depend on a bilateral agreement between IDP and SP, which does not scale.


In summary: send the value of the URL that you want the user to go to as the RelayState value in the "unsolicited" SAML Response that you send to the SP. How you get the IDP's SAML stack to do that is implementation specific. For Auth0 you can read on this at: https://auth0.com/docs/protocols/saml/saml-configuration#idp-initiated-sso, and in your case it would look like: https://{accountname}.auth0.com/samlp/YOUR_CLIENT_ID?RelayState=http://FINAL_DESTINATION_URL
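The answer describes two ways the SP can treat RelayState in an IdP-initiated flow: the de-facto plain destination URL, and the bilaterally agreed signed value. The Ruby module below is an added example, not code from the question, the answer, omniauth or Auth0; `RelayStateGuard`, `ALLOWED_HOSTS`, the shared secret and the `dest`/`exp` payload layout are all constructed for illustration. It goes slightly beyond the answer in one respect: even a plain-URL RelayState is checked against an allowlist before the SP redirects, so a crafted value cannot turn the SP into an open redirector.

```ruby
require "openssl"
require "base64"
require "json"
require "uri"

# Hypothetical SP-side helper for RelayState in IdP-initiated SAML
# (constructed for this example; not from the question, omniauth or Auth0).
module RelayStateGuard
  # Constructed allowlist of hosts the SP is willing to redirect to.
  ALLOWED_HOSTS = ["app.example.com"].freeze

  # Plain-URL RelayState (the de-facto standard the answer describes): accept
  # only a site-relative path or an https URL on an allowed host.
  def self.safe_destination?(url)
    return false if url.nil? || url.empty?
    return true if url.start_with?("/") && !url.start_with?("//")
    uri = URI.parse(url)
    uri.is_a?(URI::HTTPS) && ALLOWED_HOSTS.include?(uri.host)
  rescue URI::InvalidURIError
    false
  end

  # Signed RelayState for the bilateral-agreement case: IdP and SP share
  # `secret`; the value is base64url(JSON{dest, exp}) + "." + HMAC-SHA256 tag.
  # The expiry bounds how long a captured value stays usable.
  def self.sign(destination, secret, expires_at:)
    payload = Base64.urlsafe_encode64(
      JSON.generate("dest" => destination, "exp" => expires_at), padding: false
    )
    "#{payload}.#{OpenSSL::HMAC.hexdigest("SHA256", secret, payload)}"
  end

  # Returns the destination when the tag verifies, the value is unexpired and
  # the destination passes the allowlist; nil otherwise.
  def self.verify(relay_state, secret, now:)
    payload, tag = relay_state.to_s.split(".", 2)
    return nil if payload.nil? || tag.nil?
    expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
    return nil unless secure_equal?(tag, expected)
    data = JSON.parse(Base64.urlsafe_decode64(payload))
    return nil if data["exp"].to_i < now
    dest = data["dest"]
    safe_destination?(dest) ? dest : nil
  rescue ArgumentError, JSON::ParserError, TypeError, NoMethodError
    nil
  end

  # Constant-time comparison so tag checking does not leak through timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  secret = "constructed-shared-secret"
  rs = RelayStateGuard.sign("/dashboard", secret, expires_at: Time.now.to_i + 300)
  puts rs
  puts RelayStateGuard.verify(rs, secret, now: Time.now.to_i).inspect
end
```

In an omniauth callback the SP would call `verify` (or `safe_destination?` for the plain-URL form) on `params["RelayState"]` and fall back to a default landing page on `nil`; the signed form only helps if the IdP actually emits it, which is the bilateral agreement the answer refers to.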
