Identity Server Saml2AuthExtensions Idp initiated SSO


Question

We currently have our identity server set up with the Sustainsys/Saml2 extensions to allow 3rd-party clients to log in to our product via SSO, where the request is initiated by the client hitting our login page to start the request.

We now have a customer who wants to put a link into their own software to start the process, creating an IdP-initiated request.

My question is how do I go about implementing this using identity server and the Saml2AuthExtensions? I've had a look and I can't see anything extra that might allow this through. Does it just work out of the box, or do I need to set up something else?

Cheers

Answer

The SAML2 standard supports "IdP initiated sign on", which can be enabled in the Sustainsys.Saml2 library with the AllowUnsolicitedAuthnResponse flag on the IdP. It is however a bad idea, because the IdP-initiated flow is by design vulnerable to session pinning attacks. I have seen people make IdentityServer work with IdP-initiated sign on, but it's awkward, because IdentityServer is not built to support it.

It's much better to use the OIDC way. Have the customer put a link directly to the client application (I assume that the end goal is a client to IdentityServer, using OIDC). Then create an endpoint on the client that initiates an OIDC sign-on to IdSrv, with an amr value indicating to IdSrv that Saml2 should be used for authentication. That can give a solution where the user clicks a link, goes to the client, is redirected to IdSrv, is redirected to the Saml2 IdP where they are automatically signed in (using e.g. Windows Auth or an existing session). Then they are automatically redirected back to IdSrv, which redirects back to the target application.

From the user's perspective they have a link that will automatically log them in to the application.
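The three pieces the answer describes, as an added example that is not code from the question, the answer, IdentityServer or Sustainsys.Saml2: the Sustainsys IdentityProvider registration on IdentityServer showing where AllowUnsolicitedAuthnResponse sits (left at false, so unsolicited IdP-initiated responses are rejected), the "magic link" endpoint on the OIDC client that starts a normal authorization request carrying a provider hint, and the IdentityServer login action that honours the hint by jumping straight to the external scheme. The answer calls the hint an amr value; IdentityServer4 reads it from the acr_values request parameter as idp:<scheme name>, and that is what the example sends. It assumes IdentityServer4 on ASP.NET Core with the Sustainsys.Saml2.AspNetCore2 handler registered under the scheme name "Saml2", the standard Microsoft OpenIdConnect handler on the client, and the quickstart's ExternalController.Challenge action on IdentityServer; the hostnames, entity IDs and the "idp" property key are placeholders.

```csharp
// Added example, not project code. Assumes IdentityServer4 + Sustainsys.Saml2.AspNetCore2
// on the identity server, and the Microsoft OpenIdConnect handler on the client.
// Hostnames, entity IDs and the "idp" item key are placeholders.
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Metadata;

// --- 1. IdentityServer: register the SAML2 IdP as an external login scheme -----
public static class Saml2Setup
{
    public static void AddExternalSaml2(this IServiceCollection services)
    {
        services.AddAuthentication()
            .AddSaml2("Saml2", options =>
            {
                // Sign in to IdentityServer's external cookie, like any external provider.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.SPOptions.EntityId = new EntityId("https://idsrv.example.com/Saml2");

                var idp = new IdentityProvider(
                    new EntityId("https://idp.example.com/saml/metadata"), options.SPOptions)
                {
                    MetadataLocation = "https://idp.example.com/saml/metadata",
                    LoadMetadata = true,
                    // The flag the answer refers to. false (the default) makes the handler
                    // reject responses that do not match an AuthnRequest it sent, which is
                    // what keeps the IdP-initiated flow and its risk out of this deployment.
                    AllowUnsolicitedAuthnResponse = false,
                };
                options.IdentityProviders.Add(idp);
            });
    }
}

// --- 2. Client app: the link endpoint the customer embeds in their software ----
public class SsoController : Controller
{
    // GET /sso/start?returnUrl=/dashboard
    [HttpGet("sso/start")]
    public IActionResult Start(string returnUrl = "/")
    {
        if (!Url.IsLocalUrl(returnUrl)) returnUrl = "/";   // refuse open redirects
        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        props.Items["idp"] = "Saml2";                       // read back in ConfigureIdpHint
        // A normal SP-initiated OIDC sign-on: state/nonce are generated by the handler.
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }
}

public static class OidcClientSetup
{
    // Call from AddOpenIdConnect(options => ConfigureIdpHint(options)) on the client.
    public static void ConfigureIdpHint(OpenIdConnectOptions options)
    {
        options.Events.OnRedirectToIdentityProvider = ctx =>
        {
            if (ctx.Properties.Items.TryGetValue("idp", out var idp))
            {
                // IdentityServer4's documented hint for selecting an external provider.
                ctx.ProtocolMessage.AcrValues = "idp:" + idp;
            }
            return Task.CompletedTask;
        };
    }
}

// --- 3. IdentityServer: honour the hint instead of rendering the login page ----
public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    public AccountController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        if (context?.IdP != null)
        {
            // Only scheme names IdentityServer already knows reach here; the quickstart's
            // ExternalController.Challenge action performs the actual Challenge().
            return RedirectToAction("Challenge", "External", new { scheme = context.IdP, returnUrl });
        }
        return View();   // ordinary local login page
    }
}
```

The user-visible result is the one the answer describes: the customer's link points at /sso/start on the client, which redirects to IdentityServer with acr_values=idp:Saml2, which redirects to the SAML IdP; if the user already has an IdP session they come straight back through IdentityServer to returnUrl. Because every hop is SP-initiated, the SAML response is matched against an AuthnRequest the handler issued, so AllowUnsolicitedAuthnResponse can stay false.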
