SAML 2.0 - Multiple AssertionConsumerService in SP


Question






I implement a SAML 2.0 SP.
I have a login servlet with endpoint https://my.domain.com/mng/samlLogin, so in the SP metadata file I define:

<md:AssertionConsumerService     
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  
    Location="https://my.domain.com/mng/samlLogin" index="0" isDefault="true"/>

And send this endpoint in the AuthnRequest under the AssertionConsumerServiceURL.

Now, I have another servlet with a different functionality, and it needs to validate the user against SAML as part of its flow.
So I need to define the new servlet's URL as an additional endpoint, let's say https://my.domain.com/mng/myServletSamlLogin , which will get SAML authentication response.

Is this possible? Can I define multiple AssertionConsumerService elements for the same binding (HTTP-POST)?

Thanks!

Recommended answer

Yes, you can include additional <md:AssertionConsumerService> elements in the SAML 2.0 SP metadata with the same binding, each with its own unique index. Alternatively you can choose to sign the authentication requests as the SP in which case you can freely specify an AssertionConsumerServiceURL without the requirement that it was published and configured earlier as part of the SP metadata exchange.

This is all spec compliant but be aware (as always with "advanced" SAML options) that your mileage may vary wrt. support across different SAML implementations.
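
The two options from the answer, seen from the side that has to check the endpoint: an added example (not part of the original post or of any SAML library) that loads SP metadata listing both servlet URLs under HTTP-POST and decides which AssertionConsumerServiceURL an AuthnRequest may name. The entityID, the function names and the `request_signed` flag are assumptions of this example; signature verification itself is not shown.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: the question's two URLs, same binding, unique index.
# The entityID is a made-up value for this example.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://my.domain.com/mng/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST}"
        Location="https://my.domain.com/mng/samlLogin" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="{POST}"
        Location="https://my.domain.com/mng/myServletSamlLogin" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_acs(metadata_xml):
    """Map index -> endpoint for every registered ACS; reject a reused index."""
    endpoints = {}
    for el in ET.fromstring(metadata_xml).iter(f"{{{MD}}}AssertionConsumerService"):
        idx = int(el.get("index"))
        if idx in endpoints:
            raise ValueError(f"duplicate ACS index {idx}")
        endpoints[idx] = {"binding": el.get("Binding"), "location": el.get("Location"),
                          "default": el.get("isDefault") in ("true", "1")}
    return endpoints


def resolve_acs(endpoints, index=None, url=None, request_signed=False):
    """Choose the URL a Response may be posted to for one AuthnRequest."""
    # Assumption: request_signed means the caller already verified the
    # request signature against the SP's key.
    if index is not None and url is not None:
        raise ValueError("ACS index and ACS URL are mutually exclusive")
    if index is not None:
        if index not in endpoints:
            raise ValueError(f"unknown ACS index {index}")
        return endpoints[index]["location"]
    if url is not None:
        # Exact string match only: no prefix or wildcard matching.
        if request_signed or url in {e["location"] for e in endpoints.values()}:
            return url
        raise ValueError("unsigned request names an unregistered ACS URL")
    # Nothing requested: use isDefault, else the lowest index (simplified rule).
    defaults = [i for i, e in endpoints.items() if e["default"]]
    return endpoints[defaults[0] if defaults else min(endpoints)]["location"]
```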
