SAML 2.0 是否允许向 IdP 发送 SP 数据? [英] Does SAML 2.0 allow to send SP data to IdP?
问题描述
我正在阅读 SAML 规范并尝试使用 Keycloak 和 Shibboleth IdP,但我不确定如何在 SP 启动的登录中实现一项功能.
I'm reading the SAML specification and experimenting with Keycloak and Shibboleth IdPs and I'm not sure how to implement one feature in an SP-initiated login.
我有一项服务,过去通常在其登录页面上显示 SP 状态信息(例如应用程序版本、状态).切换到使用 IdP 登录页面后,我想继续在 IdP 的登录页面上显示此类每个 SP 的附加信息.我对数据交换感兴趣,而不是对登录页面本身进行模板化.
I have a service that traditionally used to have an SP status information displayed on its login page (e.g. application version, status). After switching to using an IdP login page I'd like to keep displaying such per-SP additional information on the login page of the IdP. I'm interested in the data exchange, not in templating the login page itself.
SAML 2.0 规范是否允许出于登录目的向 IdP 发送任意数据?如果没有,还有哪些其他选项可用于使用 SP 生成的数据来装饰 IdP 登录页面?
Does SAML 2.0 specification allow for sending arbitrary data to the IdP for the purpose of logging in? If not, what are other options that can be used to decorate IdP login page using SP-generated data?
推荐答案
排序.从 SP 到 IdP 的身份验证请求允许具有自定义"扩展(扩展父元素),扩展的内容由您决定.来自规范:
Sort of. The authentication request from SP to IdP is allowed to have "custom" extensions (the Extensions parent element), the content of the extensions is up to you. From the spec:
[可选] 此扩展点包含可选协议消息扩展元素之间达成一致通信方.无需扩展架构即可利用这个扩展点,即使提供了一个,松懈的验证设置不要求扩展到有效.SAML 扩展元素必须是命名空间限定的非 SAML 定义的命名空间.
[Optional] This extension point contains optional protocol message extension elements that are agreed on between the communicating parties. No extension schema is required in order to make use of this extension point, and even if one is provided, the lax validation setting does not impose a requirement for the extension to be valid. SAML extension elements MUST be namespace-qualified in a non-SAML-defined namespace.
如果您正在编写自己的 IdP,您当然可以使用扩展程序并使用它做任何您想做的事情.标准"(商业/OSS)IdP 不知道如何处理您的扩展.看看 Shibboleth 或 Keycloak 库是否解析 Extensions 元素并为您提供内容,这将是一个有趣的测试.
If you're writing your own IdP, you could certainly make use of Extensions and do whatever you wish with it. "Standard" (commercial/OSS) IdPs won't know what to do with your extension. It'd be an interesting test to see if Shibboleth or Keycloak libraries parse the Extensions element and give you the contents.
另一种更标准的可能性是使用 RelayState.这是一种符合规范的方式,可以传递一些特定于提供者的状态信息,包括.从 SP 到 IdP:
The other, more standard possibility is using RelayState. This is a spec-compliant way of passing some provider-specific state information around, incl. from SP to IdP:
3.1.1 RelayState 的使用 一些绑定定义了一个RelayState"机制来保存和传送状态信息.当这种机制用于传送请求消息作为 SAML 的初始步骤协议,它对选择和使用绑定随后用于传达响应.也就是说,如果一个 SAML请求消息伴随着 RelayState 数据,然后是 SAML响应者必须使用绑定返回其 SAML 协议响应还支持 RelayState 机制,它必须放置准确的它收到的 RelayState 数据随请求放入相应的响应中的 RelayState 参数.
3.1.1 Use of RelayState Some bindings define a "RelayState" mechanism for preserving and conveying state information. When such a mechanism is used in conveying a request message as the initial step of a SAML protocol, it places requirements on the selection and use of the binding subsequently used to convey the response. Namely, if a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact RelayState data it received with the request into the corresponding RelayState parameter in the response.
同样,所有 IdP 或下堆栈库都将解析 RelayState,但他们如何从那里处理它取决于他们对规范的阅读.一方面,规范要求 RelayState 为 80 字节,并通过签名或其他方式"进行完整性保护.IdP 和 SP 通常会忽略此限制.
Again, all IdPs or downstack libraries will parse RelayState but how they handle it from there depends on their reading of the spec. For one, the spec requires RelayState to be 80 bytes and integrity protection via a signature or "other means". This limitation is often ignored by IdPs and SPs.
您想在 IdP 登录页面上显示哪些特定于 SP 的信息?
What SP-specific information are you trying to display on IdP login page?
这篇关于SAML 2.0 是否允许向 IdP 发送 SP 数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
