SP can be accessed by a number of URLs, how to have all the URLs work with an IDP


Problem description

I am using Spring Security SAML to have my application act as an SP. I was able to have the end-to-end solution done. However, I am facing a problem when the user wants to access the application using more than one URL. I have configured my SP metadata with the Assertion Consumer Service URL to be mywebsite:8080/myapp/saml/SSO.

The user can also access the application through the full domain name mywebsite.fulldomainname:8080/myapp/

If the user accesses the second URL, the SP application will redirect to the IDP, which will return to the first URL, which will fail giving this message: InResponseToField of the Response doesn't correspond to sent message

Even if I use the EmptyStorageFactory, it still fails in AbstractProfileBase.verifyEndpoint

How can I solve this?

Recommended answer

Part of SAML's security model is verification of the intended endpoint - where the IDP wants to deliver a SAML message - and the endpoint where the SP actually received the message - the two need to match. Therefore your SP metadata needs to include correct information about the URL where it expects SAML messages to be delivered. You will encounter errors in verifyEndpoint in case the SP metadata has a different URL than where your IDP delivers the message.

Spring SAML allows you to define multiple different metadata (with different URLs) for the same deployment. So you can solve your problem by generating one metadata for mywebsite:8080/myapp, the other for mywebsite.fulldomainname:8080/myapp/ and importing both into your configuration. Each of those will have to have a different entityId and will also need to be separately imported into your IDP.

You can refer to the Spring SAML manual, chapter 7.2 - Pre-configured metadata.
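One way to wire up the two pre-configured SP metadata sets the answer describes, as an added example that is not part of the original post or of the Spring SAML project itself: a fragment of a Spring SAML XML security context in which the `CachingMetadataManager` loads two local SP entities (one per hostname, each with its own entityId) plus the IDP metadata. The file names under `/metadata/`, the entityIds, the aliases, the key alias `spkey` and the `parserPool` bean reference are assumptions for this illustration.

```xml
<!-- Added illustration: two local SP entities for one deployment, each with its own
     entityId, plus the IDP. File names, entityIds, aliases and key alias are assumed. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>

            <!-- Local SP entity #1: metadata pre-generated with entityBaseURL
                 http://mywebsite:8080/myapp, so its ACS is http://mywebsite:8080/myapp/saml/SSO.
                 This one is the default (see hostedSPName below). -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg><bean class="java.util.Timer"/></constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/sp_mywebsite.xml"/> <!-- assumed file -->
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>
                        <property name="signingKey" value="spkey"/>    <!-- assumed key alias -->
                        <property name="encryptionKey" value="spkey"/>
                    </bean>
                </constructor-arg>
            </bean>

            <!-- Local SP entity #2: metadata pre-generated with entityBaseURL
                 http://mywebsite.fulldomainname:8080/myapp and alias "full". Spring SAML
                 selects a non-default local entity from the /alias/<alias> path segment, so the
                 ACS in this file is .../myapp/saml/SSO/alias/full; that is the URL the IDP must
                 post to for this entityId, and it must match what verifyEndpoint sees. -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg><bean class="java.util.Timer"/></constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/sp_fulldomain.xml"/> <!-- assumed file -->
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>
                        <property name="alias" value="full"/>          <!-- assumed alias -->
                        <property name="signingKey" value="spkey"/>
                        <property name="encryptionKey" value="spkey"/>
                    </bean>
                </constructor-arg>
            </bean>

            <!-- IDP metadata, loaded from a file exported from the IDP (assumed file name).
                 Both SP entityIds above must be registered at this IDP. -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg><bean class="java.util.Timer"/></constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/idp.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
            </bean>

        </list>
    </constructor-arg>
    <!-- entityId of the local entity that answers on the plain /saml/SSO URL (no alias).
         Assumed value; it must equal the entityID attribute inside sp_mywebsite.xml. -->
    <property name="hostedSPName" value="urn:mywebsite:myapp"/>
</bean>
```

A quick check after deploying: fetch `/myapp/saml/metadata` on each hostname and confirm the `AssertionConsumerService Location` in each file is the URL the browser actually uses to reach that host, because that Location is exactly what `verifyEndpoint` compares against the request URL. Keeping that comparison strict (rather than swapping in a permissive storage factory to silence the InResponseTo error) is what prevents a Response issued for one endpoint from being accepted at another.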

