How to maintain state parameter in Identity Provider (IdP) initiated SAML SSO?


Question

I started with Service Provider based SSO for SAML. Since the user had to enter his email before proceeding with the login, a state variable was initiated and passed on to the SSO. It comes back through the callback URL and hence was checked again for sanity purposes. It protected against CSRF attacks.

Now IdP initiated SSO doesn't allow me to set a state variable at all. Login starts at the Identity Provider and only an auth token is provided to the app. I do not know which user is authenticating from the beginning. If I remove the state variable check, it could trigger a CSRF attack as well.

I am also using omniauth in rails, which makes the state variable a compulsory param, and the SSO provider is auth0.

What is the way to attach a state variable to IdP initiated SSO solutions?

Answer

The de-facto standard value of the RelayState parameter in IDP-init-SSO SAML flows is the URL that you want to send the user to after successful validation of the SAML assertion at the SP. That would work for the vast majority of SAML deployments out there.

However, that mechanism indeed does not protect against CSRF attacks; this is why the spec is silent on the value of RelayState in IDP-init-SSO and leaves it open to agree on mechanisms between IDP and SP to prevent CSRF through the value of that parameter. One such mechanism would be to use a signed value in the RelayState, but as said, nothing is standardized and it would thus depend on a bi-lateral agreement between IDP and SP, which does not scale.

In summary: send the value of the URL that you want the user to go to as the RelayState value in the "unsolicited" SAML Response that you send to the SP. How you get the IDP's SAML stack to do that is implementation specific. For Auth0 you can read on this at: https://auth0.com/docs/protocols/saml/saml-configuration#idp-initiated-sso, and in your case it would look like: https://{accountname}.auth0.com/samlp/YOUR_CLIENT_ID?RelayState=http://FINAL_DESTINATION_URL
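The two RelayState handling options the answer describes, the plain redirect URL and the signed value agreed bilaterally between IdP and SP, as an added example that is not part of the original answer and is not Auth0's, omniauth's or the asker's code. It assumes a shared HMAC secret agreed out of band between IdP and SP, a JSON payload of target URL, issue time and nonce, a fixed TTL, and an allowlist of SP hosts; all names, hosts and secret values are illustrative. Because the SP has no session to compare against in an IdP-initiated flow, the SP side also validates the destination URL itself so an unsigned RelayState cannot be turned into an open redirect.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'uri'
require 'securerandom'

# Secret agreed out of band between IdP and SP (constructed sample value; rotate in practice).
SHARED_SECRET = 'example-shared-secret-rotate-me'.freeze
# How long a signed RelayState stays valid (assumed value, seconds).
RELAY_STATE_TTL = 300
# Hosts the SP is willing to redirect to after login (constructed allowlist).
ALLOWED_HOSTS = ['app.example.com'].freeze

# Constant-time byte comparison so MAC checking does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Plain-URL RelayState (the de-facto standard): accept only SP-relative paths
# or https URLs to allowlisted hosts; everything else (including "//evil" and
# "javascript:" forms) is rejected and the SP falls back to its default page.
def safe_redirect_target(value)
  return nil if value.nil? || value.empty?
  uri = URI.parse(value)
  local_path = uri.scheme.nil? && uri.host.nil? && value.start_with?('/') && !value.start_with?('//')
  return value if local_path
  return value if uri.scheme == 'https' && ALLOWED_HOSTS.include?(uri.host)
  nil
rescue URI::InvalidURIError
  nil
end

# IdP side: build a RelayState that carries the destination plus an issue time
# and nonce, authenticated with an HMAC over the JSON payload.
# Format: base64url(payload) "." base64url(hmac_sha256(secret, payload))
def sign_relay_state(target_url, secret: SHARED_SECRET, now: Time.now.to_i, nonce: SecureRandom.hex(8))
  payload = { 'url' => target_url, 'iat' => now, 'nonce' => nonce }.to_json
  mac = OpenSSL::HMAC.digest('SHA256', secret, payload)
  Base64.urlsafe_encode64(payload) + '.' + Base64.urlsafe_encode64(mac)
end

# SP side: return the redirect target only if the MAC verifies, the value is
# not stale, and the destination passes the same allowlist as a plain URL.
# The nonce is available for single-use tracking; that store is left out here.
def verify_relay_state(relay_state, secret: SHARED_SECRET, now: Time.now.to_i, ttl: RELAY_STATE_TTL)
  encoded_payload, encoded_mac = relay_state.to_s.split('.', 2)
  return nil if encoded_payload.nil? || encoded_mac.nil?

  payload = Base64.urlsafe_decode64(encoded_payload)
  mac = Base64.urlsafe_decode64(encoded_mac)
  expected = OpenSSL::HMAC.digest('SHA256', secret, payload)
  return nil unless secure_equal?(mac, expected) # forged, altered, or signed with another key

  data = JSON.parse(payload)
  issued_at = Integer(data['iat'])
  return nil if now - issued_at > ttl || issued_at > now + 60 # expired or clock-skewed into the future

  safe_redirect_target(data['url'])
rescue ArgumentError, JSON::ParserError, TypeError
  nil
end

if __FILE__ == $PROGRAM_NAME
  rs = sign_relay_state('https://app.example.com/dashboard')
  puts "RelayState=#{rs}"
  puts "redirect to: #{verify_relay_state(rs).inspect}"
  puts "tampered:    #{verify_relay_state(sign_relay_state('https://evil.example/', secret: 'other')).inspect}"
end
```

With Auth0 as the IdP, the signed value would be passed where the answer shows the plain URL, i.e. as the RelayState query parameter of the samlp endpoint, URL-encoded; since base64url output contains no characters that need escaping apart from padding, the dot-separated token survives that round trip unchanged.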
