Is it valid to have more than 1 <saml:assertions> in a SAML Token response


Problem description

I am trying to provide compatibility between an existing SAML token system with JWT token schema. The current system generates SAML tokens with a structure as follows:

Is it even valid to have more than one <saml:assertions> in a SAML token and if yes what would be the JWT representation for the below

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="aed9fa15c020fde" InResponseTo="acd3a67cb14a1d94" IssueInstant="2015-02-18T18:58:14.262Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">......</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="5d41027a4e2c2855" IssueInstant="2015-02-18T18:58:14.262Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">......</saml:Issuer>
    <saml:Subject>
      <saml:NameID NameQualifier="USER" SPProvidedID="1047259662">ab_idl1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-02-18T18:48:14.262Z" NotOnOrAfter="2015-06-20T18:58:14.262Z"/>
  </saml:Assertion>
  <saml:Assertion ID="5ea9fbba7ab940c0" IssueInstant="2015-02-18T18:58:14.262Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>APPID-b1713f46d4e1</saml:Issuer>
    <saml:Subject>
      <saml:NameID NameQualifier="USER" SPProvidedID="1047259662">user_name_app_name</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-02-18T18:48:14.262Z" NotOnOrAfter="2015-06-20T18:58:14.262Z"/>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="user_id1" Name="user_id">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user_name_app_name</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Recommended answer

The SAML specification allows for including multiple assertions in a single response but there are not a lot of SAML implementations out there that would be able to produce such a SAML message or consume it.

A comparable JWT representation would probably consist of two claims ("5d41027a4e2c2855" and "5ea9fbba7ab940c0") with their values set to a nested JWT object that includes the attributes name/value pairs. There's no formal mapping between a SAML assertion and a JWT.
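
The mapping the answer sketches, as an added example that is not part of the original question or answer: each top-level assertion becomes one claim keyed by its ID, with a nested claims object as the value. Assumptions: the response signature has already been verified elsewhere, the issuer `idp.example` is a constructed placeholder for the value elided in the question, and the nested value is a plain claims object rather than a signed JWT.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: trimmed copy of the question's response (two assertions).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="aed9fa15c020fde" Version="2.0">
  <saml:Assertion ID="5d41027a4e2c2855" Version="2.0">
    <saml:Issuer>idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>ab_idl1</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-02-18T18:48:14.262Z" NotOnOrAfter="2015-06-20T18:58:14.262Z"/>
  </saml:Assertion>
  <saml:Assertion ID="5ea9fbba7ab940c0" Version="2.0">
    <saml:Issuer>APPID-b1713f46d4e1</saml:Issuer>
    <saml:Subject><saml:NameID>user_name_app_name</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-02-18T18:48:14.262Z" NotOnOrAfter="2015-06-20T18:58:14.262Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="user_id"><saml:AttributeValue>user_name_app_name</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _epoch(ts):
    # SAML instants are UTC xs:dateTime; JWT nbf/exp are integer seconds.
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def response_to_claims(xml_text):
    """Return one claim per assertion ID; each value is a nested claims object."""
    # Assumes the signature was verified beforehand; parsing alone proves nothing.
    root = ET.fromstring(xml_text)
    claims = {}
    # Direct children of Response only, so every assertion is enumerated explicitly.
    for a in root.findall("saml:Assertion", NS):
        aid = a.get("ID")
        if not aid or aid in claims:
            raise ValueError("missing or duplicate Assertion ID")
        cond = a.find("saml:Conditions", NS)
        inner = {"iss": a.findtext("saml:Issuer", namespaces=NS),
                 "sub": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
                 "nbf": _epoch(cond.get("NotBefore")),
                 "exp": _epoch(cond.get("NotOnOrAfter"))}
        for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
            inner[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims[aid] = inner
    return claims
```

A consumer written this way fails closed on a repeated assertion ID instead of silently keeping only the first or last assertion it sees.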
