Logging into SAML/Shibboleth authenticated server using python

Question

I'm trying to login my university's server via python, but I'm entirely unsure of how to go about generating the appropriate HTTP POSTs, creating the keys and certificates, and other parts of the process I may be unfamiliar with that are required to comply with the SAML spec. I can login with my browser just fine, but I'd like to be able to login and access other contents within the server using python.

For reference, here is the website.

I've tried logging in by using mechanize (selecting the form, populating the fields, clicking the submit button control via mechanize.Browser.submit(), etc.) to no avail; the login site gets spat back each time.

At this point, I'm open to implementing a solution in whichever language is most suitable to the task. Basically, I want to programmatically log in to a SAML authenticated server.

Answer

Basically what you have to understand is the workflow behind a SAML authentication process. Unfortunately, there is no PDF out there which seems to really provide good help in finding out what kind of things the browser does when accessing a SAML-protected website.

Maybe you should take a look at something like this: http://www.docstoc.com/docs/33849977/Workflow-to-Use-Shibboleth-Authentication-to-Sign and obviously at this: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language. In particular, focus your attention on this scheme:

What I did when I was trying to understand the SAML way of working, since the documentation was so poor, was to write down (yes! write, on paper) all the steps the browser was doing from the first to the last. I used Opera, set so as not to allow automatic redirects (300, 301, 302 response codes, and so on), and also with JavaScript disabled. Then I wrote down all the cookies the server was sending me, what was doing what, and for what reason.

Maybe it was way too much effort, but in this way I was able to write a library, in Java, which is suited for the job, and incredibly fast and efficient too. Maybe someday I will release it publicly...

What you should understand is that, in a SAML login, there are two actors playing: the IDP (identity provider), and the SP (service provider).

I'm quite sure that you reached the link you reference in your question from another page, by clicking on something like "Access to the protected website". If you pay some more attention, you'll notice that the link you followed is not the one on which the authentication form is displayed. That's because the clicking of the link from the IDP to the SP is a step for SAML. The first step, actually. It allows the IDP to define who you are, and why you are trying to access its resource. So, basically, what you'll need to do is make a request to the link you followed in order to reach the web form, and get the cookies it'll set. What you won't see is a SAMLRequest string, encoded into the 302 redirect you will find behind the link, sent to the IDP making the connection.

I think that it's the reason why you can't mechanize the whole process. You simply connected to the form, with no identity identification done!

This one is easy. Please be careful! The cookies that are now set are not the same as the cookies above. You're now connecting to an utterly different website. That's the reason why SAML is used: different website, same credentials. So you may want to store these authentication cookies, provided by a successful login, in a different variable. The IDP is now going to send you back a response (after the SAMLRequest): the SAMLResponse. You have to detect it by getting the source code of the webpage on which the login ends. In fact, this page is a big form containing the response, with some JS code which automatically submits it when the page loads. You have to get the source code of the page, parse it to get rid of all the useless HTML stuff, and get the SAMLResponse (encrypted).

Now you're ready to end the procedure. You have to send (via POST, since you're emulating a form) the SAMLResponse obtained in the previous step to the SP. In this way, it will provide the cookies needed to access the protected stuff you want to access.

Aaaaand, you're done!

Again, I think that the most precious thing you'll have to do is use Opera and analyze ALL the redirects SAML does. Then, replicate them in your code. It's not that difficult, just keep in mind that the IDP is utterly different from the SP.
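The five steps in the answer above, as an added example that is not part of the original question or answer. It replays the SP-initiated SAML 2.0 Web Browser SSO flow with nothing but the Python standard library: start at the protected page on the SP (not at the IdP's login form, which is why the mechanize attempt in the question failed), let the SP send you to the IdP with a SAMLRequest, submit the IdP's login form with all of its hidden fields intact, pull the SAMLResponse out of the IdP's auto-submitting form, and POST it to the SP's assertion consumer service so the SP issues its own session cookie. The hosts sp.example.edu and idp.example.edu, the Shibboleth.sso/SAML2/POST path, the j_username/j_password field names (the Shibboleth IdP defaults) and the sample IdP page at the bottom are all assumptions constructed for the example; check the real names in your browser's network panel.

```python
"""SP-initiated SAML 2.0 Web Browser SSO, replayed with the Python standard library.
Flow: GET protected page at SP -> hop to IdP with SAMLRequest -> IdP login form
-> IdP page that auto-submits SAMLResponse to the SP's ACS -> SP session -> page.
Hosts, paths and the j_username/j_password field names are assumptions."""
import base64
import urllib.parse
import urllib.request
import zlib
from html.parser import HTMLParser
from http.cookiejar import CookieJar

class FormParser(HTMLParser):
    """Collect every <form> with its action and named input/button fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": {}}
            self.forms.append(self._form)
        elif tag in ("input", "button") and self._form is not None and a.get("name"):
            self._form["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def find_form(page, base_url, *required):
    """First form carrying every `required` field -> (absolute action URL, fields) or None."""
    p = FormParser()
    p.feed(page)
    for f in p.forms:
        if all(name in f["fields"] for name in required):
            return urllib.parse.urljoin(base_url, f["action"]), dict(f["fields"])
    return None

def decode_post_binding(value):
    """HTTP-POST binding: the SAML message is plain base64 inside a form field."""
    return base64.b64decode(value).decode()

def encode_redirect_binding(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; then URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def saml_request_from_redirect(location):
    """Decode the SAMLRequest the SP hid in its 302 Location URL (parse_qs URL-decodes it)."""
    value = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), -15).decode()

def post_form(opener, action, fields):
    with opener.open(action, data=urllib.parse.urlencode(fields).encode()) as r:
        return r.geturl(), r.read().decode(errors="replace")

def login_via_saml(protected_url, username, password,
                   user_field="j_username", pass_field="j_password"):
    """Replay the browser's SAML flow and return the body of the protected page."""
    jar = CookieJar()  # IdP and SP cookies live side by side: they are two different sessions
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    # Step 1: start at the SP, never at the IdP's login form. The SP answers with a 302 to
    # the IdP (followed for us) or, for the HTTP-POST binding, a form to auto-submit to it.
    with opener.open(protected_url) as r:
        url, page = r.geturl(), r.read().decode(errors="replace")
    hop = find_form(page, url, "SAMLRequest")
    if hop:
        url, page = post_form(opener, *hop)
    # Step 2: the IdP login form. Keep its hidden fields (flow state, CSRF token) intact.
    login = find_form(page, url, pass_field)
    if login is None:
        raise RuntimeError("no login form with %r at %s" % (pass_field, url))
    action, fields = login
    fields.update({user_field: username, pass_field: password})
    url, page = post_form(opener, action, fields)
    # Step 3: the IdP's reply is the form that JavaScript would auto-submit to the SP's ACS.
    acs = find_form(page, url, "SAMLResponse")
    if acs is None:
        raise RuntimeError("no SAMLResponse after login: credentials rejected?")
    # Step 4: POST SAMLResponse (+ RelayState) to the SP, which now sets its own session cookie.
    post_form(opener, *acs)
    # Step 5: the protected resource is served on that SP session.
    with opener.open(protected_url) as r:
        return r.read().decode(errors="replace")

# Constructed sample of the IdP's auto-submit page, so the parsing can be exercised offline.
SAMPLE_RESPONSE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                       'ID="_constructed" Destination="https://sp.example.edu/Shibboleth.sso/SAML2/POST"/>')
SAMPLE_IDP_PAGE = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="post" action="https://sp.example.edu/Shibboleth.sso/SAML2/POST">'
    '<input type="hidden" name="RelayState" value="ss:mem:abc123"/>'
    '<input type="hidden" name="SAMLResponse" value="%s"/>'
    '<noscript><input type="submit" value="Continue"/></noscript></form></body></html>'
    % base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode())
```

Usage is `login_via_saml("https://sp.example.edu/protected/", user, password)`, with the password read from the environment or a keyring rather than hard-coded. Two points worth keeping in mind: the SAMLResponse is base64-encoded XML signed by the IdP (the assertion inside may additionally be encrypted for the SP), so the client cannot alter it and must forward it together with RelayState exactly as received; and every hop here must stay on https, which urllib verifies by default, because the credentials and the signed assertion both travel in the clear inside TLS. If your IdP's login form uses a `<button>` rather than an `<input>` for its submit control, FormParser already records it, since Shibboleth's `_eventId_proceed` must be present in the POST for the flow to proceed.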
