SAML authentication and custom redirect URL


Question

We're in the process of looking into implementing SAML-based SSO authentication in our applications and I'm wondering if it's possible to specify custom redirect URLs via SAML. In other words, can we have a single Service Provider configured in the Identity Provider and have the Service Provider, via the SAML request, specify where the Identity Provider should redirect the user to after logging in?

The reason why we're looking for something like this is because our applications run on different servers depending on which stage of development they are in (dev, test, staging, prod). It would be great if we didn't have to configure four separate Service Provider entries in the Identity Provider for every single application we'll be migrating over to SAML SSO.

Accepted answer

Each SP has its own Assertion Consumer Service endpoint where the SAMLResponse is validated.

One of the checks that the SP does is verify that the SAMLResponse was sent to the right ACS endpoint, so you can't process a SAMLResponse built for the prod server at the test server.

If you decide to process all the SAMLResponses in one unique SP endpoint and your idea is to use the "RelayState" parameter to indicate, from the SP to the IdP, where to redirect the user after processing the SAMLResponse at the ACS, you may set a global session readable by all the environments, because there is no secure/standard method to send the processed data from the ACS to the final endpoint.

If you are not able to set a global session readable by all environments then you must register all the SPs in the IdP.
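The two points in the answer, the ACS refusing a Response whose Destination is not its own URL and RelayState being honoured only as an allowlisted redirect target, as an added example that is not part of the original answer or of any SAML library; the hostnames, the per-environment configuration and the sample Response are constructed:

```python
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Hypothetical per-environment SP configuration: each environment has its own ACS URL,
# which is why a Response built for prod cannot be consumed by the test server.
ENVIRONMENTS = {
    "test": {"acs_url": "https://test.example.com/saml/acs",
             "redirect_hosts": {"test.example.com"}, "home_url": "https://test.example.com/"},
    "prod": {"acs_url": "https://prod.example.com/saml/acs",
             "redirect_hosts": {"prod.example.com"}, "home_url": "https://prod.example.com/"},
}

# Constructed sample: a minimal unsigned Response envelope, enough to show the Destination check.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://test.example.com/saml/acs"/>'
)


def destination_matches(response_xml: str, acs_url: str) -> bool:
    """The ACS must refuse a Response whose Destination is not its own URL (exact match)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False
    return root.get("Destination") == acs_url


def relay_state_target(relay_state: str, redirect_hosts: set) -> Optional[str]:
    """RelayState is untrusted input: honour it only as an https URL on this environment's
    own allowlist, so the ACS cannot be turned into an open redirector."""
    if not relay_state or len(relay_state.encode()) > 80:  # bindings spec caps RelayState at 80 bytes
        return None
    parts = urlparse(relay_state)
    if parts.scheme != "https" or parts.username is not None or parts.hostname not in redirect_hosts:
        return None
    return relay_state


def consume_response(env: str, response_xml: str, relay_state: str) -> Optional[str]:
    """Return the post-login redirect URL, or None if the Response must be rejected.
    Signature, Issuer, Conditions and InResponseTo checks are still required on top of this."""
    cfg = ENVIRONMENTS[env]
    if not destination_matches(response_xml, cfg["acs_url"]):
        return None
    # An absent or rejected RelayState falls back to the environment's own landing page.
    return relay_state_target(relay_state, cfg["redirect_hosts"]) or cfg["home_url"]
```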

