SAML 工件的目的是什么? [英] What is the purpose of a SAML Artifact?

问题描述

我看过一堆关于如何通过重定向在身份提供者 (IdP)、服务提供者 (SP) 和浏览器之间传递的流程图.但是现在对我来说似乎没有必要，所以我知道我错过了一些东西.

有人可以向我提供一个需要(或非常有用)与不使用 SAML Artifact 相比的用例吗?

I've seen a bunch of flow chart on how it is passed around between Identity Provider (IdP), Service Provider (SP), and Browser via Redirects. However it seems unnecessary to me right now, so i know i'm missing something.

Can someone provide me a use case where a SAML Artifact is required (or very useful) compared to not using one?

谢谢.

推荐答案

通常，工件绑定的目的是减少通过浏览器本身的 SAML 消息流.这可能是由于浏览器限制(对查询字符串/POST 有效负载大小有限制的浏览器)或不支持 JavaScript(对于自动提交的表单)，甚至是为了改进 SAML 消息传输方式的安全模型.通过使用工件，通过 SAML 断言/属性声明携带的敏感数据不会通过浏览器，因此可以对最终用户或站点与最终用户之间的攻击者隐藏.这些机密数据只能通过反向渠道查找在站点之间直接解析.

Typically, the intent of the artifact binding is to reduce the flow of SAML messages through the browser itself. This could be due to browser restrictions (browsers that have limits on query string / POST payload size) or no support for JavaScript (for auto-submitted forms), or even to improve the security model of how the SAML messages are transported. By using artifacts, sensitive data carried through the SAML Assertion / Attribute Statement is not passed through the browser, so it can be hidden from the end user or attackers between your site and the end user. This confidential data would only be directly resolved between sites through a back channel lookup.

SAML 2.0 绑定规范的第 3.6.2 节 总结得最好:

HTTP Artifact 绑定适用于 SAML请求者和响应者需要使用 HTTP 用户代理进行通信作为中间人，但中间人的限制排除或阻止整个消息的传输(或消息交换)通过这.这可能是出于技术原因或由于不愿将消息内容暴露给中介(如果使用加密是不切实际的).请注意，因为需要随后使用另一个同步解决工件绑定，如 SOAP，之间必须存在直接通信路径SAML 消息发送方和接收方的反向工件的传输(消息和工件的接收者必须能够向工件发送请求发行人).工件发行者还必须保持状态，而工件未决，这对负载平衡有影响环境.

The HTTP Artifact binding is intended for cases in which the SAML requester and responder need to communicate using an HTTP user agent as an intermediary, but the intermediary's limitations preclude or discourage the transmission of an entire message (or message exchange) through it. This may be for technical reasons or because of a reluctance to expose the message content to the intermediary (and if the use of encryption is not practical). Note that because of the need to subsequently resolve the artifact using another synchronous binding, such as SOAP, a direct communication path must exist between the SAML message sender and recipient in the reverse direction of the artifact's transmission (the receiver of the message and artifact must be able to send a request back to the artifact issuer). The artifact issuer must also maintain state while the artifact is pending, which has implications for load-balanced environments.

这篇关于SAML 工件的目的是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！