SAML 2.0: How to configure Assertion Consumer Service URL


Problem description

I am implementing a SAML 2.0 Service Provider which uses Okta as the Identity Provider. I would like to configure the Assertion Consumer Service (ACS) URL so that the SAML 2.0 from my Service Provider app is reflected back in the assertion.

However, I am noticing that the Okta Identity Provider instead sends the SSO Endpoint configured in the Okta configuration and ignores the ACS that was actually sent. Also, I get an error; perhaps the ACS from the SP doesn't match the metadata there.

If the ACS URL is not the right way to send a short ID to the IdP for it to reflect back in the assertion, what other mechanism can be used for this purpose?

Example:

The SAML 2.0 SAMLRequest sent by the SP app is:

assertion_consumer_service_url: https://host.com:port/saml/consume?entityId=N&myName=username

The configuration on the Identity Provider has the metadata:

Single Sign-on URL: https://host.com:port/saml/consume?entityId=N

Note that the myName changes from one request to the next, as it is our way of verifying that the response has a name_id which matches the original username being sent.

Also, if there is a way for the Service Provider to let the Identity Provider assert an SP-managed name (such as username), that would be fine for our needs. How does one specify this?

Thanks

Recommended answer

In SAML, the ACS is assumed to be static for an SP. To correlate the Response with the originating AuthnRequest you should save the ID of the outgoing AuthnRequest and then use the InResponseTo of the received response.

The SP can add a subject to the AuthnRequest, telling the IdP what username you want to have authenticated. It's defined in section 3.4.1 in the SAML2 Core spec.
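The two points in the answer above, shown as an added example that is not part of the original answer: the SP keeps a static ACS URL, stores the ID of each outgoing AuthnRequest server-side, puts the expected username into a `saml:Subject`, and then accepts a Response only if its `InResponseTo` matches a pending request ID and its `NameID` matches the user that request asked for. The entity ID, ACS URL and the helper that fabricates an unsigned sample Response are constructed placeholders for the demonstration; a real SP verifies the XML signature and the assertion's conditions before reading anything from the Response.

```python
"""Added example (not from the original Q&A): AuthnRequest with a Subject,
plus InResponseTo correlation on the Response. Standard library only."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Constructed placeholders, not real endpoints.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
# The ACS is static per SP: no per-request query string such as myName=...
ACS_URL = "https://sp.example.test/saml/consume"


def build_authn_request(username, pending):
    """Return (request_id, xml). `pending` is the SP's server-side store of
    outstanding request IDs mapped to the username each one asked for."""
    req_id = "_" + secrets.token_hex(16)  # SAML IDs are xs:ID, so start with '_'
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    # Section 3.4.1 of SAML2 Core: the Subject names the principal the SP
    # wants the IdP to authenticate.
    subject = ET.SubElement(root, f"{{{NS_SAML}}}Subject")
    ET.SubElement(subject, f"{{{NS_SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    }).text = username
    pending[req_id] = username  # kept on the SP, never sent in the URL
    return req_id, ET.tostring(root, encoding="unicode")


def correlate_response(response_xml, pending):
    """Match a Response to a pending AuthnRequest via InResponseTo and check
    that the asserted NameID is the user that request asked for.
    Assumes the caller has already verified the XML signature."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS_SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    # pop() makes each request ID single-use, so the same Response cannot be
    # accepted twice.
    expected_user = pending.pop(in_response_to, None)
    if expected_user is None:
        raise ValueError("unsolicited or replayed Response")
    name_id = root.findtext(f".//{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if name_id != expected_user:
        raise ValueError("NameID does not match the requested user")
    return name_id


def make_sample_response(in_response_to, name_id):
    """Constructed, unsigned Response used only to exercise the code above."""
    root = ET.Element(f"{{{NS_SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "InResponseTo": in_response_to,
        "Destination": ACS_URL,
    })
    assertion = ET.SubElement(root, f"{{{NS_SAML}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{NS_SAML}}}Subject")
    ET.SubElement(subject, f"{{{NS_SAML}}}NameID").text = name_id
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    store = {}
    rid, request_xml = build_authn_request("alice", store)
    print(request_xml)
    print("correlated user:", correlate_response(make_sample_response(rid, "alice"), store))
```

The `pending` store stands in for whatever session or database the SP uses; the important properties are that the request ID is unpredictable, that the expected username lives on the SP rather than in the ACS URL, and that each ID is consumed on first use.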
