Sending a SAML assertion from IDP to SP


Question

When the user is viewing the SP and he clicks the "Login" button, a popup pointing to the IDP's login form is opened. After the user provides their username/password and submits the login form within the popup, assuming the credentials are valid, how can I get the SAML assertion generated by the IDP back to the SP? Can I use window.postMessage?

Recommended answer

The response (including the SAML assertion) of the IDP will be sent to the Assertion Consumer Service URL of your SP. At this point you can do everything you want with it and, assuming the SAML assertion is correct, create an authenticated login session at the SP level.

Depending on your use case you could now exit the popup and refresh (maybe partially) the parent window so it will pick up the logged-in user. You could use the window.opener object to call a function on the parent window. The main use of window.postMessage is to send data between windows/frames across domains. But because you are receiving the response on an SP URL you should not need this.

Based on your story I am wondering if you are doing an SP-initiated SSO by sending an AuthnRequest to the IDP?
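The browser-side glue for the flow the answer describes, as an added example that is not part of the original post or answer: the SAML response is consumed server-side by the SP's ACS endpoint (not shown), and the page the ACS endpoint then serves inside the popup, being on the SP origin, only tells the parent window that login finished via window.opener. The names `startSsoPopup`, `notifyOpenerAndClose`, `onSsoComplete` and the URL `https://sp.example/saml/login` are assumptions; `win` and `popupWin` are passed in so the same code runs under Node with fake window objects.

```javascript
// Added example (hypothetical names). The assertion itself never reaches page JS:
// the server validates it and sets a session cookie; the popup only signals "done".

// Parent page (SP origin): open the SSO popup and register a one-shot callback.
function startSsoPopup(win, ssoStartUrl, onLoggedIn) {
  win.onSsoComplete = function onSsoComplete() {
    delete win.onSsoComplete;   // one-shot: a second call finds no callback
    onLoggedIn();               // e.g. re-fetch the current user so the page picks up the session
  };
  return win.open(ssoStartUrl, 'saml_sso', 'width=500,height=650');
}

// Popup page served by the ACS endpoint after it accepted the SAML response.
// Uses window.opener as the answer suggests; postMessage is not needed because both
// windows are on the SP origin. Returns a status string so the outcome can be checked.
function notifyOpenerAndClose(popupWin) {
  const opener = popupWin.opener;
  if (!opener) {
    return 'no-opener';         // opened with noopener, or the user navigated here directly
  }
  let sameOrigin;
  try {
    // Reading location.origin of a cross-origin opener throws in browsers;
    // treat that as "not same origin" rather than calling into a foreign window.
    sameOrigin = opener.location.origin === popupWin.location.origin;
  } catch (e) {
    sameOrigin = false;
  }
  if (!sameOrigin || typeof opener.onSsoComplete !== 'function') {
    return 'no-callback';
  }
  opener.onSsoComplete();
  popupWin.close();
  return 'notified';
}
```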

