Logging into SAML/Shibboleth authenticated server using python


Question

I'm trying to log in to my university's server via python, but I'm entirely unsure of how to go about generating the appropriate HTTP POSTs, creating the keys and certificates, and other parts of the process I may be unfamiliar with that are required to comply with the SAML spec. I can log in with my browser just fine, but I'd like to be able to log in and access other contents within the server using python.

For reference, here is the website

I've tried logging in by using mechanize (selecting the form, populating the fields, clicking the submit button control via mechanize.Browser.submit(), etc.) to no avail; the login site gets spat back each time.

At this point, I'm open to implementing a solution in whichever language is most suitable to the task. Basically, I want to programmatically log in to a SAML authenticated server.

Recommended answer

Basically what you have to understand is the workflow behind a SAML authentication process. Unfortunately, there is no PDF out there which seems to really provide good help in finding out what kind of things the browser does when accessing a SAML protected website.

Maybe you should take a look at something like this: http://www.docstoc.com/docs/33849977/Workflow-to-Use-Shibboleth-Authentication-to-Sign and obviously at this: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language. In particular, focus your attention on this scheme:

What I did when I was trying to understand SAML's way of working, since the documentation was so poor, was writing down (yes! writing - on paper) all the steps the browser was doing from the first to the last. I used Opera, setting it not to allow automatic redirects (300, 301, 302 response codes, and so on), and also not enabling Javascript. Then I wrote down all the cookies the server was sending me, what was doing what, and for what reason.

Maybe it was way too much effort, but in this way I was able to write a library, in Java, which is suited for the job, and incredibly fast and efficient too. Maybe someday I will release it publicly...

What you should understand is that, in a SAML login, there are two actors playing: the IDP (identity provider), and the SP (service provider).

I'm quite sure that you reached the link you reference in your question from another page, clicking on something like "Access to the protected website". If you pay some more attention, you'll notice that the link you followed is not the one in which the authentication form is displayed. That's because the clicking of the link from the IDP to the SP is a step for the SAML. The first step, actually. It allows the IDP to define who you are, and why you are trying to access its resource. So, basically what you'll need to do is make a request to the link you followed in order to reach the web form, and get the cookies it'll set. What you won't see is a SAMLRequest string, encoded into the 302 redirect you will find behind the link, sent to the IDP making the connection.

I think that it's the reason why you can't mechanize the whole process. You simply connected to the form, with no identity identification done!

This one is easy. Please be careful! The cookies that are now set are not the same as the cookies above. You're now connecting to an utterly different website. That's the reason why SAML is used: different website, same credentials. So you may want to store these authentication cookies, provided by a successful login, in a different variable. The IDP is now going to send you back a response (after the SAMLRequest): the SAMLResponse. You have to detect it by getting the source code of the webpage at which the login ends. In fact, this page is a big form containing the response, with some code in JS which automatically submits it when the page loads. You have to get the source code of the page, parse it getting rid of all the useless HTML stuff, and get the SAMLResponse (encrypted).

Now you're ready to end the procedure. You have to send (via POST, since you're emulating a form) the SAMLResponse got in the previous step to the SP. In this way, it will provide the cookies needed to access the protected stuff you want to access.

Aaaaand, you're done!

Again, I think that the most precious thing you'll have to do is use Opera and analyze ALL the redirects SAML does. Then, replicate them in your code. It's not that difficult, just keep in mind that the IDP is utterly different from the SP.
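An added Python example (not code from the answer, mechanize, or any SAML library) of the pieces the answer describes: decoding the SAMLRequest hidden in the 302 redirect, parsing the IdP's auto-submitting form out of the page source, and POSTing its hidden fields to the SP with an HTTP session kept apart from the IdP one. All URLs and XML fragments are constructed placeholders; note that the SAMLResponse in the POST binding is base64-encoded XML, normally signed rather than encrypted.

```python
import base64
import zlib
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

class SamlFormParser(HTMLParser):
    """Collect the action URL and hidden inputs of the first <form> on the IdP's page."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")

def parse_saml_post_form(html):
    """Return (action_url, fields) of the auto-submitting SAMLResponse form."""
    p = SamlFormParser()
    p.feed(html)
    if p.action is None or "SAMLResponse" not in p.fields:
        raise ValueError("page does not carry a SAMLResponse form")
    return p.action, p.fields

def decode_redirect_saml_request(location):
    """SAMLRequest in the HTTP-Redirect binding: url-decode, base64-decode, inflate (raw DEFLATE)."""
    qs = parse_qs(urlparse(location).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()

def decode_post_saml_response(value):
    """SAMLResponse in the HTTP-POST binding is base64-encoded XML (normally signed)."""
    return base64.b64decode(value).decode()

def complete_login(post, idp_page_html):
    """Last step: POST the hidden fields to the form action (the SP's assertion consumer URL).
    `post(url, data)` is injected, e.g. a requests.Session().post kept separate from the IdP session."""
    action, fields = parse_saml_post_form(idp_page_html)
    return post(action, {k: fields[k] for k in ("SAMLResponse", "RelayState") if k in fields})

# Constructed sample data (not captured from a real IdP or SP)
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_LOCATION = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=" + quote(
    base64.b64encode(_c.compress(b'<samlp:AuthnRequest ID="_a1"/>') + _c.flush()).decode())
SAMPLE_IDP_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://sp.example.edu/Shibboleth.sso/SAML2/POST">
<input type="hidden" name="RelayState" value="cookie:1a2b"/>
<input type="hidden" name="SAMLResponse" value="%s"/>
</form></body></html>""" % base64.b64encode(b'<samlp:Response ID="_r1"/>').decode()
```

With a real site, `post` would be the `.post` method of a second `requests.Session` so the SP's cookies never mix with the IdP's, and the redirect that carries the SAMLRequest is found by fetching the protected link with redirects disabled.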
