How should I be implementing the HTTP POST Protocol Binding for SAML WebSSO Profile?


Question


I've implemented my Service Provider and Identity Provider following the SAML Profile for Web SSO using HTTP POST Protocol Binding. However, I am a bit confused as to how the Identity Provider will provide an <AuthnStatement> if the HTTP POST coming from the Service Provider is not tied to a session on the Identity Provider.


Could someone enlighten me how one would be able to do this?


The other approach I could use is the HTTP Redirect Binding, but that requires User-Agent intervention (i.e., the browser), often using the User-Agent simply as a pass-thru intermediary to facilitate the Request-Response message exchange. I'd rather use HTTP POST for this reason, because the message exchange occurs server-side, so the user sees nothing happening on their screen.


However, using HTTP Redirect makes more sense to me with respect to how I'd be able to tie a session to a request. Since the HTTP Redirect is facilitated via a User-Agent, the request to the IdP will have a session (if previously authenticated). What I don't get though is how to send an <AuthnRequest> on a HTTP Redirect.


So I'm a bit confused and would love to hear what other people are doing. Here are my questions again:

  1. Using the HTTP POST Protocol Binding with the IsPassive option in the <AuthnRequest>, how do I tie a request made by the Service Provider to a session on the Identity Provider? In other words, how does the Identity Provider know who is making the request if the POST is coming from the Service Provider which is technically an anonymous session?
  2. Using the HTTP Redirect Protocol Binding, how do I send an <AuthnRequest> to the Identity Provider if I am using a HTTP Redirect?


UPDATE

Sorry for the confusion if I was unclear in my explanation above. I am implementing both the IdP and SP (via a plugin). The IdP is an existing application for which I want the SP (a third-party system) to use for authentication (i.e., Web SSO). I am developing a simple PoC at the moment. The SP is actually a third-party Spring application for which I am developing a plugin to perform the SAML operations.


I should have mentioned that I am trying to do this using the IsPassive option, that meaning the User-Agent doesn't come into play during the message exchange. It is simply the catalyst that gets the SAML-party started. Right? With that in mind, given that the user is anonymous at Step 1, what does the SP send to the IdP to allow the IdP to figure out whether the user is already authenticated? Because of IsPassive, the HTTP POST isn't sent via the User-Agent.


Question 1 Revised: How does the IdP resolve the Principal when the AuthnRequest is sent with the IsPassive option on?


Straight from the SAML 2.0 Profiles document, page 15, lines 417 to 419:


In step 4, the principal is identified by the identity provider by some means outside the scope of this profile.


What I'm really after is an explanation of how to implement some means.

Answer by JST


The thing to keep in mind is that there's no connection between a session on the IdP and a session on the SP. They don't know about each other, and communicate only through the SAML messages. The general steps for SP-initiated SAML SSO are:

  1. An anonymous user accesses a resource (page) on the SP.
  2. The SP determines that the user needs to be authenticated at the IdP.
  3. The SP constructs an AuthnRequest and sends it to the IdP.
  4. The IdP performs some kind of authentication, constructs a SAML Response and sends it to the SP.
  5. The SP validates the Response and, if it is valid, takes whatever steps are needed to identify the user at the SP and get them to the originally requested resource.


Yes, there does need to be some way to connect the SP's AuthnRequest to the IdP's Response. That's covered by the SAML spec: the SP's AuthnRequest includes an ID value, and the corresponding response from the IdP MUST include an InResponseTo attribute (on its SubjectConfirmationData element) with that ID value. The Authentication Request Protocol also allows the SP to pass a RelayState parameter to the IdP, which the IdP is then REQUIRED to pass along unchanged with the SAML Response. You (in the SP role) can use that RelayState value to capture state information allowing the user to be relayed to the originally requested resource.


That implies that when you implement an SP, you'll need some mechanism for recording ID and RelayState values, and your Response processing needs to validate InResponseTo and RelayState values it receives. How you choose to create and interpret RelayState values is up to you, but keep in mind that there is a length limit. (We use random GUID values corresponding to locally saved state data, which has the extra advantage of not giving any hint of meaning to the RelayState values.)


How does the IdP know who is making the request? The AuthnRequest must include an Issuer element that identifies the SP. It might also contain an AssertionConsumerServiceURL (the URL to which the Response is to be sent), or the IdP may have a local mapping of the Issuer to the proper URL.


How do you send an AuthnRequest using HTTP Redirect? The only difference between AuthnRequest sent using POST vs. Redirect, besides using GET rather than POST, is that the AuthnRequest XML has to get compressed (using the DEFLATE encoding).


Hope that answers most of your questions.
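The SP-side mechanics the answer describes, as an added example that is not part of the original post or of either project (the IdP is not a Python application; Python is used here only because the logic is binding-level and easy to run stand-alone). It builds an AuthnRequest carrying an ID, an Issuer, an AssertionConsumerServiceURL and IsPassive, records the ID together with a random opaque RelayState, encodes the same request for HTTP-POST (base64 only) and for HTTP-Redirect (raw DEFLATE, then base64, then URL-encoding), and validates an incoming Response by matching InResponseTo and RelayState against the pending store and consuming the entry once. The entity IDs, URLs and the minimal IdP Response are constructed for the example; the `pending` dict stands in for whatever persistent store a real SP would use, and signature, Recipient, audience and NotOnOrAfter checks are deliberately left out of `validate_response` so that the correlation step stays visible.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample identifiers for this example (not from the original post).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"

# SP-side store of outstanding requests: AuthnRequest ID -> {relay_state, url}.
# A real SP would keep this in a database or cache with an expiry.
pending = {}


def build_authn_request(requested_url, passive=True):
    """Build an AuthnRequest, record its ID and a random RelayState, return (id, xml, relay_state)."""
    req_id = "_" + uuid.uuid4().hex        # XML IDs must not start with a digit
    relay_state = uuid.uuid4().hex         # opaque: reveals nothing about the saved state
    issue_instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "IsPassive": "true" if passive else "false",
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID   # identifies the SP to the IdP
    pending[req_id] = {"relay_state": relay_state, "url": requested_url}
    return req_id, ET.tostring(root, encoding="unicode"), relay_state


def post_form_value(authn_xml):
    """HTTP-POST binding: the SAMLRequest form field is base64 of the XML, no compression."""
    return base64.b64encode(authn_xml.encode("utf-8")).decode("ascii")


def redirect_url(authn_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into the query."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_request(url):
    """IdP side of the Redirect binding: inverse of redirect_url, returns (xml, relay_state)."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8"), qs["RelayState"][0]


def validate_response(response_xml, relay_state):
    """Correlate a Response with a pending request; return the original URL or None if rejected."""
    root = ET.fromstring(response_xml)
    scd = root.find(f".//{{{SAML}}}SubjectConfirmationData")
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    entry = pending.get(in_response_to)
    if entry is None:
        return None                        # unsolicited, unknown or already-consumed ID
    if entry["relay_state"] != relay_state:
        return None                        # RelayState was not passed back unchanged
    del pending[in_response_to]            # one-time use: a replayed Response is rejected
    return entry["url"]


def constructed_idp_response(in_response_to):
    """Minimal Response built for the example; a real IdP signs it and fills in the assertion."""
    root = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + uuid.uuid4().hex,
                                               "Version": "2.0", "InResponseTo": in_response_to})
    subject = ET.SubElement(ET.SubElement(root, f"{{{SAML}}}Assertion"), f"{{{SAML}}}Subject")
    sc = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData",
                  {"InResponseTo": in_response_to, "Recipient": SP_ACS_URL})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    req_id, xml, rs = build_authn_request("https://sp.example.com/reports/42")
    print(redirect_url(xml, rs))
    print(validate_response(constructed_idp_response(req_id), rs))   # original URL
    print(validate_response(constructed_idp_response(req_id), rs))   # None: already consumed
```

The two bindings differ only in the encoding step, as the answer says: `post_form_value` and `redirect_url` wrap the same XML. The store keyed by the request ID is what lets the SP reject a Response it never asked for, and deleting the entry on first use is what turns InResponseTo into a replay check rather than just a lookup.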
