How should I be implementing the HTTP POST Protocol Binding for SAML WebSSO Profile?


Problem description

I've implemented my Service Provider and Identity Provider following the SAML Profile for Web SSO using HTTP POST Protocol Binding. However, I am a bit confused as to how the Identity Provider will provide an <AuthnStatement> if the HTTP POST coming from the Service Provider is not tied to a session on the Identity Provider.

Could someone enlighten me how one would be able to do this?

The other approach I could use is the HTTP Redirect Binding, but that requires User-Agent intervention (i.e., the browser), often using the User-Agent simply as a pass-thru intermediary to facilitate the Request-Response message exchange. I'd rather use HTTP POST for this reason, because the message exchange occurs server-side, so the user sees nothing happening on their screen.

However, using HTTP Redirect makes more sense to me with respect to how I'd be able to tie a session to a request. Since the HTTP Redirect is facilitated via a User-Agent, the request to the IdP will have a session (if previously authenticated). What I don't get though is how to send an <AuthnRequest> on an HTTP Redirect.

So I'm a bit confused and would love to hear what other people are doing. Here are my questions again:


  1. Using the HTTP POST Protocol Binding with the IsPassive option on the <AuthnRequest>, how do I tie a request made by the Service Provider to a session on the Identity Provider? In other words, how does the Identity Provider know who is making the request if the POST is coming from the Service Provider, which is technically an anonymous session?
  2. Using the HTTP Redirect Protocol Binding, how do I send an <AuthnRequest> to the Identity Provider if I am using an HTTP Redirect?

UPDATE

Sorry for the confusion if I was unclear in my explanation above. I am implementing both the IdP and SP (via a plugin). The IdP is an existing application for which I want the SP (a third-party system) to use for authentication (i.e., Web SSO). I am developing a simple PoC at the moment. The SP is actually a third-party Spring application for which I am developing a plugin to perform the SAML operations.

I should have mentioned that I am trying to do this using the IsPassive option, that meaning the User-Agent doesn't come into play during the message exchange. It is simply the catalyst that gets the SAML party started. Right? With that in mind, given that the user is anonymous at Step 1, what does the SP send to the IdP to allow the IdP to figure out whether the user is already authenticated? Because of IsPassive, the HTTP POST isn't sent via the User-Agent.

Question 1 revised: how does the IdP resolve the principal when the AuthnRequest is sent with the IsPassive option?

Straight from the SAML 2.0 Profiles document, page 15, lines 417 to 419:


In step 4, the principal is identified by the identity provider by some means outside the scope of this profile.

What I'm really after is an explanation of how to implement "some means".

Recommended answer

The thing to keep in mind is that there's no connection between a session on the IdP and a session on the SP. They don't know about each other, and communicate only through the SAML messages. The general steps for SP-initiated SAML SSO are:


  1. Anonymous user visits resource (page) at SP.
  2. SP identifies that user needs to be authenticated at IdP.
  3. SP constructs AuthnRequest and sends to IdP.
  4. IdP does some sort of authentication, constructs SAML Response and sends to SP.
  5. SP validates Response and, if valid, does whatever is necessary to identify user at SP and get them to originally requested resource.

Yes, there does need to be some way to connect the SP's AuthnRequest to the IdP's Response. That's covered by the SAML spec: the SP's AuthnRequest includes an ID value, and the corresponding response from the IdP MUST include an InResponseTo attribute (on its SubjectConfirmationData element) with that ID value. The Authentication Request Protocol also allows the SP to pass a RelayState parameter to the IdP, which the IdP is then REQUIRED to pass along unchanged with the SAML Response. You (in the SP role) can use that RelayState value to capture state information allowing the user to be relayed to the originally requested resource.

That implies that when you implement an SP, you'll need some mechanism for recording ID and RelayState values, and your Response processing needs to validate the InResponseTo and RelayState values it receives. How you choose to create and interpret RelayState values is up to you, but keep in mind that there is a length limit. (We use random GUID values corresponding to locally saved state data, which has the extra advantage of not giving any hint of meaning to the RelayState values.)

How does the IdP know who is making the request? The AuthnRequest must include an Issuer element that identifies the SP. It might also contain an AssertionConsumerServiceURL (the URL to which the Response is to be sent), or the IdP may have a local mapping of the Issuer to the proper URL.

How do you send an AuthnRequest using HTTP Redirect? The only difference between an AuthnRequest sent using POST vs. Redirect, besides using GET rather than POST, is that the AuthnRequest XML has to get compressed (using the DEFLATE encoding).

Hope that answers most of your questions.
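The answer above describes three SP-side mechanics without showing them: recording the AuthnRequest ID together with a random-GUID RelayState, encoding the AuthnRequest for the HTTP-Redirect binding (DEFLATE, then base64, then URL-encode), and validating InResponseTo and RelayState when the Response comes back. The following Python is an added example written for this page, not code from the question's Spring plugin or from any SAML library; the `ServiceProvider` class, the entity IDs and URLs, and the `make_sample_response` helper are all hypothetical, and the sample Response it builds is constructed (unsigned) for illustration.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


class ServiceProvider:
    """Hypothetical SP-side state for SP-initiated SSO (entity ID and ACS URL are assumptions)."""

    def __init__(self, entity_id, acs_url):
        self.entity_id = entity_id
        self.acs_url = acs_url
        # RelayState GUID -> {"id": AuthnRequest ID, "target": originally requested resource}
        self.pending = {}

    def build_authn_request(self, target_resource, is_passive=False):
        """Create the AuthnRequest XML and remember its ID under a random RelayState."""
        request_id = "_" + uuid.uuid4().hex          # SAML IDs must start with a letter or underscore
        relay_state = str(uuid.uuid4())              # opaque GUID, no meaning leaks to the IdP
        self.pending[relay_state] = {"id": request_id, "target": target_resource}
        root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": request_id,
            "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "AssertionConsumerServiceURL": self.acs_url,
            "IsPassive": "true" if is_passive else "false",
        })
        ET.SubElement(root, f"{{{SAML}}}Issuer").text = self.entity_id  # tells the IdP who is asking
        return ET.tostring(root, encoding="unicode"), relay_state

    def redirect_url(self, idp_sso_url, authn_request_xml, relay_state):
        """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into the query."""
        compressor = zlib.compressobj(wbits=-15)
        deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
        saml_request = base64.b64encode(deflated).decode()
        return idp_sso_url + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})

    def consume_response(self, response_xml, relay_state):
        """Validate RelayState and InResponseTo; return (NameID, target resource) on success.
        XML signature verification is out of scope here and must be done in a real SP."""
        state = self.pending.pop(relay_state, None)  # pop: each RelayState is single-use
        if state is None:
            raise ValueError("unknown or already-used RelayState")
        root = ET.fromstring(response_xml)
        if root.get("InResponseTo") != state["id"]:
            raise ValueError("Response InResponseTo does not match our AuthnRequest ID")
        scd = root.find(f".//{{{SAML}}}SubjectConfirmationData")
        if scd is None or scd.get("InResponseTo") != state["id"]:
            raise ValueError("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("Recipient") != self.acs_url:
            raise ValueError("assertion was not addressed to our ACS URL")
        return root.find(f".//{{{SAML}}}NameID").text, state["target"]


def decode_redirect_request(url):
    """IdP side of the Redirect binding: undo URL-encoding, base64 and DEFLATE, then read the key fields."""
    params = parse_qs(urlparse(url).query)
    inflated = zlib.decompressobj(wbits=-15).decompress(base64.b64decode(params["SAMLRequest"][0]))
    root = ET.fromstring(inflated)
    return {
        "id": root.get("ID"),
        "issuer": root.find(f"{{{SAML}}}Issuer").text,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "is_passive": root.get("IsPassive"),
        "relay_state": params["RelayState"][0],
    }


def make_sample_response(in_response_to, recipient, name_id):
    """Constructed, unsigned sample Response standing in for what the IdP would send back."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'InResponseTo="{in_response_to}"><saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{recipient}"/>'
        f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    sp = ServiceProvider("https://sp.example/metadata", "https://sp.example/acs")
    xml, relay = sp.build_authn_request("/reports/42", is_passive=True)
    url = sp.redirect_url("https://idp.example/sso", xml, relay)
    seen_by_idp = decode_redirect_request(url)
    print("IdP sees issuer:", seen_by_idp["issuer"], "IsPassive:", seen_by_idp["is_passive"])
    response = make_sample_response(seen_by_idp["id"], "https://sp.example/acs", "alice")
    print("SP accepts:", sp.consume_response(response, relay))
```

The RelayState is popped from the pending table on first use, so a replayed Response with the same RelayState is rejected even if its InResponseTo still matches; the Recipient check stops an assertion minted for another SP's ACS URL from being accepted here.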
