英文:
saml Integrating Ruby(IDP) and Java(SP)
问题
我正在实现 SAML 单点登录(SSO)。在此中,IDP 使用 Ruby 编写,SP 使用 Java 编写。
对于 Ruby,我们正在使用 saml_idp 和 ruby-saml 这两个 gem。对于 Java,我正在尝试使用 spring-security-saml-dsl。
SP 发送的 SAML AuthnRequest 格式如下:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://localhost:9090/saml/SSO" Destination="https://localhost:3000/sso/saml" ForceAuthn="false" ID="a1g952c8gehic8503id5fbdi1cchhic" IsPassive="false" IssueInstant="2020-04-09T09:08:06.814Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:9090/saml/metadata</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- 签名信息 -->
</ds:Signature>
</saml2p:AuthnRequest>
但是 IDP 不接受这个格式。经过调查,我发现 IDP 只允许以下格式:
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8000/saml/acs" Destination="http://localhost:3050/saml/saml_assertion" ID="_06f89146-44ad-48e3-9110-cf068b7cd639" IssueInstant="2020-04-09T07:15:16Z" Version="2.0">
<saml:Issuer>http://localhost:3050/saml/metadata</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>
我应该如何让 spring-security-saml-dsl(Java SP)发送 'samlp' 格式而不是 'saml2p' 格式?或者如何让 saml_idp(Ruby IDP)同时接受 'saml2p' 格式呢?
英文:
I am implementing saml SSO. In this IDP is writen in ruby and SP is written in java.
for ruby we are using saml_idp & ruby-saml gems. For java i am trying to use spring-security-saml-dsl.
The saml authrequest from SP is in the following format
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://localhost:9090/saml/SSO" Destination="https://localhost:3000/sso/saml" ForceAuthn="false" ID="a1g952c8gehic8503id5fbdi1cchhic" IsPassive="false" IssueInstant="2020-04-09T09:08:06.814Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:9090/saml/metadata</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#a1g952c8gehic8503id5fbdi1cchhic"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>59Sqiz0XoMFOwgquHILLLnmtzb0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>sign</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml2p:AuthnRequest>
But this is not getting accepted by the IDP. Upon investigating I found The IDP allows if the format is as given below
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8000/saml/acs" Destination="http://localhost:3050/saml/saml_assertion" ID="_06f89146-44ad-48e3-9110-cf068b7cd639" IssueInstant="2020-04-09T07:15:16Z" Version="2.0">
<saml:Issuer>http://localhost:3050/saml/metadata</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>
How do i make either spring-security-saml-dsl(java SP) to send in 'samlp' format and not 'saml2p' ? or how do i make saml_idp(ruby IDP) to accept 'saml2p' format as well?
答案1
得分: 0
我在设置上完全错误了。因此出现了问题。这些库(saml_idp和ruby-saml)都接受'samlp'和'saml2p'前缀。我在我的SP中创建了带有HTTP-POST绑定的SAML AuthnRequest,并将其手动传递给IDP进行测试。在IDP中,使用SamlIdp::Controller.decode_request来解码此请求。这部分解码了请求。因此出现了问题。
当我从HTTP-POST绑定更改为HTTP-Redirect绑定时,这开始正常工作。看起来SamlIdp::Controller.decode_request期望AuthnRequest被压缩,而这在HTTP-Redirect绑定中发生。现在我能够成功地集成我的SP和IDP。
英文:
I was totally wrong in my setup. hence the issue. These libraries (saml_idp & ruby-saml) accepts both 'samlp' and 'saml2p' prefixes. I created saml AuthnRequest with HTTP-POST binding in my SP and passed this to IDP manually for testing.In the IDP SamlIdp::Controller.decode_request is being used to decode this request. This partially decoded the request. Hence the issue.
When i changed from HTTP-POST binding to HTTP-Redirect binding This started working. Seems this SamlIdp::Controller.decode_request expects the AuthnRequest to be compressed which happens in HTTP-Redirect binding. Now i am able to integrate both my SP and IDP successfully.
专注分享java语言的经验与见解,让所有开发者获益!
评论