2012-05-25 66 views
4

What is the correct format for a SAML 2.0 assertion?

We have a customer who is trying to use ADFS to apply SSO to our web application. We are using the ComponentSpace SAML 2.0 library. The assertion being sent to us looks like this:

<Assertion ID="_b8a24809-ab6b-4acd-ad6a-8bcb97bb1889" IssueInstant="2012-05-24T13:30:33.917Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> 
    <Issuer>http://example.com/adfs/services/trust</Issuer> 
    <Subject> 
     <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID> 
     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> 
      <SubjectConfirmationData NotOnOrAfter="2012-05-24T13:35:33.920Z" Recipient="https://example.com/default.aspx" /> 
     </SubjectConfirmation> 
    </Subject> 
    <Conditions NotBefore="2012-05-24T13:30:33.907Z" NotOnOrAfter="2012-05-24T14:30:33.907Z"> 
     <AudienceRestriction> 
      <Audience>https://example.com</Audience> 
     </AudienceRestriction> 
    </Conditions> 
    <AttributeStatement> 
     <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> 
      <AttributeValue>[email protected]</AttributeValue> 
     </Attribute> 
    </AttributeStatement> 
    <AuthnStatement AuthnInstant="2012-05-24T13:30:33.756Z" SessionIndex="_b8a24809-ab6b-4acd-ad6a-8bcb97bb1889"> 
     <AuthnContext> 
       <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef> 
     </AuthnContext> 
    </AuthnStatement> 
</Assertion> 

The ComponentSpace library is pulling the full SamlResponse from the HTTP POST but reports no assertions (i.e. samlResponse.GetAssertions().Count == 0). If I use the ComponentSpace example it works, but I noticed that all the elements I create with the ComponentSpace library are prefixed with "saml:" (as I believe they should be).

Should the ComponentSpace library be able to find the assertion without the saml: prefix, or is there a way to configure ADFS so that it sends it correctly?

+1

Our SAML component (http://www.componentspace.com/saml) ignores prefixes when accessing XML elements etc. Instead, elements are identified by tag name and namespace, which is the correct way to do things in XML. So rather than looking for a tag name of saml, we look for the Assertion element under the urn:oasis:names:tc:SAML:2.0:assertion namespace etc. – 2012-08-04 07:40:32

Answers

3

It turns out the XML above is valid (ADFS adds the namespace to the XML as a whole rather than to each element). The problem was that the ComponentSpace library has different methods for getting signed or encrypted assertions, and I was just calling the generic GetAssertions. ADFS was generating signed assertions, so I needed to call a different function.

Here is the code we ended up with:

// Declared here so the fragment stands on its own; samlResponse and x509Certificate
// are the parsed SAMLResponse and the IdP signing/decryption certificate.
SAMLAssertion samlAssertion = null;

IList<EncryptedAssertion> encryptedAssertions = samlResponse.GetEncryptedAssertions();
if (encryptedAssertions.Count > 0 && x509Certificate != null) {
    // Decrypt the assertion
    EncryptedAssertion encryptedAssertion = encryptedAssertions[0];
    XmlElement decryptedElement = encryptedAssertion.DecryptToXml(x509Certificate, null);
    LogMessage("Decrypted assertion: " + decryptedElement.OuterXml);

    // Then verify the signature.
    VerifySignature(x509Certificate, decryptedElement);
    samlAssertion = new SAMLAssertion(decryptedElement);
} else {
    if (samlResponse.GetSignedAssertions().Count > 0) {
        // Get the signed assertion and verify the signature.
        XmlElement signedAssertionElement = samlResponse.GetSignedAssertions()[0];
        LogMessage("Signed assertion: " + signedAssertionElement.OuterXml);

        VerifySignature(x509Certificate, signedAssertionElement);
        samlAssertion = new SAMLAssertion(signedAssertionElement);
    } else {
        // Assertion is not encrypted or signed.
        if (samlResponse.GetAssertions().Count > 0) {
            samlAssertion = samlResponse.GetAssertions()[0];
            LogMessage("Assertion: " + samlAssertion.ToXml().OuterXml);
        } else {
            LogFatalError("No assertions in response");
        }
    }
}
2

A correct SAML response should contain namespace-qualified elements:

<saml2p:Response Destination="https://www.google.com/a/squaresquare.biz/acs" IssueInstant="2010-08-04T17:47:20.956Z" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" InResponseTo="djfnhepndikoonjjkeomgplmkjofobhdbdieihpa" Version="2.0" ID="_bd24b4a3514fd93800d2a43cafc98edb"> 
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://my.ssodemo.url.demo.google.com/idp/shibboleth</saml2:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> 
     <ds:Reference URI="#_bd24b4a3514fd93800d2a43cafc98edb"> 
     <ds:Transforms> 
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> 
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml2 saml2p"></ec:InclusiveNamespaces> 
      </ds:Transform> 
     </ds:Transforms> 
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> 
     <ds:DigestValue>m/lUCS3nvfGuSJFKAtIz+ZrfxTU=</ds:DigestValue> 
     </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue>PLdYgU9u5KirVrMHNSwYvk6fQ401dMbpuiDXpapKf0eOKC6pN3g7tnTEzvfOaXhkDNXVmGN+lXQ6iUDppWpdO2MbvPVZabOBPU1aAO+CWI53ciC0rYsxpFzQLLMC/7x9Wk7VFFmYEecxAJV+lTWvp8ZKXvwqZbhiTO/23EC0xconGhnwSvKjJWQuLnMMaFWSjDFYyzgsp34cR7aX/eqhhJyA/rr2uFdmgEdagAl+/17ppgHgthgK+PJtX16AALtsoXonv6uybRCX/YiDRvM1VsdwusVq5tXh9V+bTMZcgi/3Eh+Em/OZp0En8pqOngvL19U4LfqG0yJZjoDGkpHuhA==</ds:SignatureValue> 
    <ds:KeyInfo> 
     <ds:X509Data> 
     <ds:X509Certificate>MIIDgjCCAmqgAwIBAgIVAKgIqbzZl7+0p2qjxJFVJs3DE/jxMA0GCSqGSIb3DQEBBQUAMDAxLjAsBgNVBAMTJWh0dHA6Ly93cGgtdWJpcTI3LmhvdC5jb3JwLmdvb2dsZS5jb20wHhcNMTAwNzIxMTcxNTA5WhcNMzAwNzIxMTcxNTA5WjAwMS4wLAYDVQQDEyVodHRwOi8vd3BoLXViaXEyNy5ob3QuY29ycC5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAioQsJycRmjPjB2xlH0iSGn14lNbO/jIVgiGIlzZwlPkH1s2TTdwoTKKQBSe2s8AnJ4LliXlne/qWun3peYht0+RhejtB20L+Bw/I+iKQBGpHzgIKdkPGZnemWl9KqWQ/ZYKnY2x6qMEBmhUfYZcawzs26em5a+iaYlrTJNVEZ+QwWvg2/EOJvJNyBkSfXyxia5eAHV38Uy7xn0G5Zc9ge4ckCYj6b8a/UxpPJM61KztzY5coDwReQsDBq+DciGALJPbFk4783TW...etc.etc</ds:X509Certificate> 
     </ds:X509Data> 
    </ds:KeyInfo> 
    </ds:Signature> 
    <saml2p:Status> 
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode> 
    </saml2p:Status> 
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2010-08-04T17:47:20.956Z" ID="_73fe28bcbb68e93df954d8e2f25097b1"> 
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://my.ssodemo.url.demo.google.com/idp/shibboleth</saml2:Issuer> 
    <saml2:Subject> 
     <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">my_username</saml2:NameID> 
     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> 
     <saml2:SubjectConfirmationData NotOnOrAfter="2010-08-04T17:52:20.956Z" InResponseTo="djfnhepndikoonjjkeomgplmkjofobhdbdieihpa" Recipient="https://www.google.com/a/squaresquare.biz/acs" Address="172.24.6.38"></saml2:SubjectConfirmationData> 
     </saml2:SubjectConfirmation> 
    </saml2:Subject> 
    <saml2:Conditions NotOnOrAfter="2010-08-04T17:52:20.956Z" NotBefore="2010-08-04T17:47:20.956Z"> 
     <saml2:AudienceRestriction> 
     <saml2:Audience>google.com</saml2:Audience> 
     </saml2:AudienceRestriction> 
    </saml2:Conditions> 
    <saml2:AuthnStatement SessionIndex="f306dd2bff4e9b3ba9218bd70fbaa87404d38a4c79547ac1edc9436a9f222213" AuthnInstant="2010-08-04T17:47:20.953Z"> 
     <saml2:SubjectLocality Address="172.24.6.38"></saml2:SubjectLocality> 
     <saml2:AuthnContext> 
     <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
     </saml2:AuthnContext> 
    </saml2:AuthnStatement> 
    </saml2:Assertion> 
</saml2p:Response> 
4

Namespace qualification is optional.
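The thread's point, made by the vendor comment and by the accepted answer, is that an assertion is located by its namespace URI and not by its prefix, and that the relying party then has to branch on whether it is encrypted, signed or plain before trusting it. The following Python script is an added example written for this page; it is not ComponentSpace code and does not use that library. It parses two constructed responses (one in the ADFS default-namespace style of the question, one in the prefixed style of the second answer, both cut down to the elements that are checked and using made-up identifiers and hostnames), finds the Assertion by namespace in both, classifies it the way the accepted answer's three branches do, and then runs the relying-party checks a service provider should apply to a bearer assertion: the Conditions time window, the Audience, and the SubjectConfirmationData Recipient and expiry.

```python
"""Namespace-aware SAML 2.0 assertion lookup and relying-party condition checks."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample 1: ADFS style, namespaces declared as defaults, no signature.
ADFS_STYLE = """<Response ID="_r1" Version="2.0" IssueInstant="2012-05-24T13:30:33.917Z"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion ID="_a1" IssueInstant="2012-05-24T13:30:33.917Z" Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://example.com/adfs/services/trust</Issuer>
    <Subject>
      <NameID>user@example.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2012-05-24T13:35:33.920Z"
            Recipient="https://example.com/default.aspx"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2012-05-24T13:30:33.907Z" NotOnOrAfter="2012-05-24T14:30:33.907Z">
      <AudienceRestriction><Audience>https://example.com</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</Response>"""

# Constructed sample 2: prefixed style with an enveloped ds:Signature on the assertion
# (signature contents elided; this script classifies but does not verify signatures).
PREFIXED_STYLE = """<saml2p:Response ID="_r2" Version="2.0" IssueInstant="2010-08-04T17:47:20.956Z"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion ID="_a2" Version="2.0" IssueInstant="2010-08-04T17:47:20.956Z">
    <saml2:Issuer>http://idp.example.test/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
    <saml2:Subject>
      <saml2:NameID>my_username</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2010-08-04T17:52:20.956Z"
            Recipient="https://sp.example.test/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2010-08-04T17:47:20.956Z" NotOnOrAfter="2010-08-04T17:52:20.956Z">
      <saml2:AudienceRestriction><saml2:Audience>sp.example.test</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2012-05-24T13:30:33.917Z (fraction optional)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_assertions(root):
    """Return Assertion elements by namespace URI, whatever prefix (or none) they carry."""
    return list(root.iter(f"{{{NS_SAML}}}Assertion"))


def classify(root):
    """Mirror the accepted answer's branches: encrypted, signed, plain, or none."""
    if root.find(f"{{{NS_SAML}}}EncryptedAssertion") is not None:
        return "encrypted"
    assertions = find_assertions(root)
    if not assertions:
        return "none"
    if assertions[0].find(f"{{{NS_DS}}}Signature") is not None:
        return "signed"
    return "plain"


def check_conditions(assertion, audience, recipient, now):
    """Return the relying-party checks that fail; an empty list means acceptable."""
    problems = []
    cond = assertion.find(f"{{{NS_SAML}}}Conditions")
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb):
            problems.append("assertion not yet valid (NotBefore)")
        if noa and now >= parse_instant(noa):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.iter(f"{{{NS_SAML}}}Audience")]
        if audience not in audiences:
            problems.append(f"audience mismatch: {audiences}")
    subject = assertion.find(f"{{{NS_SAML}}}Subject")
    confirmations = subject.findall(f"{{{NS_SAML}}}SubjectConfirmation") if subject is not None else []
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearer:
        problems.append("no bearer SubjectConfirmation")
    for c in bearer:
        data = c.find(f"{{{NS_SAML}}}SubjectConfirmationData")
        if data is None:
            problems.append("bearer confirmation without SubjectConfirmationData")
            continue
        if data.get("Recipient") != recipient:
            problems.append(f"Recipient mismatch: {data.get('Recipient')}")
        if data.get("NotOnOrAfter") and now >= parse_instant(data.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    return problems


def inspect_response(xml_text, audience, recipient, now):
    """Locate the first assertion by namespace, classify it, and run the checks above."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}Response":
        raise ValueError(f"not a SAML 2.0 Response: {root.tag}")
    assertions = find_assertions(root)
    problems = (check_conditions(assertions[0], audience, recipient, now)
                if assertions else ["no assertions in response"])
    return {"kind": classify(root), "assertion_count": len(assertions), "problems": problems}


if __name__ == "__main__":
    print(inspect_response(ADFS_STYLE, "https://example.com", "https://example.com/default.aspx",
                           datetime(2012, 5, 24, 13, 32, tzinfo=timezone.utc)))
    print(inspect_response(PREFIXED_STYLE, "sp.example.test", "https://sp.example.test/acs",
                           datetime(2010, 8, 4, 17, 50, tzinfo=timezone.utc)))
```

Both samples yield exactly one assertion even though one uses default namespaces and the other prefixes, which is the vendor's point: a lookup keyed on the tag name `saml:Assertion` would miss the ADFS form. The classification only detects that a Signature element is present; verifying it (as the accepted answer's VerifySignature call does) and checking InResponseTo against the request the SP actually issued are what make the time, audience and recipient values trustworthy, so a real service provider performs those before acting on anything this script reports.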
