假设执行SP-init SSO,则使用HTTP-Redirect Binding而不是HTTP-POST绑定并需要带符号的AuthnRequest。它意味着在URL中包含SAMLRequest。HTTP重定向绑定SAML请求
Q1。我需要在URL中包含签名还是嵌入在SAMLRequest中?
重定向URL是
http://idp.example.com/SSOService.php?SAMLRequest= {VAL1} &签名= {VAL2} & SigAlg = {VAL3}
与我SAMLRequest(无签名)
<samlp:AuthnRequest ID="" Version="2.0" IssueInstant="2015-05-22T02:47:38Z" Destination="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact" />
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:AuthnRequest>
或
http://idp.example.com/SSOService.php?SAMLRequest= {val1}
我SAMLRequest(嵌入与签名)
<samlp:AuthnRequest ID="" Version="2.0" IssueInstant="2015-05-22T02:47:38Z" Destination="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact" />
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>v5h...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>M4...</SignatureValue>
</Signature>
</samlp:AuthnRequest>
Q2。将base64和url编码为url参数的值是否正确?
Q3。 X509证书包含在我的SP元数据中,是否是base64编码的?
我有一个证书cert.pem文件,我需要使它base64编码或直接包括证书。
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
SPMetadata.xml
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFnzCCA4egAwI...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
对于A2,参数应该是网址编码还是网址解码? –
编辑,以澄清发件人的角度的东西 –