WSO2IS:SAML请求编码/解码

时间:2013-07-02 10:04:15

标签: authentication decode encode saml-2.0 wso2is

我正在使用WSO2 Identity Server 4.1.0。我已成功执行here (thank you)所述的步骤,以使本地SAML2使用者与本地WSO2身份服务器一起使用。

上述步骤描述了使用Tomcat webapp使用SAML请求“调用”WSO2身份服务器的登录页面。 webapp还将收到SAML响应。 webapp必须生成此SAML请求,以便它包含有效的颁发者,时间戳等。如果没有此请求,Identity Server将不提供登录页面。实际上,请求是一种预制。 SAML请求已编码。

我的目标是更好地了解此Web应用程序组成初始SAML请求的方式。使用SAML调试器后,我才能看到请求。如何使用解码器手动查看此SAML请求?

到目前为止我学到了什么:

  • 我已经了解here我们可以使用SAML 2.0 Debugger对saml请求和响应进行解码或编码。但我想知道如何以及如何编码/解码。
  • 我已经了解here可能需要URL解码器和Base64解码。所以我能够对/samlsso?SAMLRequest进行URL解码。它包含一个编码的assertionString。我无法对此字符串进行Base64解码。

请求HTTP标头: 此请求将发送到WSO2 Identity Server。

https://localhost:9443/samlsso

POST /samlsso HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://localhost:9443/samlsso?SAMLRequest=jZPBbtswDIZfRdA9seO0WyzEKbIUxQx0m5u4O%2BymyswiQJY8kU6zt5%2Fs2GsORdCrSP7k%2F5Fa3p1qw47gUTub8dk05gyscpW2vzP%2BXD5MFvxutURZm0asWzrYLfxpAYmFOouiD2S89VY4iRqFlTWgICV262%2BPIpnGovGOnHKGszUieAqNNs5iW4PfgT9qBc%2Fbx4wfiBoRRcYpaQ4OSSziRRx1%2Bsm0gtpFaigKOkRev7QEZ50w6iCU2wpOwUUyT5Ob2%2FQm5ezBeQX94BnfS4PAWX6f8WAzx0Ii6iO8BRDboIEkLWU8iWfzSfx5EidlnIp5Ima300%2Bz9BdnxeDoi7ZnTtfsv5yTUHwty2JS%2FNiVnP0ceYcEPtLtu%2FuPc5UjTb56o7SMLsVG6e%2BhOL8vnNHqL1sb4143HiQF5%2BRb6CHVkq636150Ndn3qaLpHCCBJc52Raf%2F1Eqj9xp8xvNuMh6N3YeLgapfQ9gZwYnYxtWN9Bo7DHCSigYQ4jJrY4LLLewvqHwYytU0JVQnHZ67I3h1vuqWCipMWXppsXGezizfnWc1cn7X2%2F%2Fo5YdZ%2FQM%3D&RelayState=null
Cookie: MSG13721655096400.5456646701125957=true; MSG13721655827030.13073174051588388=true; MSG13721677790000.949325276640498=true; menuPanel=visible; menuPanelType=main; current-breadcrumb=manage_menu%2Cmanage_saml_sso%23; requestedURI=../../carbon/admin/index.jsp; Modernizr=; JSESSIONID=E4B3DB007762167497588E63D2C396F6; MSG13727573306230.10612530425878663=true; region1_manage_menu=visible; ssoTokenId=E4B3DB007762167497588E63D2C396F6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 806
username=admin&assertnConsumerURL=http%3A%2F%2Flocalhost%3A8080%2Fsaml2.demo%2Fconsumer&issuer=saml2.demo&id=0&subject=null&relyingPartySessionId=null&assertionString=jZPBbtswDIZfRdA9seO0WyzEKbIUxQx0m5u4O%2BymyswiQJY8kU6zt5%2Fs2GsORdCrSP7k%2F5Fa3p1qw47gUTub8dk05gyscpW2vzP%2BXD5MFvxutURZm0asWzrYLfxpAYmFOouiD2S89VY4iRqFlTWgICV262%2BPIpnGovGOnHKGszUieAqNNs5iW4PfgT9qBc%2Fbx4wfiBoRRcYpaQ4OSSziRRx1%2Bsm0gtpFaigKOkRev7QEZ50w6iCU2wpOwUUyT5Ob2%2FQm5ezBeQX94BnfS4PAWX6f8WAzx0Ii6iO8BRDboIEkLWU8iWfzSfx5EidlnIp5Ima300%2Bz9BdnxeDoi7ZnTtfsv5yTUHwty2JS%2FNiVnP0ceYcEPtLtu%2FuPc5UjTb56o7SMLsVG6e%2BhOL8vnNHqL1sb4143HiQF5%2BRb6CHVkq636150Ndn3qaLpHCCBJc52Raf%2F1Eqj9xp8xvNuMh6N3YeLgapfQ9gZwYnYxtWN9Bo7DHCSigYQ4jJrY4LLLewvqHwYytU0JVQnHZ67I3h1vuqWCipMWXppsXGezizfnWc1cn7X2%2F%2Fo5YdZ%2FQM%3D&RelayState=null&password=admin
HTTP/1.1 200 OK
Set-Cookie: ssoTokenId=E4B3DB007762167497588E63D2C396F6; Expires=Tue, 02-Jul-2013 19:32:45 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Tue, 02 Jul 2013 09:32:45 GMT
Server: WSO2 Carbon Server

上面请求中的'referer'包含SAML调试器可见的SAML请求。 

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/saml2.demo/consumer" AttributeConsumingServiceIndex="1239245949" ForceAuthn="false" ID="0" IsPassive="false" IssueInstant="2013-07-02T09:32:15.619Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">saml2.demo</samlp:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Isser"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

(似乎还不是完整的SAML请求,而且WSO2 IS正在内部编写完整的SAML请求。)

响应HTTP标头: 这是从WSO2身份服务器收到的响应。

http://localhost:8080/saml2.demo/consumer

POST /saml2.demo/consumer HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=E078F376C8ED303D28A200DD7AC28324; MSG13721655096400.5456646701125957=true; MSG13721655827030.13073174051588388=true; MSG13721677790000.949325276640498=true; menuPanel=visible; menuPanelType=main; current-breadcrumb=manage_menu%2Cmanage_saml_sso%23; requestedURI=../../carbon/admin/index.jsp; Modernizr=; MSG13727573306230.10612530425878663=true; region1_manage_menu=visible; ssoTokenId=E4B3DB007762167497588E63D2C396F6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1870
SAMLResponse=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%0D%0A%3Csaml2p%3AResponse+ID%3D%22dnfomflkhhdjjgfoggoagcdopgnjmpajenlehbka%22+IssueInstant%3D%222013-07-02T09%3A32%3A45.635Z%22+Version%3D%222.0%22+xmlns%3Asaml2p%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22%3E%3Csaml2p%3AStatus%3E%3Csaml2p%3AStatusCode+Value%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Astatus%3ASuccess%22%2F%3E%3C%2Fsaml2p%3AStatus%3E%3Csaml2%3AAssertion+ID%3D%22dgamkdkadflnniggkelmjfakjljedhfdhnbpomdk%22+IssueInstant%3D%222013-07-02T09%3A32%3A45.635Z%22+Version%3D%222.0%22+xmlns%3Asaml2%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%3Csaml2%3AIssuer+Format%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Aentity%22%3Ehttps%3A%2F%2Flocalhost%3A9443%2Fsamlsso%3C%2Fsaml2%3AIssuer%3E%3Csaml2%3ASubject%3E%3Csaml2%3ANameID%3Eadmin%3C%2Fsaml2%3ANameID%3E%3Csaml2%3ASubjectConfirmation+Method%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Acm%3Abearer%22%3E%3Csaml2%3ASubjectConfirmationData+InResponseTo%3D%220%22+NotOnOrAfter%3D%222013-07-02T09%3A37%3A45.635Z%22+Recipient%3D%22http%3A%2F%2Flocalhost%3A8080%2Fsaml2.demo%2Fconsumer%22%2F%3E%3C%2Fsaml2%3ASubjectConfirmation%3E%3C%2Fsaml2%3ASubject%3E%3Csaml2%3AConditions+NotBefore%3D%222013-07-02T09%3A32%3A45.635Z%22+NotOnOrAfter%3D%222013-07-02T09%3A37%3A45.635Z%22%3E%3Csaml2%3AAudienceRestriction%3E%3Csaml2%3AAudience%3Esaml2.demo%3C%2Fsaml2%3AAudience%3E%3C%2Fsaml2%3AAudienceRestriction%3E%3C%2Fsaml2%3AConditions%3E%3Csaml2%3AAuthnStatement+AuthnInstant%3D%222013-07-02T09%3A32%3A45.635Z%22%3E%3Csaml2%3AAuthnContext%3E%3Csaml2%3AAuthnContextClassRef%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APassword%3C%2Fsaml2%3AAuthnContextClassRef%3E%3C%2Fsaml2%3AAuthnContext%3E%3C%2Fsaml2%3AAuthnStatement%3E%3C%2Fsaml2%3AAssertion%3E%3C%2Fsaml2p%3AResponse%3E&RelayState=null
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://localhost:8080/saml2.demo/home.jsp?subject=admin
Content-Length: 0
Date: Tue, 02 Jul 2013 09:32:47 GMT

此处可以使用网址解码器显示SAMLResponse,例如this one

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="dnfomflkhhdjjgfoggoagcdopgnjmpajenlehbka" IssueInstant="2013-07-02T09:32:45.635Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="dgamkdkadflnniggkelmjfakjljedhfdhnbpomdk" IssueInstant="2013-07-02T09:32:45.635Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://localhost:9443/samlsso</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID>admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2013-07-02T09:37:45.635Z" Recipient="http://localhost:8080/saml2.demo/consumer"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2013-07-02T09:32:45.635Z" NotOnOrAfter="2013-07-02T09:37:45.635Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>saml2.demo</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2013-07-02T09:32:45.635Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

1 个答案:

答案 0 :(得分:0)

即使这个线程已经老了,我也会遇到与新的5.1.0 Identity Server类似的问题。

SAMLRequest Url参数可通过第一个URL解码然后Base64对其进行充气来解码。 G。在https://www.samltool.com/decode.php

Url中还有其他参数,通常用&#34;&amp;&#34;必须排除才能获得成功的解码。在您的示例中尤其是&#34;&amp; relayState = null&#34;最后必须排除解码。

重定向绑定还会将放气的签名和使用的摘要算法作为参数。

这是从问题代码片段1中获取的SAMLRequest参数的解码和膨胀结果,它应该涵盖SAML调试器的结果。

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost:8080/saml2.demo/consumer"
    AttributeConsumingServiceIndex="1239245949" ForceAuthn="false" ID="0"
    IsPassive="false" IssueInstant="2013-07-02T09:32:15.619Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">saml2.demo</samlp:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    SPNameQualifier="Isser" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
相关问题
最新问题