我有一个配置了djangosaml2的SP，它针对simplesamlPHP IdP进行身份验证。配置似乎是正确的，但IdP回应说我的AuthnRequest应该签名。
这是我的djangosaml2配置:
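# pysaml2 configuration consumed by djangosaml2 for this Service Provider (SP).
# Relies on `os` and `BASE_DIR` from the surrounding settings module and on the
# `saml2` package for the binding constants; <my_url>/<their_url> are placeholders.
SAML_CONFIG = {
    # full path to the xmlsec1 binary programm
    'xmlsec_binary': '/usr/bin/xmlsec1',
    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': 'https://<my_url>/saml2/metadata/',
    # directory with attribute mapping
    'attribute_map_dir': os.path.join(BASE_DIR, 'attribute-maps'),
    # this block states what services we provide
    'service': {
        'sp': {
            'name': 'Federated SP',
            'endpoints': {
                # where the IdP posts its Response (the Destination it must use)
                'assertion_consumer_service': [
                    ('https://<my_url>/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                'single_logout_service': [
                    ('https://<my_url>/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    ('https://<my_url>/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },
            # attributes that this project need to identify a user
            'required_attributes': ['uid'],
            # Signing policy, as Python booleans rather than the strings
            # "true"/"false": a non-empty string is always truthy, so a later
            # edit to "false" would silently leave the option enabled.
            # authn_requests_signed needs key_file/cert_file below, and the IdP
            # must hold that certificate (from this SP's metadata) to be able
            # to verify the request signature.
            'authn_requests_signed': True,
            'want_assertions_signed': True,
            'want_responses_signed': True,
            # attributes that may be useful to have but not required
            'optional_attributes': [],
            # in this section the list of IdPs we talk to are defined
            'idp': {
                # The key is the IdP's entityID, i.e. the value it sends in
                # <saml:Issuer>. 'idpID' reads like a placeholder -- confirm it
                # matches the Issuer in the IdP's responses and its metadata.
                'idpID': {
                    'single_sign_on_service': {
                        saml2.BINDING_HTTP_POST: "https://<their_url>/idp/SSO.saml2",
                    },
                    'single_logout_service': {
                        saml2.BINDING_HTTP_POST: "https://<their_url>/idp/SLO.saml2",
                    },
                },
            },
        },
    },
    # where the remote metadata is stored. This file supplies the IdP signing
    # certificate used to verify Responses/Assertions; key material a Response
    # carries inline in <ds:KeyInfo> is sender-controlled and must not be
    # trusted on its own.
    'metadata': {
        'local': [os.path.join(BASE_DIR, 'saml-data/metadata.xml')],
    },
    # set to 1 to output debugging information; keep it 0 in production, the
    # output may include complete SAML messages
    'debug': 1,
    # certificate: the private key signs outgoing AuthnRequests, the public
    # part is published in this SP's metadata. Keep the key file readable only
    # by the application user.
    'key_file': os.path.join(BASE_DIR, 'saml-data/mykey.key'),  # private part
    'cert_file': os.path.join(BASE_DIR, 'saml-data/mycert.pem'),  # public part
    'valid_for': 24,  # how long is our metadata valid (hours)
}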
这是我的AuthnRequest:
<?xml version="1.0" encoding="UTF-8"?>
<!-- AuthnRequest built by the SP. It uses the HTTP-POST binding (ProtocolBinding
     below), so the signature travels enveloped inside the XML rather than as a
     query-string parameter. The ID attribute is what the IdP echoes back in
     InResponseTo. -->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://MY_URL/saml2/acs/" Destination="https://THEIR_URL/idp/SSO.saml2" ID="id-438e1715fd5fe61333879b19e2238773" IssueInstant="2015-06-01T15:20:37Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://MY_URL/saml2/metadata/</saml:Issuer>
<!-- Enveloped XML-DSig over the whole request: the Reference URI must equal the
     AuthnRequest ID above. rsa-sha1 and sha1 are deprecated; prefer
     rsa-sha256/sha256 where the IdP accepts them. -->
<ds:Signature Id="Signature1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-438e1715fd5fe61333879b19e2238773">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>Ool+AyPuBNA1WmBEeOzDZJhLz7Y=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>MY_SIGNATURE</ds:SignatureValue>
<!-- The inline certificate is informational; the IdP should verify the signature
     against the SP certificate it holds from the SP's registered metadata, which
     is why that metadata must contain cert_file. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MY_CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<!-- Transient NameID with AllowCreate="false": the IdP may not create a new
     persistent identifier for this user. -->
<samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>
这是IdP的回应:
<?xml version="1.0" encoding="UTF-8"?>
<!-- IdP Response to the request above (InResponseTo matches its ID). It carries
     no saml:Assertion: the Status at the bottom reports a failure. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="gBreDljemX37io8bvhlEBeINLUm" IssueInstant="2015-06-01T15:20:53.388Z" InResponseTo="id-438e1715fd5fe61333879b19e2238773" Destination="https://MY_URL/saml2/acs/">
<!-- Issuer is the IdP's entityID. The 'idp' key in the SP config ('idpID') looks
     like a placeholder; it needs to match this value and the IdP metadata file. -->
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idpdecathlon</saml:Issuer>
<!-- The Response itself is signed by the IdP. The SP must verify it against the
     IdP certificate from its trusted metadata file, not against the
     X509Certificate/RSAKeyValue embedded in KeyInfo, which the sender controls. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#gBreDljemX37io8bvhlEBeINLUm">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>f0jH/VawZS9hrx9ErTJfjLGneBM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>STUFF</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>THEIR_CERT</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>MODULUS</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<!-- status:Requester means the IdP blames the requester's message. The text says
     it wanted a signed AuthnRequest although the request above carries a
     ds:Signature, so the likely causes to check are that the IdP does not hold
     the SP's signing certificate (SP metadata registered at the IdP), or that it
     expects a different signature algorithm or binding than the one used. -->
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<samlp:StatusMessage>Signature required</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>