SAML 2.0响应和KeyInfo元素

时间:2017-09-21 19:36:39

标签: web single-sign-on saml-2.0

全部,我对SAML 2.0响应提出了一个简短的问题,我一直在使用它作为我的网络SSO的一部分。我们是身份提供商,我们将SAML令牌发送给我们的服务提供商(SP)。 SP希望我们在发送之前签署整个。我们已经向SP发送了我们的公共证书。证书详细信息是否在生成的SAML 2.0响应中的元素下?是IDP还是服务提供商(SP)。我们没有SP的公共证书

<samlp2:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_71b134e9-1ab3-4680-90a4-3b95c8530a59" Version="2.0" IssueInstant="2017-09-21T17:29:21.6178748Z" Destination="https://sp.com" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_79b534eb-9771-4d22-9d61-d4dc5997be70">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>RzEq/7vrq</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>jQCx6BZyoW+okh+zxwrd</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509IssuerSerial>
          <X509IssuerName>CN=CA, DC=us, DC=local</X509IssuerName>
          <X509SerialNumber>1248841732558767</X509SerialNumber>
        </X509IssuerSerial>
        <X509Certificate>MIIEpTCCA42gAwIBAgITOAAAARWJYtXzIdPzr</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp2:Status>
    <samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp2:Status>
  <saml2:Assertion Version="2.0" ID="_79b534eb-9771-4d22-9d61-d4dc5997be70" IssueInstant="2017-09-21T17:29:21.6208748Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://mycompany.com/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">TestUser</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
    <saml2:AuthnStatement AuthnInstant="2017-09-21T17:29:21.6228748Z" SessionNotOnOrAfter="2017-09-21T17:34:21.6228748Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml20:AttributeStatement xmlns:saml20="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml20:Attribute Name="MyCompany" NameFormat="www.sp.com">
        <saml20:AttributeValue>test value</saml20:AttributeValue>
      </saml20:Attribute>
    </saml20:AttributeStatement>
  </saml2:Assertion>
</samlp2:Response>

1 个答案:

答案 0 :(得分:1)

响应中的证书应该是IDP中的证书。通过这种方式,SP可以确保IDP签署了响应,并且用户代理(或其他任何人)都没有对其进行操作。

相关问题
最新问题