SAML redirect

Time: 2018-04-18 08:30:51

Tags: authentication saml

We have a SAML situation. We are the service provider, and it is SP-initiated. We have 2 websites: a landing SP site and the actual SP site. The landing SP site has only a landing page, which links to the actual SP site. The requirement is that both the landing SP site and the actual SP site use one IDP site (in the most natural way, as one would expect). So the following requirements should be met.

  1. If the user initiates a request to the landing SP site and, assuming the user is already authenticated, then clicks the link in the landing SP site to the actual SP site, the user token should be validated. We could custom-code this, but would prefer to restrict ourselves to the SAML protocol setup. Please let me know how this can be done within a SAML setup. What configuration can be done on the IDP and the actual SP site to achieve this?

  2. If the user reaches the actual SP site via the link from the landing SP site and, after authenticating at the IDP, bookmarks the actual SP site's URL, logs out (session ends) and then logs in at the IDP again, how will the IDP send the user directly to the actual SP site (when only the landing SP site can be mentioned as the SP in the IDP)? Is there a way to tell the IDP a second IDP URL (the actual SP site)? I saw AssertionConsumerURL and Audience in the metadata as close matches for handling this, but I see problems with both. AssertionConsumerURL supports only one URL, and Audience needs a condition; how would you write a condition for this case?

1 answer:

Answer 0: (score: 2)

I run a federated system of 20,000+ SAML IDPs and a number of related websites, as well as working with various identity management standards committees.

My answer is assuming you are working in a federated environment where you will be providing the SAML metadata for your system to another party that runs an IDP.

To communicate to IDPs that you have multiple endpoints as the same entity, you will want to include both AssertionConsumerService URLs in your entity's SAML metadata. See SAML 2.0 - Multiple AssertionConsumerService in SP and line 748 http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf .

Audience is a slightly different thing to check. To implement SAML securely against various attacks, the IDP will use the audience to communicate the parties to which the user is being authenticated. See http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf §4.1.4.2 and §4.1.4.3 for the use of the audience value. https://fusionsecurity.blogspot.com/2011/08/5-minutes-or-less-on-saml-audiences.html seems a reasonable gloss.

SP-initiated means the user begins the flow at the SP. I'm going to give some examples because I'm not certain your requirements of a second landing page are entirely necessary.

Assume an application at https://example.com/. The landing page at https://example.com/ does not require any authentication and has a "login" link. There are pages at, say, https://example.com/catalog/[ID], which can be viewed by unauthenticated users AND authenticated users (also with "login" button when not authenticated). Finally there are pages at https://example.com/profile/[ID] that can only be accessed by authenticated users.

For authentication, define one ACS: https://example.com/acs.html .

I'll add here that we expect a customer to have multiple IDPs -- educational institutions and hospitals and federal agencies often support users from different sources. We have a "WAYF" or "Where are you from?" page that allows a user to select an IDP if the customer has multiple IDPs.

The "ideal" flow starts with a user at the landing page, moving to a catalog page, eventually logging in, and then visiting a profile. However, they may bookmark a profile.

When the user follows that bookmark to a page that requires authentication, the code initiates a SAML request to the IDP (going through the WAYF if needed) and saves state so that when the user is returned to the ACS with a successful authentication, they can be returned to the profile page.

This is discussed at §4.1.5 Usability: https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management .

I think this addresses your questions although my example considers the landing page part of the same website. I'm a little unclear as to your separate website requirement.
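As an added example (not part of the question or the answer above, and not any product's code), here are the pieces the answer describes, in Python using only the standard library: SP metadata that advertises two AssertionConsumerService endpoints under a single entityID (one per site), an AuthnRequest that names the ACS it wants the Response delivered to via AssertionConsumerServiceIndex, server-side state so that a bookmarked page can be restored after the ACS, and the Audience, InResponseTo, Destination and StatusCode checks an ACS performs. The hostnames, the entityID and the IdP are assumptions; the IdP Response is constructed and unsigned. Verifying the XML signature against the IdP's metadata certificate comes before every check shown here and is out of scope for this snippet.

```python
"""Added example: one SP entity, two ACS endpoints, and the checks at the ACS.
Everything named here (hosts, entityID, IdP) is an assumption for illustration."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for prefix, uri in (("md", MD), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

ENTITY_ID = "https://example.com/sp"       # assumed: ONE entityID shared by both sites
ACS = {                                    # assumed hosts: index -> (Location, isDefault)
    0: ("https://landing.example.com/acs", True),
    1: ("https://app.example.com/acs", False),
}
_pending = {}   # server-side login state: RelayState token -> request details


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sp_metadata() -> str:
    """One EntityDescriptor with an AssertionConsumerService per site (metadata spec line 748)."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=ENTITY_ID)
    sso = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                        protocolSupportEnumeration=SAMLP,
                        AuthnRequestsSigned="true", WantAssertionsSigned="true")
    for index, (location, default) in ACS.items():
        ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService",
                      Binding=HTTP_POST, Location=location,
                      index=str(index), isDefault=str(default).lower())
    return ET.tostring(root, encoding="unicode")


def _same_site(url: str) -> bool:
    """Only ever redirect back to our own HTTPS hosts (no open redirect via return_to)."""
    p = urlsplit(url)
    return p.scheme == "https" and any(p.netloc == urlsplit(loc).netloc for loc, _ in ACS.values())


def start_login(return_to: str, acs_index: int):
    """Build an AuthnRequest asking for the Response at ACS `acs_index` and remember
    where to send the user afterwards. Returns (request_xml, relay_state, request_id)."""
    if not _same_site(return_to):
        raise ValueError("refusing to remember an off-site return URL")
    request_id = "_" + secrets.token_hex(16)   # xs:ID must not start with a digit
    relay = secrets.token_urlsafe(16)           # opaque token; the real URL stays server-side
    _pending[relay] = {"id": request_id, "acs": acs_index, "return_to": return_to}
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id, Version="2.0",
                     IssueInstant=_now(), AssertionConsumerServiceIndex=str(acs_index))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = ENTITY_ID
    return ET.tostring(req, encoding="unicode"), relay, request_id


def consume_response(response_xml: str, relay: str, received_at: str) -> str:
    """ACS handler. Assumes the XML signature was already verified.
    Returns the URL to redirect the user to, or raises ValueError."""
    state = _pending.pop(relay, None)           # one-shot: a replayed RelayState fails
    if state is None:
        raise ValueError("unknown or already-used RelayState")
    if received_at != ACS[state["acs"]][0]:
        raise ValueError("Response arrived at a different ACS than requested")
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != state["id"]:
        raise ValueError("InResponseTo does not match our AuthnRequest ID")
    if resp.get("Destination") != received_at:
        raise ValueError("Destination does not name this ACS")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    # Audience is the entityID, shared by both sites, so no per-site condition is needed
    audiences = [a.text for a in resp.iter(f"{{{SAML}}}Audience")]
    if ENTITY_ID not in audiences:
        raise ValueError(f"assertion audience {audiences} is not {ENTITY_ID}")
    return state["return_to"]


def constructed_idp_response(in_response_to: str, destination: str, audience: str) -> str:
    """CONSTRUCTED, UNSIGNED sample Response standing in for a real IdP (assumed issuer)."""
    issuer = "https://idp.example.org/idp"
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(8), Version="2.0",
                      IssueInstant=_now(), InResponseTo=in_response_to, Destination=destination)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(8),
                              Version="2.0", IssueInstant=_now())
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    conditions = ET.SubElement(assertion, f"{{{SAML}}}Conditions")
    restriction = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = audience
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(sp_metadata())
    # A bookmarked profile on the actual site: request ACS index 1, restore the page after login
    _, relay, rid = start_login("https://app.example.com/profile/42", 1)
    sample = constructed_idp_response(rid, ACS[1][0], ENTITY_ID)
    print("redirect to", consume_response(sample, relay, ACS[1][0]))
```

The point of keeping the bookmarked URL server-side and handing the IdP only an opaque RelayState is twofold: the IdP sees no user-specific URL, and the ACS cannot be tricked into redirecting to an attacker's host, since the stored URL was checked against our own hosts before the AuthnRequest left. Popping the state on first use also means a captured Response plus RelayState cannot be replayed through the same endpoint.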