Apache如何知道SAML响应已通过身份验证

时间:2018-07-09 20:01:06

标签: apache saml okta simplesamlphp

我是Apache和SAML的新手。我的my_app_httpd.conf文件具有以下配置,该文件将未经身份验证的请求重定向到可以正常工作的OKTA。

<Location />
ErrorDocument 401 "/simplesaml/module.php/core/authenticate.php?as=default-sp"
</Location>

但是在进行身份验证后,如果收到SAML响应,则apache无法理解,它将再次重定向到同一URL进行身份验证。这会导致不确定的循环。

任何人都可以告诉我如何设置apache配置,以便它了解OKTA已验证请求,并且应允许访问网页。

下面是响应SAML。

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
             Destination="http://10.184.10.216/nagios"
             ID="id3356034041494549348655095"
             InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
             IssueInstant="2018-07-09T19:31:46.388Z"
             Version="2.0"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
              >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#id3356034041494549348655095">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                            PrefixList="xs"
                                            />
                </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>D6hXy7yCw4MpfQjE+vcACd3WedArnDr7d4jFjEt5yvw=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>hidden</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>hidden</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="id33560340415149882013321527"
                 IssueInstant="2018-07-09T19:31:46.388Z"
                 Version="2.0"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >http://www.okta.com/exkfgc14a31f6JWtQ0h7</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id33560340415149882013321527">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>6dGcam+MkWY7/0LWUEoV7U40u/Qb7694fnbwERfTEhE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>hidden</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>hiddendata</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">emailofuser</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                                           NotOnOrAfter="2018-07-09T19:36:46.388Z"
                                           Recipient="http://10.184.10.216/nagios"
                                           />
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-07-09T19:26:46.388Z"
                      NotOnOrAfter="2018-07-09T19:36:46.388Z"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >
        <saml2:AudienceRestriction>
            <saml2:Audience>http://10.184.10.216/nagios/</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-07-09T19:31:46.388Z"
                          SessionIndex="_f9c91306b7eb6162db46c5e24ed72f3632b17cc392"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="FirstName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >username</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >Nataliya</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="Email"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >emailofuser</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

1 个答案:

答案 0 :(得分:1)

SimpleSAMLphp通常在您的应用程序中用作对用户进行身份验证的库-它不是apache模块。您可以使用SSP的AuthMemCookie模块来允许Apache使用SSP存储的会话数据。