如何生成有效的SAML声明签名?

时间:2019-10-08 11:04:46

标签: single-sign-on saml-2.0 xml-signature

我正在尝试为SAML 2.0协议构建身份提供程序。我正在使用Python 3.6开发IDP后端,并且发现了一些示例来生成SAML断言并对其进行签名。

我发现的示例生成了断言:

<saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0a2e10fb4e6245499bdb82d1e61f0d2f" IssueInstant="2019-10-07T13:40:45.611826+00:00" Version="2.0">
    <saml2:Issuer>https://alpha-id.ianum.com/SSO/SAML2/Redirect?idSamlIdp=saml_idp_2ottgAnc2sWHmAkiy6Mh</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">f.castelli@ianum.com</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="id-5d8425907fc84102b167bbaf380d5dc5" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00" Recipient="https://www.dropbox.com/saml_login"></saml2:SubjectConfirmationData>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-10-07T13:37:45.611826+00:00" NotOnOrAfter="2019-10-07T13:55:45.611826+00:00">
        <saml2:AudienceRestriction>
            <saml2:Audience>Dropbox</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-10-07T13:40:45.611826+00:00">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
</saml2:Assertion>

它会生成断言的摘要:

<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
    <ds:Reference URI="#_0a2e10fb4e6245499bdb82d1e61f0d2f">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>8+OwpT3G8PO2JsuySxMlZ3cy/Dw=</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>

然后使生成的摘要签名。我尝试使用https://www.samltool.com/validate_response.php验证响应,但显示为Signature validation failed. We have no idea about the key

您知道哪种方法可以为断言生成签名吗?

0 个答案:

没有答案
相关问题
最新问题