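Configuring SiteMinder as an AWS Cognito user pool identity provider using SAML2

Time: 2019-10-23 21:10:40

Tags: metadata saml-2.0 siteminder aws-userpools

When Cognito sends the SAMLREQUEST to the IdP, the request does not contain all the information the IdP expects.

The SP is sending the following request: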

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="assertionURL" Destination="destinaUrl" ID="_a4b38e68-8e69-4a5d-927b-01e16da92ca7" IssueInstant="2019-10-23T15:14:36.339Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:blah:blah</saml2:Issuer>
</saml2p:AuthnRequest>

However, through manual testing, the following SAMLREQUEST works:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://uat-marley.auth.us-east-1.amazoncognito.com/saml2/idpresponse" Destination="https://ssofed-qa.metlife.com/affwebservices/public/saml2sso?SPID=urn:amazon:cognito:sp:us-east-1_k4dn6EP6k" ID="_a4b38e68-8e69-4a5d-927b-01e16da92ca7" IssueInstant="2019-10-23T15:14:36.339Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:amazon:cognito:sp:us-east-1_k4dn6EP6k</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
</saml2p:AuthnRequest>

The only difference is this line:

<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>

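Since the AWS userpools identity federation configuration only requires the IdP metadata to integrate with IdPs, I assume I need to adjust the metadata to change the SAMLREQUEST to include the NamePolicyId element.

I have been using this document to try different elements: http://www.datypic.com/sc/saml2/s-saml-schema-metadata-2.0.xsd.html

I have also been using this site to build the metadata: https://www.samltool.com/idp_metadata.php

Also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-integrating-3rd-party-saml-providers.html

Sample IdP metadata: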

<EntityDescriptor ID="SM172d8336f5cde29cebbfed3478bc49c5ee3f72a813a3" entityID="urn:entity:id" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <IDPSSODescriptor WantAuthnRequestsSigned="true" ID="SM1d149b29837b56846f0e9a85ae92be6449ffd58ef1e" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo Id="myid" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509IssuerSerial>
                        <X509IssuerName>
              issuer info
                        </X509IssuerName>
                        <X509SerialNumber>
                            number
                        </X509SerialNumber>
                    </X509IssuerSerial>
                    <X509Certificate>
          some cert
                    </X509Certificate>
                    <X509SubjectName>
          relevant info
                    </X509SubjectName>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="redirect url" />
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="post url" />
    </IDPSSODescriptor>
</EntityDescriptor>

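I would like to know how to adjust the IdP's metadata so that Cognito knows to send this <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/> in the SAMLREQUEST.

Thanks for any help, I have been struggling with this for a while.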

0 answers:

No answers
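
The comparison described in the question above can be automated. This added example is not part of the original post and is not AWS or SiteMinder code; it decodes a SAMLRequest from the HTTP-Redirect binding and reports which AuthnRequest fields differ between two requests. The sample requests, their URLs and issuer are constructed placeholders, and the function names are illustrative.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def encode_redirect(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (URL-encoding omitted)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

def decode_redirect(b64: str, limit: int = 65536) -> bytes:
    """Reverse encode_redirect, refusing output larger than `limit` bytes."""
    d = zlib.decompressobj(-15)
    out = d.decompress(base64.b64decode(b64), limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("SAMLRequest truncated or larger than limit")
    return out

def summarize(xml_bytes: bytes) -> dict:
    """Extract Issuer, ACS URL, Destination and NameIDPolicy from an AuthnRequest."""
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages carry no DTD; reject entity tricks
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    policy = root.find("samlp:NameIDPolicy", NS)
    return {"issuer": issuer,
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "destination": root.get("Destination"),
            "name_id_policy": None if policy is None else dict(policy.attrib)}

def diff(a: dict, b: dict) -> dict:
    """Fields whose values differ, as {field: (a_value, b_value)}."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed sample requests (placeholder URLs and issuer, not the page's values).
POLICY = ('<saml2p:NameIDPolicy AllowCreate="true" '
          'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>')

def sample(policy: str = "") -> bytes:
    return ('<saml2p:AuthnRequest xmlns:saml2p="%s" xmlns:saml2="%s" Version="2.0" '
            'ID="_constructed" Destination="https://idp.example/sso" '
            'AssertionConsumerServiceURL="https://sp.example/saml2/idpresponse">'
            '<saml2:Issuer>urn:example:sp</saml2:Issuer>%s</saml2p:AuthnRequest>'
            % (NS["samlp"], NS["saml"], policy)).encode()

if __name__ == "__main__":
    sent = summarize(decode_redirect(encode_redirect(sample())))
    print(diff(sent, summarize(sample(POLICY))))
```

For a SAMLRequest captured from a browser redirect, URL-decode the query parameter first and pass the result to `decode_redirect`.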