SAML Request - Declaring Multiple Protocol Bindings
I have implemented a SAML Service Provider to support Single Sign On for an ASP.Net web portal, which is shrink-wrap software configured on clients' sites and must be able to interact with any SAML-compliant Identity Provider.
My Assertion Consumer Service (ACS) page will accept the SAML Response through both GET and POST methods.
As I understand the SAML protocol, the SAML Request ProtocolBinding property specifies which protocols are supported for the response. Currently, my request specifies the HTTP-Redirect binding. However, I would like to declare that I support both HTTP-Redirect (GET) and HTTP-POST (POST). After searching through more SAML documentation than I care to reiterate, I am unable to find the syntax for declaring multiple supported protocol bindings (or whether it is even valid to do so).
While I could make this declaration configurable, my preference would be to declare both bindings so that the Identity Provider will work without additional configuration of my portal.
Below is a sample of my Authentication Request. Please, if anyone knows a way to declare both HTTP-Redirect AND HTTP-POST for the ProtocolBinding, I would greatly appreciate your input!
<?xml version="1.0" encoding="utf-8"?>
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="[AUTHN_ID]"
    Version="2.0"
    IssueInstant="[ISSUE_INSTANT]"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    ProviderName="[PROVIDER_NAME]"
    AssertionConsumerServiceURL="[ACS_URL]">
  <!-- Issuer text kept free of surrounding whitespace: IdPs compare it to the registered entity ID verbatim -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PortalEntityID</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
Thanks in advance to anyone who can help!
Comments (2)
The ProtocolBinding attribute on AuthnRequest is used to specify the expected binding to be used by the IdP when sending their SAML Response XML. HTTP-Redirect isn't a valid option to use here, because of the possible length restriction on the URL query string; a SAML Response, especially if it's signed, can be pretty lengthy. I'll quote from the SAML spec [SAMLProf]:
After considerable research, it seems that you can only declare one Protocol Binding in a single SAML request.
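As an added example (not code from the question or either answer), the following Python sketch shows the practical consequence of the two answers: the SP declares exactly one ProtocolBinding, HTTP-POST, in its AuthnRequest, and its ACS honours a Response only on that binding instead of also accepting GET. The issuer value is the one from the question; the ACS URL, the sample Response and the function names are assumptions constructed for this example.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Bindings the ACS honours for a <samlp:Response>; HTTP-Redirect is deliberately absent.
RESPONSE_BINDINGS = {HTTP_POST}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(issuer, acs_url, binding=HTTP_POST):
    """Serialise an AuthnRequest that declares exactly one ProtocolBinding."""
    if binding not in RESPONSE_BINDINGS:
        raise ValueError(f"unsupported response binding: {binding}")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": binding,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "AllowCreate": "true",
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    })
    return ET.tostring(req, encoding="unicode")

def declared_binding(authn_request_xml):
    """Return the ProtocolBinding URN an AuthnRequest carries (None if absent)."""
    return ET.fromstring(authn_request_xml).get("ProtocolBinding")

def acs_accepts(method, params):
    """ACS gate: honour only the binding declared in our AuthnRequest.
    A SAMLResponse arriving on GET (HTTP-Redirect) is rejected before decoding."""
    if method != "POST" or not params.get("SAMLResponse"):
        return False
    try:  # HTTP-POST carries plain base64 XML (no DEFLATE, unlike Redirect)
        root = ET.fromstring(base64.b64decode(params["SAMLResponse"], validate=True))
    except (ValueError, ET.ParseError):
        return False
    return root.tag == f"{{{SAMLP}}}Response"

# Constructed sample: a minimal (unsigned) Response as an IdP would POST it.
SAMPLE_RESPONSE_B64 = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_r1" Version="2.0"/>').decode()
```

Signature and InResponseTo checks on the decoded Response are left out here; the gate only shows that the binding accepted at the ACS is the one the request declared.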