SAMLv2 SP-initiated: one Service Provider and multiple Identity Providers
I need to use one Service Provider with multiple identity providers (IdPs). Each IdP is connected to the SP by using a subdomain, i.e. http://subdomain1.mysite.com connects to idp1, http://subdomain2.mysite.com connects to idp2, etc. Then my Assertion Consumer Service URL looks like this: https://mysite.com/SAML/AssertionConsumerService.aspx.
The problem is I need to know what IdP the response is coming from in the AssertionConsumerService.aspx code so I can load in the right certificate. I've tried the issuer, response destination, and other means with no luck.
Does anyone know a good way to differentiate between IdPs from the response, and/or best practices? Or is there a standard way to do this?
I'm using http://www.componentspace.com/Products/SAMLv20.aspx
Comments (2)
In our system, we have an entity that represents the client (we call it a "service domain") and require that the client identify that entity by name either as the Issuer element value or the Issuer SPProvidedID attribute value. SAML configuration on our end (SP) is associated with that "service domain" entity, including, for instance, the public key certificate for verifying their digital signature.
I'd say using the Issuer value is more appropriate than trying to key off subdomains.
As you have noticed, if you have the same ACS URL for all IDPs, then the Destination will always be the same in the Assertion.
Each IDP should (must?) have its own unique Issuer at the very least if they also each have their own public cert they are signing with. In my experience, PingFederate and other servers ensure it is loading the correct configuration information when validating a Response. Not sure why Issuer wouldn't work for you in this situation as well.
You can get into situations where "different" IDPs from the same company may be sending you Responses with the same Issuer and different DSIG certs and AttributeStatements but that should not really happen in most cases.
HTH
Ian