为 OpenAM 编写 SAML2 AuthnRequest

发布于 2024-12-11 07:23:22 字数 2210 浏览 0 评论 0原文

我正在尝试为 OpenAM 编写 SAML2 AuthnRequest。我有一个可以执行 get 操作的 URL，但在将其写入 XHTML post 表单时遇到问题。

带有查询字符串的工作 URL 是

http://internal.authhost.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=%2FMYRealm%2Fidp&am p;spEntityID=https%3A%2F%2Fsaml.salesforce.com&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST&RelayState=webj_captureCustomerDetails

我的 html 表单如下所示：

<form action="http://internal.authhost.com:8080/opensso/idpssoinit" method="post" target="new">
  <input type="text" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmV..."></input>
  <input type="text" name="RelayState" value="webj_captureCustomerDetails"></input>
  <input type="submit"/>
</form>

SAMLRequest 的值是 Base 64 编码表示形式

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d7607d551380ac97853a6ff4907c4ef01219be97dd" Version="2.0"
    IssueInstant="2008-05-27T07:46:06Z" ForceAuthn="true" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://cs4.salesforce.com/?saml=lkjhkljhkljhkjhlkjh"
    ProviderName="https://saml.salesforce.com">
    <saml:Issuer>https://saml.salesforce.com</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        AllowCreate="true"/>
</samlp:AuthnRequest>

发出此表单会导致来自 OpenAM 的错误消息，指出“服务提供商 ID 为空”

我可以立即看到 XML 不包含 metaAlias=/ MYRealm/idp 参数，但消息表明它也找不到 spEntityID=https://saml.salesforce.com 参数。

请告知需要在 XML 中的何处指定这两个属性（metaAlias 和 spEntityID）。

指定 OpenAM COT / IdP 配置如何映射 SAML AuthnRequest 消息的链接也将受到赞赏。

原文

I am trying to compose a SAML2 AuthnRequest for OpenAM. I have a URL that I can perform a get against that works, but am having problems composing this into the XHTML post form.

The working URL with query string is

http://internal.authhost.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=%2FMYRealm%2Fidp&spEntityID=https%3A%2F%2Fsaml.salesforce.com&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST&RelayState=webj_captureCustomerDetails

My html form looks like:

<form action="http://internal.authhost.com:8080/opensso/idpssoinit" method="post" target="new">
  <input type="text" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmV..."></input>
  <input type="text" name="RelayState" value="webj_captureCustomerDetails"></input>
  <input type="submit"/>
</form>

with the value of SAMLRequest being the Base 64 encoded representation of

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d7607d551380ac97853a6ff4907c4ef01219be97dd" Version="2.0"
    IssueInstant="2008-05-27T07:46:06Z" ForceAuthn="true" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://cs4.salesforce.com/?saml=lkjhkljhkljhkjhlkjh"
    ProviderName="https://saml.salesforce.com">
    <saml:Issuer>https://saml.salesforce.com</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        AllowCreate="true"/>
</samlp:AuthnRequest>

Issuing this form results in an error message from OpenAM stating "Service Provider ID is null"

I can immediately see that the XML does not contain the metaAlias=/MYRealm/idp argument, but the message suggests that it cannot find the spEntityID=https://saml.salesforce.com argument either.

Please advise on where these two properties (metaAlias and spEntityID) need to be specified in the XML.

A link to somewhere specifying how OpenAM COT / IdP configuration maps against SAML AuthnRequest message would also be appreciated.

分享到QQ

分享到微博