SimpleSamlPHP (SP) 和 OKTA (IdP)
SimpleSamlPHP (SP) & OKTA (IdP)
我的本地计算机上有一个 Web 应用程序:https://test.staging.me
这是 PHP (cakephp) 应用程序。
我安装了 SimpleSamlPHP 并将其配置为服务提供商 (SP)。
我根据指令创建了一些测试:https://simplesamlphp.org/docs/stable/simplesamlphp-sp
我对 openidp.feide.no 的测试成功了。
但是我对 OKTA 有疑问。我为此创建了 "Test App Cakephp" 并分配了人员并配置了 SimpleSamlPHP。
但是登录后我得到了这个 SAML(没有用户属性):
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" ID="id12087736095048056708868080" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id12087736095048056708868080">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>pU2jLhg9A4w97r8NVnBKl3IQZLE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>VPDveGXR0s0aL87FHcwlgox2jpF8Ka68+35u5sAwtNPu6YGLeHBZXMM0VJBGubXaP43p7U/bOCEDN28Unvdu+r7nsPayg7KRJtEBG5IPS0aHAsAVvFWCNKwbj/F3V+mNfjj6tyCYxfUv0VzGYFx74sR4jyatwMWM0C8Tn5/
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id120877360951785121155512781" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id120877360951785121155512781">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lob8Do3NlCm0YApUEdGks7Lvj5g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cxCVxow1zv7/C9fyG3n8FqXLNUCx6J3WMzZSB7oOQhBCWt1x+EmkB/Hh3l1AajeCRe50uCZlSfy5eN1kpLQPy1oqyTH/i08cdnzeb94eMh06JRpljSrGFBRyNz7RfoHSs13v8R3PEweDsM0XIUhfX3oL2JpGm7yxwcm/+UZpI2eq
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJv
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test1@my_domain.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2015-04-07T15:54:27.571Z" Recipient="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-04-07T15:44:27.571Z" NotOnOrAfter="2015-04-07T15:54:27.571Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AudienceRestriction>
<saml2:Audience>https://test.staging.me/simplesamlphp/module.php/saml/sp/metadata.php/okta-sp</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2015-04-07T15:49:27.571Z" SessionIndex="id1428421767571.740119289" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
为了方便起见,我切断了 "ds:SignatureValue" 和 "ds:X509Certificate" 字段。
我的问题:为什么我收不到用户的属性?
谢谢 )
Okta 默认情况下不会在 <saml2:AttributeStatement> 中发送任何属性。要配置可选的属性语句,请查看 Configuring the Okta Template SAML 2.0 App。您可以发送的五个标准 Okta 配置文件属性是名字、姓氏、电子邮件和 Okta 用户名。
对于要包含在来自 Okta 的 SAMLResponse 中的用户名字和姓氏:
<saml2:AttributeStatement>
<saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Thomas</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kirk</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
您必须配置 Okta SAML 2.0 应用以包含以下属性声明:
FirstName|${user.firstName},LastName|${user.lastName}
除了标准的 Okta 配置文件属性(名字、姓氏、电子邮件和 Okta 用户名)之外,您还可以use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories。
我的本地计算机上有一个 Web 应用程序:https://test.staging.me
这是 PHP (cakephp) 应用程序。
我安装了 SimpleSamlPHP 并将其配置为服务提供商 (SP)。 我根据指令创建了一些测试:https://simplesamlphp.org/docs/stable/simplesamlphp-sp 我对 openidp.feide.no 的测试成功了。
但是我对 OKTA 有疑问。我为此创建了 "Test App Cakephp" 并分配了人员并配置了 SimpleSamlPHP。
但是登录后我得到了这个 SAML(没有用户属性):
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" ID="id12087736095048056708868080" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id12087736095048056708868080">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>pU2jLhg9A4w97r8NVnBKl3IQZLE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>VPDveGXR0s0aL87FHcwlgox2jpF8Ka68+35u5sAwtNPu6YGLeHBZXMM0VJBGubXaP43p7U/bOCEDN28Unvdu+r7nsPayg7KRJtEBG5IPS0aHAsAVvFWCNKwbj/F3V+mNfjj6tyCYxfUv0VzGYFx74sR4jyatwMWM0C8Tn5/
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id120877360951785121155512781" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id120877360951785121155512781">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lob8Do3NlCm0YApUEdGks7Lvj5g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cxCVxow1zv7/C9fyG3n8FqXLNUCx6J3WMzZSB7oOQhBCWt1x+EmkB/Hh3l1AajeCRe50uCZlSfy5eN1kpLQPy1oqyTH/i08cdnzeb94eMh06JRpljSrGFBRyNz7RfoHSs13v8R3PEweDsM0XIUhfX3oL2JpGm7yxwcm/+UZpI2eq
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJv
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test1@my_domain.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2015-04-07T15:54:27.571Z" Recipient="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-04-07T15:44:27.571Z" NotOnOrAfter="2015-04-07T15:54:27.571Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AudienceRestriction>
<saml2:Audience>https://test.staging.me/simplesamlphp/module.php/saml/sp/metadata.php/okta-sp</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2015-04-07T15:49:27.571Z" SessionIndex="id1428421767571.740119289" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
为了方便起见,我切断了 "ds:SignatureValue" 和 "ds:X509Certificate" 字段。
我的问题:为什么我收不到用户的属性? 谢谢 )
Okta 默认情况下不会在 <saml2:AttributeStatement> 中发送任何属性。要配置可选的属性语句,请查看 Configuring the Okta Template SAML 2.0 App。您可以发送的五个标准 Okta 配置文件属性是名字、姓氏、电子邮件和 Okta 用户名。
对于要包含在来自 Okta 的 SAMLResponse 中的用户名字和姓氏:
<saml2:AttributeStatement>
<saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Thomas</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kirk</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
您必须配置 Okta SAML 2.0 应用以包含以下属性声明:
FirstName|${user.firstName},LastName|${user.lastName}
除了标准的 Okta 配置文件属性(名字、姓氏、电子邮件和 Okta 用户名)之外,您还可以use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories。