如何使用 XSL 转换从 SAML 响应中获取数据?
How to get Data from SAML Response using XSL Transformation?
我正在尝试使用 Azure AD 作为身份提供者(从现在开始是 IdP)在我们的企业软件上启用 SAML 单点登录服务。
不断得到
HTTP 错误:500
访问问题.../myhost/client/SAML2/POST。原因:
Cannot create authentication master data from: ...
<root>
<party isgroup="0" isactive="1" isvisible="1" issystem="0" auth_extern="2" auth_standard="0" sync_extern="0" login="[NameID]" count_invalid_logins="0" display_name="[USER DISPLAY NAME]" name="[USER_LAST_NAME]" firstname="USER_FIRST_NAME" locale="[LANG_CODE]" email="[USER_EMAIL]" main_role="[ROLE]" main_domain="[CENSHARE_DOMAIN]" main_domain2="[CENSHARE_2ND_DOMAIN]" expiry_date="2019-11-29T19:38:55.528Z">
<party_role role="userrole" domain="[CENSHARE_DOMAIN]" domain2="[CENSHARE_2ND_DOMAIN]" enabled="1"/>
</party>
</root>
由于我收到了 IdP 的回复,看来我没有正确映射数据。这几天一直困扰着我,我找不到解决方案。
来自 AAD 的 SAML 响应:
<Assertion ID="_787xe00" IssueInstant="2019-10-30T19:50:32.912Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
https://sts.windows.net/178x117/
</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_7877x7e00">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
Sx7lGM=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ca1+K4aeUV07UJsA9TjChAaj6rKAsYU92ZsRWrlwvbeMpGXptyQBXfUJII1azvqNgtv4Cdqom+hZhdblablaCDmQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
blablaP9dHmv+Mzhe9i5wjs
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
boxx@xxxx.at //DATA THAT I WANT TO CATCH FOR STARTERS
</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_46e00b1831xbb0a43a" NotOnOrAfter="2019-10-30T19:55:32.912Z" Recipient="https://myhost/client/SAML2/POST"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-10-30T19:45:32.896Z" NotOnOrAfter="2019-10-30T20:50:32.896Z">
<AudienceRestriction>
<Audience>
https://myhost/client/client
</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>
1784x931fe8117
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>
3e33xaf0
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>
Borislav
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>
https://sts.windows.net/1784xfe8117/
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>
Borislav
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>
M
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>
borisxxxx@xxxxxx.at
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>
borisxxxxx@xxxxx.at
</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2019-10-30T16:29:23.770Z" SessionIndex="_7877x00">
<AuthnContext>
<AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
这是我的 XSL 转换
<xsl:stylesheet version="2.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
exclude-result-prefixes="#all" >
<xsl:template match="saml:Assertion">
//**** Do i need some params here to fetch the data? ****
<root>
<party isgroup="0"
isactive="1"
isvisible="1"
issystem="0"
auth_extern="2"
auth_standard="0"
sync_extern="0"
login="[USER NAMEID]" ---!!!!-- think that this is problematic
count_invalid_logins="0"
display_name="[USER DISPLAY NAME]"
name="[USER_LAST_NAME]"
firstname="USER_FIRST_NAME"
locale="[LANG_CODE]"
email="[USER_EMAIL]"
main_role="[ROLE]"
main_domain="[OUR_DOMAIN]" main_domain2="[OUR_2ND_DOMAIN]">
<xsl:attribute name="expiry_date"
select="xs:dateTime(current-dateTime())
+ xs:dayTimeDuration('P30D')"/>
<party_role role="userrole"
domain="[OUR_DOMAIN]"
domain2="[OUR_2ND_DOMAIN]"
enabled="1"/>
</party>
</root>
</xsl:template>
</xsl:stylesheet>
我做错了什么?
我出于明显的原因更改了数据 :) 提前致谢。
因为我没有得到答案,所以我尽力自己找出答案:)
答案很简单:在模板匹配之后的代码片段中,我们需要根据需要添加变量,使用 XPath 表达式获取数据,然后在转换中使用相同的变量。示例:
<xsl:variable name="user-name-id" select="saml:Subject/saml:NameID"/>
然后像调用任何其他变量一样调用它:
login="{$user-name-id}"
我们只需要遵循 SAML 断言中 XML 结构的路径。
我正在尝试使用 Azure AD 作为身份提供者(从现在开始是 IdP)在我们的企业软件上启用 SAML 单点登录服务。 不断得到 HTTP 错误:500 访问问题.../myhost/client/SAML2/POST。原因:
Cannot create authentication master data from: ...
<root>
<party isgroup="0" isactive="1" isvisible="1" issystem="0" auth_extern="2" auth_standard="0" sync_extern="0" login="[NameID]" count_invalid_logins="0" display_name="[USER DISPLAY NAME]" name="[USER_LAST_NAME]" firstname="USER_FIRST_NAME" locale="[LANG_CODE]" email="[USER_EMAIL]" main_role="[ROLE]" main_domain="[CENSHARE_DOMAIN]" main_domain2="[CENSHARE_2ND_DOMAIN]" expiry_date="2019-11-29T19:38:55.528Z">
<party_role role="userrole" domain="[CENSHARE_DOMAIN]" domain2="[CENSHARE_2ND_DOMAIN]" enabled="1"/>
</party>
</root>
由于我收到了 IdP 的回复,看来我没有正确映射数据。这几天一直困扰着我,我找不到解决方案。 来自 AAD 的 SAML 响应:
<Assertion ID="_787xe00" IssueInstant="2019-10-30T19:50:32.912Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
https://sts.windows.net/178x117/
</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_7877x7e00">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
Sx7lGM=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ca1+K4aeUV07UJsA9TjChAaj6rKAsYU92ZsRWrlwvbeMpGXptyQBXfUJII1azvqNgtv4Cdqom+hZhdblablaCDmQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
blablaP9dHmv+Mzhe9i5wjs
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
boxx@xxxx.at //DATA THAT I WANT TO CATCH FOR STARTERS
</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_46e00b1831xbb0a43a" NotOnOrAfter="2019-10-30T19:55:32.912Z" Recipient="https://myhost/client/SAML2/POST"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-10-30T19:45:32.896Z" NotOnOrAfter="2019-10-30T20:50:32.896Z">
<AudienceRestriction>
<Audience>
https://myhost/client/client
</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>
1784x931fe8117
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>
3e33xaf0
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>
Borislav
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>
https://sts.windows.net/1784xfe8117/
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>
Borislav
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>
M
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>
borisxxxx@xxxxxx.at
</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>
borisxxxxx@xxxxx.at
</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2019-10-30T16:29:23.770Z" SessionIndex="_7877x00">
<AuthnContext>
<AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
这是我的 XSL 转换
<xsl:stylesheet version="2.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
exclude-result-prefixes="#all" >
<xsl:template match="saml:Assertion">
//**** Do i need some params here to fetch the data? ****
<root>
<party isgroup="0"
isactive="1"
isvisible="1"
issystem="0"
auth_extern="2"
auth_standard="0"
sync_extern="0"
login="[USER NAMEID]" ---!!!!-- think that this is problematic
count_invalid_logins="0"
display_name="[USER DISPLAY NAME]"
name="[USER_LAST_NAME]"
firstname="USER_FIRST_NAME"
locale="[LANG_CODE]"
email="[USER_EMAIL]"
main_role="[ROLE]"
main_domain="[OUR_DOMAIN]" main_domain2="[OUR_2ND_DOMAIN]">
<xsl:attribute name="expiry_date"
select="xs:dateTime(current-dateTime())
+ xs:dayTimeDuration('P30D')"/>
<party_role role="userrole"
domain="[OUR_DOMAIN]"
domain2="[OUR_2ND_DOMAIN]"
enabled="1"/>
</party>
</root>
</xsl:template>
</xsl:stylesheet>
我做错了什么? 我出于明显的原因更改了数据 :) 提前致谢。
因为我没有得到答案,所以我尽力自己找出答案:)
答案很简单:在模板匹配之后的代码片段中,我们需要根据需要添加变量,使用 XPath 表达式获取数据,然后在转换中使用相同的变量。示例:
<xsl:variable name="user-name-id" select="saml:Subject/saml:NameID"/>
然后像调用任何其他变量一样调用它:
login="{$user-name-id}"
我们只需要遵循 SAML 断言中 XML 结构的路径。