如何向 SAML IDP 元数据添加声明
How add claims to SAML IDP metadata
我构建了SSO集成项目,我将作为IDP身份提供者,我们的第三方将作为SP服务提供者。
我使用了这个代码https://github.com/OTA-Insight/djangosaml2idp to prepare my Idp. everything is ok and I already tested it by https://sptest.iamshowcase.com/。
但我有一个问题
我如何向这个生成的元数据添加声明,以便帮助我们的 SP 使用它?
这里是生成的元数据文件:
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
这是我的尝试,是否正确?
第一次尝试: 添加 AttributeConsumingService?但我不确定 SPSSODescriptor 标签?
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:SPSSODescriptor>
</ns0:EntityDescriptor>
第二次尝试: 或将 AttributeConsumingService 添加到 IDPSSODescriptor,如下所示?
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
注意:djangosaml2idp - 由 Django python 框架构建的用于 IDP 的 SSO SAML
感谢您的支持
RequestedAttribute 用于服务提供商 (SP) 元数据。这是 SP 了解其需要哪些属性的一种方式,受 IdP 发布这些属性的约束。 AttributeConsumingService 也是 SP 元数据的一部分。
IdP 不会宣传其包含或愿意发布的内容。那是一份只有那些实体知道的 IdP/SP 合同。
每个here都有一个例子。
我构建了SSO集成项目,我将作为IDP身份提供者,我们的第三方将作为SP服务提供者。
我使用了这个代码https://github.com/OTA-Insight/djangosaml2idp to prepare my Idp. everything is ok and I already tested it by https://sptest.iamshowcase.com/。 但我有一个问题 我如何向这个生成的元数据添加声明,以便帮助我们的 SP 使用它?
这里是生成的元数据文件:
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
这是我的尝试,是否正确?
第一次尝试: 添加 AttributeConsumingService?但我不确定 SPSSODescriptor 标签?
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:SPSSODescriptor>
</ns0:EntityDescriptor>
第二次尝试: 或将 AttributeConsumingService 添加到 IDPSSODescriptor,如下所示?
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
注意:djangosaml2idp - 由 Django python 框架构建的用于 IDP 的 SSO SAML
感谢您的支持
RequestedAttribute 用于服务提供商 (SP) 元数据。这是 SP 了解其需要哪些属性的一种方式,受 IdP 发布这些属性的约束。 AttributeConsumingService 也是 SP 元数据的一部分。
IdP 不会宣传其包含或愿意发布的内容。那是一份只有那些实体知道的 IdP/SP 合同。
每个here都有一个例子。