如何在 php 的 SAML 2.0 SSO 的 AuthNRequest 中嵌入签名
How do I embed a signature within an AuthNRequest for SAML 2.0 SSO in php
我的 IDP 需要一个嵌入、签名和加密的 AuthNRequest,请求 url 如下所示:
http://idp.example.com/SSOService.php?SAMLRequest={val1}
带有嵌入式签名的 AuthNRequest(HTTP-POST 绑定)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
<saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
但是我的请求看起来像
http://idp.example.com/SSOService.php?SAMLRequest={val1}&Signature={val2}&SigAlg={val3}
在 OneLogin 的 [php-saml] 中,我的设置要求对消息进行签名和加密
'nameIdEncrypted' => true,
'authnRequestsSigned' => true,
'logoutRequestSigned' => true,
'logoutResponseSigned' => true,
'signMetadata' => true,
'wantMessagesSigned' => true,
'wantAssertionsSigned' => true,'wantAssertionsEncrypted' => true,
'wantNameIdEncrypted' => true,
'requestedAuthnContext' => true,
'wantXMLValidation' => true,
'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
并在 SimpleSAMLphp 中
我的 idp-remote 配置
$metadata['https:/my.idp.com/idplogin'] = array(
'name' => array(
'en' => 'my.idp.com',
'no' => 'my.idp.com',
),
'description' => 'IDP SSO',
'sign.authnrequest' => TRUE,
'sign.logout' => TRUE,
'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
'assertion.encryption' => TRUE,
'sharedkey' => 'SHAREDKEY.crt',
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-logout.php/default-sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
),
),
'SingleSignOnService' => 'https:/my.idp.com/samljct',
'redirect.sign' => TRUE,
'redirect.validate' => TRUE,
'acs.Bindings' => array(
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
),
'certFingerprint' => 'FINGERPRINTED',
'certificate' => 'SPCERTYA.crt'
);
和我的 sp 配置
$config = array(
'admin' => array(
'core:AdminPassword',
),
'default-sp' => array(
'saml:SP',
'entityID' => null,
'idp' => null,
'discoURL' => null,
'privatekey' => 'MYSTUFF.pem',
'certificate' => 'MYSTUFF.crt',
'metadata.sign.authnrequest' => TRUE,
'metadata.sign.enable' => TRUE,
'redirect.sign' => TRUE,
'redirect.validate' => TRUE,
'assertion.encryption' => TRUE,
'IsPassive' => FALSE,
'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
),
在这两种服务中,我不确定如何在 AuthNRequest 中嵌入签名?
更改 IDP 远程配置中的以下行:
'SingleSignOnService' => 'https:/my.idp.com/samljct',
至:
'SingleSignOnService' => array(
array(
'Location' => 'https:/my.idp.com/samljct',
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
),
应该可以。
我的 IDP 需要一个嵌入、签名和加密的 AuthNRequest,请求 url 如下所示:
http://idp.example.com/SSOService.php?SAMLRequest={val1}
带有嵌入式签名的 AuthNRequest(HTTP-POST 绑定)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
<saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
但是我的请求看起来像
http://idp.example.com/SSOService.php?SAMLRequest={val1}&Signature={val2}&SigAlg={val3}
在 OneLogin 的 [php-saml] 中,我的设置要求对消息进行签名和加密
'nameIdEncrypted' => true,
'authnRequestsSigned' => true,
'logoutRequestSigned' => true,
'logoutResponseSigned' => true,
'signMetadata' => true,
'wantMessagesSigned' => true,
'wantAssertionsSigned' => true,'wantAssertionsEncrypted' => true,
'wantNameIdEncrypted' => true,
'requestedAuthnContext' => true,
'wantXMLValidation' => true,
'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
并在 SimpleSAMLphp 中 我的 idp-remote 配置
$metadata['https:/my.idp.com/idplogin'] = array(
'name' => array(
'en' => 'my.idp.com',
'no' => 'my.idp.com',
),
'description' => 'IDP SSO',
'sign.authnrequest' => TRUE,
'sign.logout' => TRUE,
'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
'assertion.encryption' => TRUE,
'sharedkey' => 'SHAREDKEY.crt',
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-logout.php/default-sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
),
),
'SingleSignOnService' => 'https:/my.idp.com/samljct',
'redirect.sign' => TRUE,
'redirect.validate' => TRUE,
'acs.Bindings' => array(
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
),
'certFingerprint' => 'FINGERPRINTED',
'certificate' => 'SPCERTYA.crt'
);
和我的 sp 配置
$config = array(
'admin' => array(
'core:AdminPassword',
),
'default-sp' => array(
'saml:SP',
'entityID' => null,
'idp' => null,
'discoURL' => null,
'privatekey' => 'MYSTUFF.pem',
'certificate' => 'MYSTUFF.crt',
'metadata.sign.authnrequest' => TRUE,
'metadata.sign.enable' => TRUE,
'redirect.sign' => TRUE,
'redirect.validate' => TRUE,
'assertion.encryption' => TRUE,
'IsPassive' => FALSE,
'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
),
在这两种服务中,我不确定如何在 AuthNRequest 中嵌入签名?
更改 IDP 远程配置中的以下行:
'SingleSignOnService' => 'https:/my.idp.com/samljct',
至:
'SingleSignOnService' => array(
array(
'Location' => 'https:/my.idp.com/samljct',
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
),
应该可以。