- 浏览: 371425 次
- 来自: www.pgp.org.cn
-
文章分类
最新评论
-
I_am_a_System:
尼玛的。严重鄙视!!!!!!!!!!!!!!!!!!!!!!! ...
java处理PNG图像(转载WikiMedia) -
iamaj2eeprogrammer:
你好,有问题要请教你。
发现GDCA USBKey(电子钥匙)的CSP数字签名实现存在缺陷 -
yingjinsheng:
标题和内容严重不符,麻烦你拷贝人家的东西,把标题也拷贝过来好 ...
java处理PNG图像(转载WikiMedia) -
510372845:
我还是不大明白,请问一下:我用的是tomcat,怎么样Impo ...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found -
chris_zcl:
你在做日记吗?不能写的详细点啊
PHP与CAS做SSO
<!----> 1 <!----> SAML<o:p></o:p>
<!----> 2 <!----> From Wikipedia, the free encyclopedia<o:p></o:p>
Jump to: navigation, search<o:p></o:p>
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.<o:p></o:p>
The single most important problem that SAML is trying to solve is the web single sign-on (SSO) problem. SSO solutions at the intranet level abound (using cookies, e.g.) but extending these solutions beyond the intranet has been problematic and has led to the proliferation of proprietary technologies that do not interoperate. SAML has become the definitive standard underlying many web SSO solutions in the identity management problem space.<o:p></o:p>
SAML assumes the principal (often a user) has enrolled with at least one identity provider. This identity provider is expected to provide local authentication services to the principal. However, SAML does not specify the implementation of these local services; indeed, SAML does not care how local authentication services are implemented (although individual service providers most certainly will).<o:p></o:p>
|
<!----> 3 <!----> Contents<o:p></o:p>
|
<o:p>
</o:p>
<!----> 4 <!----> SAML 1.0<o:p></o:p>
SAML 1.0 was adopted as an OASIS standard in Nov 2002. SAML has undergone one minor and one major revision since V1.0, which itself is a relatively simple protocol. SAML 1.0 is not just historical interest since the US Federal E-Authentication Initiative has adopted SAML 1.0 as its core technology.<o:p></o:p>
Fortunately, versions 1.0 and 1.1 of SAML are similar. See #SAMLDiff for specific differences between the two standards. This article concentrates on SAML 1.1 since it is the definitive standard on which most other standards and implementations depend.<o:p></o:p>
SAML 2.0 was approved in March 2005. SAM2.0 conformance SAML 1.1 and <st1:city w:st="on"><st1:place w:st="on">Liberty</st1:place></st1:city> alliance.<o:p></o:p>
<!----> 5 <!----> SAML 1.1<o:p></o:p>
SAML 1.1 was ratified as an OASIS standard in Sep 2003. The critical aspects of SAML 1.1 are covered in detail in the official documents #SAMLConform, #SAMLCore, and #SAMLBind. If you are new to SAML, you should probably read #SAMLOverview first.<o:p></o:p>
<!----> 6 <!----> SAML 1.1 Assertions<o:p></o:p>
SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access control decisions. Three types of statements are provided by SAML:<o:p></o:p>
- Authentication statements <o:p> </o:p>
- Attribute statements <o:p> </o:p>
- Authorization decision statements <o:p> </o:p>
Authentication statements assert to the service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. Other information about the principal may be disclosed in an authentication statement. For example, in the authentication statement below, the e-mail address of the principal is disclosed to the service provider:<o:p></o:p>
<saml:Assertion<o:p></o:p>
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"<o:p></o:p>
MajorVersion="1" MinorVersion="1"<o:p></o:p>
AssertionID="..."<o:p></o:p>
Issuer="https://idp.org/saml/"<o:p></o:p>
IssueInstant="<st1:chsdate year="2002" month="6" day="19" islunardate="False" isrocdate="False" w:st="on">2002-06-19</st1:chsdate>T17:05:37.795Z"><o:p></o:p>
<saml:Conditions <o:p></o:p>
NotBefore="<st1:chsdate year="2002" month="6" day="19" islunardate="False" isrocdate="False" w:st="on">2002-06-19</st1:chsdate>T17:00:37.795Z"<o:p></o:p>
NotOnOrAfter="<st1:chsdate year="2002" month="6" day="19" islunardate="False" isrocdate="False" w:st="on">2002-06-19</st1:chsdate>T17:10:37.795Z"/><o:p></o:p>
<saml:AuthenticationStatement<o:p></o:p>
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"<o:p></o:p>
AuthenticationInstant="<st1:chsdate year="2002" month="6" day="19" islunardate="False" isrocdate="False" w:st="on">2002-06-19</st1:chsdate>T17:05:17.706Z"><o:p></o:p>
<saml:Subject><o:p></o:p>
<saml:NameIdentifier<o:p></o:p>
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"><o:p></o:p>
user@mail.idp.org <o:p> </o:p>
</saml:NameIdentifier><o:p></o:p>
<saml:SubjectConfirmation><o:p></o:p>
<saml:ConfirmationMethod><o:p></o:p>
urn:oasis:names:tc:SAML:1.0:cm:artifact<o:p></o:p>
</saml:ConfirmationMethod><o:p></o:p>
</saml:SubjectConfirmation><o:p></o:p>
</saml:Subject><o:p></o:p>
</saml:AuthenticationStatement><o:p></o:p>
</saml:Assertion><o:p></o:p>
An e-mail address (as in the above example) will suffice in a large number of situations. In some cases, however, additional information is needed before a service provider can make an access control decision. As an example, suppose that students are allowed to access scholarships data. An attribute statement can indicate whether or not the principal has an affiliation of "student", which the service provider uses to allow or deny access (resp.) to the scholarships application:<o:p></o:p>
<saml:Assertion <o:p></o:p>
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"<o:p></o:p>
MajorVersion="1" MinorVersion="1"<o:p></o:p>
Issuer="https://idp.edu/saml/" ...><o:p></o:p>
<saml:Conditions NotBefore="..." NotAfter="..."/><o:p></o:p>
<saml:AuthenticationStatement<o:p></o:p>
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"<o:p></o:p>
AuthenticationInstant="..."><o:p></o:p>
<saml:Subject>...</saml:Subject><o:p></o:p>
</saml:AuthenticationStatement><o:p></o:p>
<saml:AttributeStatement><o:p></o:p>
<saml:Subject>...</saml:Subject><o:p></o:p>
<saml:Attribute <o:p></o:p>
AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"<o:p></o:p>
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><o:p></o:p>
<saml:AttributeValue Scope="idp.edu"><o:p></o:p>
member<o:p></o:p>
</saml:AttributeValue><o:p></o:p>
<saml:AttributeValue Scope="idp.edu"><o:p></o:p>
student<o:p></o:p>
</saml:AttributeValue><o:p></o:p>
</saml:Attribute><o:p></o:p>
</saml:AttributeStatement><o:p></o:p>
</saml:Assertion><o:p></o:p>
Attributes are often obtained from an LDAP directory, so consistent representations of attributes across security domains is crucial.<o:p></o:p>
In the above example showing how a student might obtain access to a scholarships application, the service provider is functioning as both a policy enforcement point and a policy decision point. In some situations, it may be preferable to associate the policy decision point with the identity provider. In this case, the service provider passes a URI to the identity provider who asserts an authorization decision statement that dictates whether or not the principal should be allowed access to the secured resource at the given URI.<o:p></o:p>
<saml:Assertion <o:p></o:p>
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"<o:p></o:p>
MajorVersion="1" MinorVersion="1"<o:p></o:p>
Issuer="https://idp.org/saml/" ...><o:p></o:p>
<saml:Conditions .../><o:p></o:p>
<saml:AuthorizationDecisionStatement<o:p></o:p>
Decision="Permit"<o:p></o:p>
Resource="https://sp.org/confidential_report.html"><o:p></o:p>
<saml:Action>read</saml:Action><o:p></o:p>
<saml:Subject>...</saml:Subject><o:p></o:p>
</saml:AuthorizationDecisionStatement><o:p></o:p>
</saml:Assertion><o:p></o:p>
The three statement types are not mutually exclusive. For example, both authentication statements and attribute statements may be included in a single assertion (as shown above). This precludes the need to make subsequent round trips between the service provider and identity provider.<o:p></o:p>
<!----> 7 <!----> SAML 1.1 Protocol<o:p></o:p>
The SAML protocol is a simple request-response protocol. A SAML requester sends a SAML Request element to a responder:<o:p></o:p>
<samlp:Request <o:p></o:p>
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" <o:p></o:p>
MajorVersion="1" MinorVersion="1" <o:p></o:p>
RequestID="..." <o:p></o:p>
IssueInstant="..."><o:p></o:p>
<!-- insert other SAML elements here --><o:p></o:p>
</samlp:Request><o:p></o:p>
Similarly, a SAML responder returns a SAML Response element to the requester:<o:p></o:p>
<samlp:Response<o:p></o:p>
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"<o:p></o:p>
MajorVersion="1" MinorVersion="1"<o:p></o:p>
ResponseID="..."<o:p></o:p>
InResponseTo="..."<o:p></o:p>
IssueInstant="..."><o:p></o:p>
<!-- insert other SAML elements here, including assertions --><o:p></o:p>
</samlp:Response><o:p></o:p>
The bindings and profiles needed to affect this message exchange are detailed in the following sections.<o:p></o:p>
<!----> 8 <!----> SAML 1.1 Bindings<o:p></o:p>
SAML 1.1 defines just one binding, the SAML SOAP binding. A compatible SAML 1.1 implementation must implement SAML over SOAP over HTTP (asynchronous protocol). Other transport mechanisms are permitted provided the protocol-independent aspects of the SAML SOAP binding are observed (see section <st1:chsdate year="1899" month="12" day="30" islunardate="False" isrocdate="False" w:st="on">3.1.2</st1:chsdate> of #SAMLBind).<o:p></o:p>
The SAML 1.1 SOAP binding is built on top of version 1.1 of SOAP (the numbering is purely coincidental). A SAML requester wraps a SAML Request element within the body of a SOAP message. Similarly, a SAML responder returns a SAML Response element within the body of a returned SOAP message. If there is an error, the responder returns a SOAP fault code instead.<o:p></o:p>
Any SAML markup must be included in the SOAP body. SAML 1.1 does not define any SAML-specific SOAP headers. A requester is free to insert any SOAP headers it wishes (although none are required).<o:p></o:p>
Recall that in SOAP 1.1, a SOAPAction HTTP header must be included with each HTTP request (although its value may be empty). A SAML requester may give the following value to the SOAPAction header:<o:p></o:p>
SOAPAction: http://www.oasis-open.org/committees/security<o:p></o:p>
A SAML responder must not depend on this value, however.<o:p></o:p>
A secure connection is not required for SAML requests and responses, but in those situations where message integrity and confidentiality are required, HTTP over SSL 3.0 or TLS 1.0 with a server-side certificate is required.<o:p></o:p>
A SAML responder may return a "403 Forbidden" response when it refuses to respond to a SAML requester. A responder must return a "500 Internal Server Error" response in the event of a SOAP error (a SOAP fault element must be included as well). Otherwise, a "200 OK" response is returned, even in the presence of a SAML processing error. Such a response will include a SAML Status element in the SOAP body.<o:p></o:p>
<!----> 9 <!----> SAML 1.1 Profiles<o:p></o:p>
In general, profiles describe the HTTP exchanges required to ultimately transfer assertions from an identity provider to a service provider. SAML 1.1 specifies two browser-based, single sign-on profiles:<o:p></o:p>
- Browser/Artifact Profile<o:p></o:p>
- Browser/POST Profile<o:p></o:p>
These profiles support cross-domain single sign-on (SSO). The specification does not define any additional profiles. In particular, SAML 1.1 does not support a profile to secure a web service message nor does it support a single logout profile.<o:p></o:p>
Both SAML 1.1 profiles begin at the inter-site transfer service, which is managed by the identity provider. How the principal arrives at the transfer service in the first place is not dictated by the specification. See sections 4.1 and 4.2 of #SAMLOverview for possible scenarios. In practice, a client accessing a secured resource at a service provider will be redirected to the inter-site transfer service at the identity provider. Note, however, that the precise sequence of steps needed to accomplish this is not outlined by SAML 1.1. (See section 4.3 of #SAMLOverview for some rough ideas along these lines.) This issue is thoroughly addressed in SAML 2.0.<o:p></o:p>
After visiting the inter-site transfer service, the principal is transferred to the assertion consumer service at the service provider. Exactly how the principal is transferred from the inter-site transfer service to the assertion consumer service depends on the profile used. In the case of the Browser/Artifact Profile, a redirect is used; in the case of the Browser/POST Profile, the client issues a POST request (with or without user intervention).<o:p></o:p>
To expedite processing by the assertion consumer service, two separate URLs are specified:<o:p></o:p>
- Artifact Receiver URL (Browser/Artifact Profile)<o:p></o:p>
- Assertion Consumer URL (Browser/POST Profile)<o:p></o:p>
These and other URLs may be recorded in a SAML metadata archive.<o:p></o:p>
Note that a conforming SAML 1.1 identity provider must provide an inter-site transfer service. Similarly, a SAML 1.1 service provider must provide an assertion consumer service.<o:p></o:p>
SAML 1.1 Browser/Artifact Profile<o:p></o:p>
The Browser/Artifact Profile employs a "pull" mechanism. The profile essentially passes an SSO assertion from the identity provider to the service provider by reference, which is subsequently dereferenced via a back-channel exchange (i.e., the service provider "pulls" the assertion from the identity provider).<o:p></o:p>
The SAML 1.1 Browser/Artifact Profile specifies the following six (6) steps:<o:p></o:p>
1) Request the Inter-site Transfer Service<o:p></o:p>
The principal (user) requests the inter-site transfer service at the identity provider:<o:p></o:p>
https://idp.org/saml/TransferService?TARGET=target<o:p></o:p>
where target is the location of the desired resource at the service provider, say, https://www.sp.org/home. In other words, the following GET request is issued by the client:<o:p></o:p>
GET /saml/TransferService?TARGET=target HTTP/1.1<o:p></o:p>
Host: idp.org<o:p></o:p>
The profile does not specify how the URL to the transfer service (with target parameter) is obtained by the client.<o:p></o:p>
2) Redirect to the Assertion Consumer Service<o:p></o:p>
The principal is redirected to the assertion consumer service at the service provider; that is, the following response is returned to the client:<o:p></o:p>
HTTP/1.1 302 Found<o:p></o:p>
Location: https://sp.org/saml/ACS/Artifact?TARGET=target&SAMLart=artifact<o:p></o:p>
where artifact is a reference to an assertion the identity provider is willing to provide upon request. Important: It is assumed that the principal has already established a security context at the identity provider, otherwise the identity provider would not be able to subsequently assert the authenticity of the principal.<o:p></o:p>
3) Request the Assertion Consumer Service<o:p></o:p>
The client requests the assertion consumer service at the service provider:<o:p></o:p>
https://sp.org/saml/ACS/Artifact?TARGET=target&SAMLart=artifact<o:p></o:p>
where target and artifact are as before. In other words, the following GET request is issued by the client:<o:p></o:p>
GET /saml/ACS/Artifact?TARGET=target&SAMLart=artifact HTTP/1.1<o:p></o:p>
Host: sp.org<o:p></o:p>
4) Request the Artifact Resolution Service<o:p></o:p>
The assertion consumer service at the service provider begins a back-channel exchange with the artifact resolution service at the identity provider. The following SAML SOAP message is bound to an HTTP POST request:<o:p></o:p>
POST /saml/ArtifactResolutionService HTTP/1.1<o:p></o:p>
Host: idp.org<o:p></o:p>
Content-Type: text/xml<o:p></o:p>
Content-Length: nnn<o:p></o:p>
SOAPAction: http://www.oasis-open.org/committees/security
<!---->
<!----><o:p></o:p>
<?xml version="1.0"?><o:p></o:p>
<SOAP-ENV:Envelope<o:p></o:p>
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><o:p></o:p>
<SOAP-ENV:Header/><o:p></o:p>
<SOAP-ENV:Body><o:p></o:p>
<samlp:Request <o:p></o:p>
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" <o:p></o:p>
MajorVersion="1" MinorVersion="1" <o:p></o:p>
RequestID="_192.168.16.51.1024506224022" <o:p></o:p>
IssueInstant="<st1:chsdate year="2002" month="6" day="19" islunardate="False" isrocdate="False" w:st="on">2002-06-19</st1:chsdate>T17:03:44.022Z"><o:p></o:p>
<samlp:AssertionArtifact><o:p></o:p>
artifact <o:p> </o:p>
</samlp:AssertionArtifact><o:p></o:p>
</samlp:Request><o:p></o:p>
</SOAP-ENV:Body><o:p></o:p>
</SOAP-ENV:Envelope><o:p></o:p>
where artifact was previously sent from the identity provider to the service provider in steps 2 and 3.<o:p></o:p>
5) Respond with a SAML Assertion<o:p></o:p>
The artifact resolution service at the identity provider completes the back-channel exchange by responding with a SAML assertion:<o:p></o:p>
HTTP/1.1 200 OK<o:p></o:p>
Content-Type: text/xml<o:p></o:p>
Content-Length: nnnn
<!---->
<!----><o:p></o:p>
<?xml version="1.0"?><o:p></o:p>
<SOAP-ENV:Envelope<o:p></o:p>
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><o:p></o:p>
<SOAP-ENV:Header/><o:p></o:p>
<SOAP-ENV:Body><o:p></o:p>
<samlp:Response<o:p></o:p>
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"<o:p></o:p>
MajorVersion="1" MinorVersion="1"<o:p></o:p>
ResponseID="_P1YaA+Q/wSM/t/8E3R8rNhcpPTM="<o:p></o:p>
InResponseTo="_192.168.16.51.1024506224022"<o:p></o:p>
IssueInstant="<st1:chsdate year="2002" month="6" day="19" islunardate="False" isrocdate="False" w:st="on">2002-06-19</st1:chsdate>T17:05:37.795Z"><o:p></o:p>
<samlp:Status><o:p></o:p>
<samlp:StatusCode Value="samlp:Success"/><o:p></o:p>
</samlp:Status><o:p></o:p>
<!-- insert Assertion element here --> <o:p> </o:p>
</samlp:Response><o:p></o:p>
</SOAP-ENV:Body><o:p></o:p>
</SOAP-ENV:Envelope><o:p></o:p>
where the Assertion element was discussed earlier.<o:p></o:p>
6) Respond to the Principal's Original Request<o:p></o:p>
The assertion consumer service inspects the SAML Response element returned by the artifact resolution service, creates a security context at the service provider and redirects the client to the target resource.<o:p></o:p>
SAML 1.1 Browser/POST Profile<o:p></o:p>
发表评论
相关推荐
wikipedia SAML2.0
1、什么是SAML 2、SAML标准&协议 3、SAML2.0特性分析 4、SAML:集中身份管理的秘诀 5、SAML:企业级的IdP 6、SAML:IdP和SP用户存储库 7、XML安全:使用SAML确保可移植的信任 8、揭开SAML的神秘面纱 9、安全地共享...
SAML profile
OpenSAML-ref-project-demo-v3 这一个使用...项目启动之后,访问如下网址: http://localhost:8080/webprofile-ref-project/app/appservlet 这是一个SP的模拟,第一次访问该网址时将会跳转到IDP,进行认证流程。
SAML是OASIS制定的一种安全性断言标记语言,它用于在复杂的环境下交换用户的身份识别信息。在SAML诞生之前,如果想在Websphere、Weblogic和SunONE等之间实现SSO,我们必须分别实现一个适配层,来达成一种相互理解的...
里边是saml所需要的jar包,包括sp和idp端均可使用,核心jar包为open-saml
你能提供一个断言, 别人能不能假冒你提供一个断言从而骗取服务端的信任呢? 另外服务端为什么会信任你给的断言呢? 这就涉及到安全的问题了。为了防止断言被假冒,篡改。saml中加入了安全措施。 当然现今能抵御...
基于SAML 2.0 SSO单点登录,包括VS2005,VS2008,VS2010。...client发送saml请求---sso响应验证client是否可信任---可信响应saml----加密saml---发送到client---client解密成功--验证信息是否有效----有效----登录成功
Jboss 平台中的SAML和XACML集成说明。
php-saml, PHP简单的SAML工具包 onelogin工具包的SAML 使用这个库向你的PHP软件添加SAML支持。 忘记那些复杂的库并使用OneLogin公司提供和支持的开源库。警告警告更新php到 2.10.4,这个版本包含一个与 logoutreque
Example code for a saml client in Java using org.opensaml.
SAML2.0资料,轻松实现SSO
SAML2.0协议翻译 其实就是把维基百科英文版搞成了中文
简介 安全是所有Web项目在设计时都要考虑的一个重要因素。...SSO不仅仅用于Web应用程序,它可用于任何类型的应用程序,只要有安全地传送身份信息的协议。这种通信方式的开放标准就是安全性断言标记语言(SAML)。
spring-boot-security-saml, Spring Security saml与 Spring Boot的集成 spring-boot-security-saml这个项目在处理 spring-security-saml 和 Spring Boot 之间的平滑集成的同时,在处理内部的配置的gritty和锅炉板的...
Laravel开发-laravel-saml 基于OneLogin工具包的用于作为SP(服务提供商)的SAML2集成的Laravel包
SAML2.0核心协议规范 saml-core-2.0-os
WordPress简单SAML 易于使用的WordPress单点登录(SSO)SAML集成插件,具有多站点/多网络...设定将插件文件复制到wp-content/plugins目录激活插件转到。 将服务提供者元数据URL(或内容)发送给您的身份提供者授权(I
SAML文档详细介绍.pdf 比较系统的中文介绍文档。
saml第三方资料.rar