Single sign on: how do I connect an SP to an IdP on a local domain?

Tags: single-sign-on, adfs, simplesamlphp

I am trying to configure SimpleSAMLphp using the FederationMetadata.xml file generated by an AD FS 2.0 server (you can see part of it below; I have replaced the middle part of the domain with the word "domain").

Since our web application is not on their network, it cannot see machines on the .local domain. I don't know ADFS and SAML very well, but I assumed the IdP endpoints had to be reachable by the SP. However, the IdP's technical contact keeps saying that we only need this file and that it doesn't matter that the SP is outside the network.

Is there something I'm missing here? Can the IdP and SP communicate using this metadata?

<EntityDescriptor ID="**ID**" entityID="http://adfs2.domain.local/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="**URI**">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>**digest**</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>**signature**</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
            <X509Certificate>**cert**</X509Certificate>
        </X509Data>
    </KeyInfo>
</ds:Signature>
<RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="adfs2.domain.local" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
                <X509Certificate>**cert**</X509Certificate>
            </X509Data>
        </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesRequested>
        <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
            <auth:DisplayName>E-Mail Address</auth:DisplayName>
            <auth:Description>The e-mail address of the user</auth:Description>
        </auth:ClaimType>
        <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
            <auth:DisplayName>Given Name</auth:DisplayName>
            <auth:Description>The given name of the user</auth:Description>
        </auth:ClaimType>

        ...

    </fed:ClaimTypesRequested>
    <fed:TargetScopes>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/ls/</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://adfs2.domain.local/adfs/services/trust</Address>
        </EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
        </EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/ls/</Address>
        </EndpointReference>
    </fed:PassiveRequestorEndpoint>
</RoleDescriptor>
</EntityDescriptor>

Your SP and their IdP don't need to communicate at all. Once the metadata has been exchanged, trust is established between the SP and the IdP. SAML places no requirements on how metadata is exchanged. Some people do it by e-mail, some publish it on a web server, others generate it dynamically on their IdP or SP, and some just give you the data values (certificates, endpoints, etc.) and let you build the metadata yourself.

What matters is that the user logging in can reach both the SP and the IdP. The most common SAML profile is one where the SP redirects the user's browser to the IdP, and after login the IdP has the browser post back to the SP.


SAML also has other, less commonly used profiles that require SP-to-IdP communication. In your case the IdP does not support those profiles.

The metadata provided is not SAMLv2 metadata at all; it is WS-Federation metadata. That is a completely different technology.
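One way to check both points above yourself, as an added example (not code from the question, from SimpleSAMLphp or from AD FS): parse the metadata, classify it as SAML 2.0 or WS-Federation by which descriptors it carries, and list the endpoints the user's browser gets redirected to. The sample document is constructed to mirror the shape of the one posted, and the ".local" hostname check is a heuristic assumed here.

```python
"""Inspect an IdP's federation metadata: is it SAML 2.0 or WS-Federation,
and which endpoints must the user's browser (not the SP) be able to reach?
Added example for this thread, not part of SimpleSAMLphp or AD FS; the
sample document below is constructed to mirror the shape of the one posted."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"   # used by both SAML 2.0 and WS-Fed metadata
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
WSA = "http://www.w3.org/2005/08/addressing"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
WSFED_ROLES = ("ApplicationServiceType", "SecurityTokenServiceType")


def inspect_metadata(xml_text):
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "kind": "unknown", "browser_endpoints": []}
    # SAML 2.0 Web Browser SSO: an IDPSSODescriptor carrying SingleSignOnService endpoints.
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        info["kind"] = "saml2"
        for ep in idp.iter(f"{{{MD}}}SingleSignOnService"):
            info["browser_endpoints"].append(ep.get("Location"))
    # WS-Federation passive requestor profile: a fed:* RoleDescriptor whose
    # PassiveRequestorEndpoint is where the browser is redirected, not the SP.
    for role in root.iter(f"{{{MD}}}RoleDescriptor"):
        if not role.get(f"{{{XSI}}}type", "").endswith(WSFED_ROLES):
            continue
        if info["kind"] == "unknown":
            info["kind"] = "ws-federation"
        for ep in role.iter(f"{{{FED}}}PassiveRequestorEndpoint"):
            for addr in ep.iter(f"{{{WSA}}}Address"):
                info["browser_endpoints"].append(addr.text.strip())
    # Heuristic (assumption): a ".local" hostname only resolves inside that
    # network, so an external user's browser cannot complete the redirect login.
    hosts = [urlparse(u).hostname for u in info["browser_endpoints"]]
    info["non_public_hosts"] = sorted({h for h in hosts if h and h.endswith(".local")})
    return info


# Constructed sample: WS-Federation-only metadata like the one in the question.
SAMPLE_WSFED = f"""<EntityDescriptor entityID="http://adfs2.domain.local/adfs/services/trust"
  xmlns="{MD}" xmlns:xsi="{XSI}" xmlns:fed="{FED}">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="{WSA}"><Address>https://adfs2.domain.local/adfs/ls/</Address></EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_WSFED))
```

Run against the real FederationMetadata.xml, a "ws-federation" result with only ".local" hosts means there is no SAML 2.0 SSO endpoint for SimpleSAMLphp to use and no endpoint an outside user's browser could reach.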