Single sign-on: how to connect an SP to an IdP on a local domain?

Tags: single-sign-on, adfs, simplesamlphp

I am trying to configure SimpleSAMLphp using the FederationMetadata.xml file generated by an AD FS 2.0 server (you can see part of it below; I have replaced the middle part of the domain with the word "domain"). Since our web application is not on their network, it cannot see machines on the .local domain. I don't know much about ADFS and SAML, but I would think the IdP endpoints must be accessible to the SP. However, the IdP's technical contact keeps saying that we only need this file and that it does not matter that the SP is outside the network. Is there something I'm missing here? Can the IdP and SP communicate using this metadata?
<EntityDescriptor ID="**ID**" entityID="http://adfs2.domain.local/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="**URI**">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>**digest**</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>**signature**</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>**cert**</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="adfs2.domain.local" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>**cert**</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<fed:ClaimTypesRequested>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
<auth:DisplayName>E-Mail Address</auth:DisplayName>
<auth:Description>The e-mail address of the user</auth:Description>
</auth:ClaimType>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
<auth:DisplayName>Given Name</auth:DisplayName>
<auth:Description>The given name of the user</auth:Description>
</auth:ClaimType>
...
</fed:ClaimTypesRequested>
<fed:TargetScopes>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
</EndpointReference>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address>
</EndpointReference>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address>
</EndpointReference>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address>
</EndpointReference>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://adfs2.domain.local/adfs/ls/</Address>
</EndpointReference>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://adfs2.domain.local/adfs/services/trust</Address>
</EndpointReference>
</fed:TargetScopes>
<fed:ApplicationServiceEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
</EndpointReference>
</fed:ApplicationServiceEndpoint>
<fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://adfs2.domain.local/adfs/ls/</Address>
</EndpointReference>
</fed:PassiveRequestorEndpoint>
</RoleDescriptor>
</EntityDescriptor>
Your SP and its IdP do not need to communicate at all. Once the metadata has been exchanged, trust is established between the SP and its IdP. SAML has no requirement on how the metadata is exchanged. Some people do it by e-mail, some publish it on a web server, others generate it dynamically on their IdP or SP, and some just give you the data values (certificates, endpoints, etc.) and let you build the metadata yourself.

What matters is that the user who logs in can reach both the SP and the IdP. The most common SAML profile has the SP redirect the user's browser to the IdP and then, after login, the IdP makes the browser post back to the SP.

SAML also has other, less frequently used profiles that require SP-to-IdP communication. In your case, the IdP does not support those profiles. The metadata provided is not SAMLv2 metadata at all, but WS-Federation metadata. That is a completely different technology.
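Added here as a worked example, not part of the question or the answer and not SimpleSAMLphp's own code: a small Python checker that parses a federation metadata document like the one in the question and reports which roles it declares (a SAML 2.0 IDPSSODescriptor versus WS-Federation RoleDescriptor entries), which endpoints a user's browser would be redirected to, and whether those endpoints sit on hosts such as .local names that only resolve inside the IdP's network. The embedded sample is a constructed, trimmed copy of the question's metadata with placeholder certificate values; the function and key names are my own.

```python
"""Inspect federation metadata: which roles it declares, which endpoints the
user's browser must reach, and whether those hosts look non-public."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: a trimmed copy of the question's metadata with a
# placeholder certificate value. Not a real ADFS export.
SAMPLE_METADATA = """<EntityDescriptor ID="_1" entityID="http://adfs2.domain.local/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>PLACEHOLDER_CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://adfs2.domain.local/adfs/ls/</Address></EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def inspect_metadata(xml_text):
    """Return a summary dict of roles, browser-facing endpoints and keys found
    in an EntityDescriptor document (hypothetical helper for this example)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor: %s" % root.tag)

    summary = {
        "entity_id": root.get("entityID"),
        # An enveloped XML signature would be a direct ds:Signature child.
        "signed": root.find("ds:Signature", NS) is not None,
        "certificates": len(root.findall(".//ds:X509Certificate", NS)),
        # SimpleSAMLphp's SAML 2.0 IdP configuration is built from this role.
        "saml2_idp_role": root.find("md:IDPSSODescriptor", NS) is not None,
        "wsfed_roles": [],
        "browser_endpoints": [],
        "nonpublic_hosts": [],
    }

    # WS-Federation roles appear as generic RoleDescriptor elements whose
    # xsi:type is e.g. fed:ApplicationServiceType and whose protocol list
    # names the wsfed namespace.
    xsi_type = "{%s}type" % NS["xsi"]
    for role in root.findall("md:RoleDescriptor", NS):
        rtype = role.get(xsi_type, "")
        protocols = role.get("protocolSupportEnumeration", "")
        if NS["fed"] in protocols:
            summary["wsfed_roles"].append(rtype.split(":")[-1])
        # The passive requestor endpoint is where a browser is redirected;
        # the WS-Trust endpoints are for active clients, not browsers.
        path = "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address"
        for addr in role.findall(path, NS):
            url = (addr.text or "").strip()
            if url and url not in summary["browser_endpoints"]:
                summary["browser_endpoints"].append(url)

    # For a SAML 2.0 IdP the SingleSignOnService location plays the same role.
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        url = sso.get("Location")
        if url and url not in summary["browser_endpoints"]:
            summary["browser_endpoints"].append(url)

    # Hosts under .local (or without any dot) only resolve on the IdP's own
    # network; every user who signs in must be able to reach them.
    for url in summary["browser_endpoints"]:
        host = urlparse(url).hostname or ""
        if host.endswith(".local") or "." not in host:
            summary["nonpublic_hosts"].append(host)
    return summary


if __name__ == "__main__":
    for key, value in inspect_metadata(SAMPLE_METADATA).items():
        print("%-18s %s" % (key + ":", value))
```

Run against the sample it reports no IDPSSODescriptor, one WS-Federation ApplicationServiceType role, a single browser-facing endpoint at https://adfs2.domain.local/adfs/ls/, and flags adfs2.domain.local as a host that only the IdP's internal users can resolve. The SP itself never needs to contact that host; the check is about the browsers of the people who will log in.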