I am learning SAML, and I am not sure how the SOAP binding works.
For the Redirect and POST bindings it is clear that the SP talks to the IdP through the browser, so the IdP can show a login screen when necessary.
But the SOAP binding does not go through the browser: the SP can simply send an HTTP request containing a SOAP request to the IdP. If the IdP then finds that there is no valid user session, how can it show a login screen for the user to enter a username and password?
Or am I missing something?
Authentication is out of scope of the SAML spec. However, what SAML Profile are you looking at? Is this for Web SSO or something else? For Web SSO, SOAP is only used with the HTTP Artifact binding, which means you would either be resolving the AuthnRequest (IdP calling the SP) or retrieving the Response (SP calling the IdP). The Artifact is sent either via POST or Redirect, while resolution of the message (AuthnRequest or Response) is done via back-channel SOAP. So the browser (HTTP client) is always involved with Web SSO, and it is simple for the IdP to authenticate the user via some browser-friendly technology (username/password HTML form, two-factor strong auth, X.509 certs, etc.).
You can find an example in the SAML Bindings:
POST /SamlService HTTP/1.1
Host: www.example.com
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_2"
Version="2.0"
IssueInstant="2004-12-05T09:22:04Z"
Destination="https://idp.example.org/SAML2/ArtifactResolution">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
<samlp:Artifact>artifact</samlp:Artifact>
</samlp:ArtifactResolve>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The syntax might not be exact. Just something to give an idea.
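The back-channel exchange described above, as an added example (not from the original answer or the SAML spec): it encodes and checks a SAML 2.0 type 0x0004 artifact, builds the samlp:ArtifactResolve SOAP envelope on the SP side, and validates its Destination on the IdP side. The IdP entityID https://idp.example.org/SAML2 is an assumption; the SP entityID and resolution endpoint are the ones in the example above.

```python
import base64, hashlib, os, struct
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("SOAP-ENV", SOAP_ENV), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

def source_id(entity_id):
    """SourceID of a SAML 2.0 type-0x0004 artifact: SHA-1 of the issuer's entityID."""
    return hashlib.sha1(entity_id.encode()).digest()

def make_artifact(issuer_entity_id, endpoint_index=0, handle=None):
    """TypeCode(2) + EndpointIndex(2) + SourceID(20) + MessageHandle(20), base64-encoded."""
    handle = handle if handle is not None else os.urandom(20)
    raw = struct.pack(">HH", 0x0004, endpoint_index) + source_id(issuer_entity_id) + handle
    return base64.b64encode(raw).decode()

def parse_artifact(artifact, expected_issuer):
    """Decode an artifact; reject it unless its SourceID matches the issuer we expect.
    Returns (endpoint_index, message_handle)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("type-0x0004 artifact must be exactly 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError(f"unsupported artifact type {type_code:#06x}")
    if raw[4:24] != source_id(expected_issuer):
        raise ValueError("SourceID does not match the expected issuer")
    return endpoint_index, raw[24:]

def build_artifact_resolve(sp_entity_id, idp_endpoint, artifact, request_id, issue_instant):
    """SP side: wrap the artifact in samlp:ArtifactResolve inside a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    ar = ET.SubElement(body, f"{{{SAMLP}}}ArtifactResolve", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": idp_endpoint})
    ET.SubElement(ar, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(ar, f"{{{SAMLP}}}Artifact").text = artifact
    return ET.tostring(env, encoding="unicode")

def parse_artifact_resolve(xml_text, my_endpoint):
    """IdP side: require the request to be addressed to this endpoint; return (issuer, artifact).
    Authenticating the SP (mutual TLS or an XML signature) is left out of this example."""
    root = ET.fromstring(xml_text)
    ar = root.find(f"{{{SOAP_ENV}}}Body/{{{SAMLP}}}ArtifactResolve")
    if ar is None or ar.get("Destination") != my_endpoint:
        raise ValueError("missing ArtifactResolve or wrong Destination")
    return ar.findtext(f"{{{SAML}}}Issuer"), ar.findtext(f"{{{SAMLP}}}Artifact")
```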
How the IdP chooses to authenticate the user is outside the scope of SAML. If you are looking for an example, perhaps a native application shows the user a dialog asking them to authenticate. Perhaps the IdP sends you a text message through an SMS gateway and you have to reply to it in some way. The sky is the limit.