1

我们是服务提供商,正在尝试使用SAML2库实施 SP 发起的 SSO。我有以下问题

  1. 当最终用户尝试访问受保护的 SP 应用程序/资源时,SP 端点应如何识别应将身份验证请求重定向到哪个 IDP?

  2. 是否有任何标准格式可以接受来自 IDP 用户的首次/初始请求?

  3. 在将请求重定向到 IDP 时,向 IDP 发送响应的标准格式是什么?

我们的技术栈: asp .net(4.5) MVC、C# 和SAML2 Sustainsys 库

我们的客户(在 SSO 术语中是 IDP-Identify provider)正在使用: 在 Azure AD 上由 SP 发起的 SAML

使用SAML2库,我实现了 IDP 发起的 SSO,其中 IDP 通过 SAML 响应达到我们的终点,我们正在使用 IDP 证书验证它并提取属性等

所以对于SP发起的我得到了关注,

[Route("RequestAccess")]
[HttpPost]     
public ActionResult InitialRequest()
{
   // How to Identify user and its IDP url?
   // What should be the return type? (To redirect user to IDP)
}

// 验证后,IDP 可以访问我们现有的端点,该端点验证断言并重定向用户。我实现了这部分,并且在 IDP 启动设置的情况下运行良好。

[Route("AssertionConsumer")]
[HttpPost]
public ActionResult ValidateIdpRequest()
{
   var options = Saml2Controller.Options; //Coming from config
   CommandResult result = CommandFactory.GetCommand(CommandFactory.AcsCommandName)
                                     .Run(Request.ToHttpRequestData(),options);
string userName = result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
//Set the cooking in response
//Return
}

我错过了什么?欢迎任何建议/问题。

对于 SP 发起的场景,我在网上找到的所有内容都没有示例或解释清楚。

4

1 回答 1

0

  1. That problem is called "home realm discovery". Somehow the user much choose. Sometimes that is done by presenting a list of Idps that the user can chose from. Sometimes it is done by giving different URLs to different user (e.g. customerX.myservice.com) where each customerX subdomain maps to a specific Idp. The Sustainsys.Saml2 library has support for the SAML2 discovery service standard to handle this.

  2. You're using the low-level Sustainsys.Saml2 library yourself, which gives you a lot of things to handle yourself. It is not meant to be used directly. Use the Sustainsys.Saml2.Owin or Sustainsys.Saml2.Mvc high-level library instead. It will do the redirect and handle the returned result for you.

  3. See 2.

于 2019-01-10T08:10:51.483 回答