
I am trying to implement SAML authentication for JupyterHub and Keycloak. I configured JupyterHub to use SAMLAuthenticator and it works fine. The user is redirected to the Keycloak login screen with a SAMLRequest, logs in, and is redirected back with a SAMLResponse.

I added an IAM identity provider using the Keycloak SAML metadata and also created a role that trusts that identity provider.

When I test it with this tool, the SAMLResponse looks fine.

When I try to call assume_role_with_saml I keep getting this error:

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException

SAML request:

<samlp:AuthnRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="b16f49bca24e490986d6616459bc102d"
        Version="2.0"
        IssueInstant="2021-05-27T05:42:25.000000Z"
        Destination="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AssertionConsumerServiceURL="https://elasticsearch-ohio-proxy.worker.io/hub/oauth_callback"
>
    <saml:Issuer>urn:amazon:webservices</saml:Issuer>
</samlp:AuthnRequest>

SAML response:

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

Trust policy:

{
  "Effect": "Allow",
  "Principal": {
    "Federated": "arn:aws:iam::1234567890:saml-provider/keyaloak-docker-ohio.worker.io"
  },
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": {
    "StringEquals": {
      "SAML:iss": "https://keyaloak-docker-ohio.worker.io/auth/realms/master"
    }
  }
}

Metadata:

<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                       Name="urn:keycloak">
    <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                         entityID="https://keyaloak-docker-ohio.worker.io/auth/realms/master">
        <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
                             protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>OpDIuce9HVmp0yPnMeBwT9HPgzYYpIxwyTwlfdmVaYc</ds:KeyName>
                    <ds:X509Data>
                        <ds:X509Certificate>
                            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
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                    Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                    Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                    Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                    Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                    Location="https://keyaloak-docker-ohio.worker.io/auth/realms/master/protocol/saml"/>
        </md:IDPSSODescriptor>
    </md:EntityDescriptor>
</md:EntitiesDescriptor>

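Added example, not part of the question and not code from JupyterHub, Keycloak or AWS: a Python pre-flight check that decodes a SAMLResponse the way STS expects it (plain base64 of the HTTP-POST form value, not raw XML, not a URL-encoded form field, and not the deflate+base64 encoding of the HTTP-Redirect binding) and then checks the assertion against the documented AssumeRoleWithSAML requirements: an Issuer equal to the trust policy's SAML:iss, an Audience of urn:amazon:webservices, a Role attribute carrying the role ARN and provider ARN pair, and a RoleSessionName attribute. The sample Response is constructed for the example and left unsigned; the role name JupyterHubUser is assumed, the account, provider ARN and issuer are taken from the question's trust policy.

```python
"""Pre-flight checks for a SAMLResponse before calling STS AssumeRoleWithSAML (added example)."""
import base64
import binascii
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Issuer and provider ARN come from the question's trust policy; the role name is assumed.
ISS = "https://keyaloak-docker-ohio.worker.io/auth/realms/master"
PROVIDER = "arn:aws:iam::1234567890:saml-provider/keyaloak-docker-ohio.worker.io"
ROLE = "arn:aws:iam::1234567890:role/JupyterHubUser"

# Constructed sample Response in the shape Keycloak emits. Unsigned for brevity;
# STS only accepts one signed with the IdP key published in the metadata.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="ID_resp" Version="2.0" IssueInstant="2021-05-27T05:42:30.000Z"
    Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>{ISS}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_assert" Version="2.0" IssueInstant="2021-05-27T05:42:30.000Z">
    <saml:Issuer>{ISS}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-05-27T05:42:00.000Z" NotOnOrAfter="2021-05-27T05:47:30.000Z">
      <saml:AudienceRestriction><saml:Audience>{AWS_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AWS_ROLE_ATTR}"><saml:AttributeValue>{ROLE},{PROVIDER}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{AWS_SESSION_ATTR}"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_for_post(xml_text: str) -> str:
    """What the HTTP-POST binding puts in the SAMLResponse form field: plain base64."""
    return base64.b64encode(xml_text.encode()).decode()


def encode_for_redirect(xml_text: str) -> str:
    """What the HTTP-Redirect binding does instead: raw deflate, then base64 (then URL-encoding)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_response(value: str) -> bytes:
    """Decode a SAMLResponse value the way STS expects it (plain base64 of the Response XML)
    and name the common mistake when it is not in that form."""
    value = "".join(value.split())  # some tools wrap the base64; whitespace is never part of it
    if value.startswith("<"):
        raise ValueError("raw XML given; STS needs the base64-encoded SAMLResponse form value")
    if "%" in value:  # copied straight out of a POST body, still form-encoded
        value = urllib.parse.unquote(value)
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if raw[:1] != b"<":
        try:
            zlib.decompress(raw, -15)
        except zlib.error:
            raise ValueError("base64 payload is neither XML nor deflate data") from None
        raise ValueError("payload is deflate-compressed (HTTP-Redirect binding); use the HTTP-POST value")
    return raw


def check_for_aws(xml_bytes: bytes, expected_issuer: str, role_arn: str, provider_arn: str) -> list:
    """Return the problems that would make STS reject this Response; empty list if none found."""
    problems = []
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion found"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} does not match trust policy SAML:iss {expected_issuer!r}")
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {AWS_AUDIENCE}")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    roles = attrs.get(AWS_ROLE_ATTR, [])
    if f"{role_arn},{provider_arn}" not in roles and f"{provider_arn},{role_arn}" not in roles:
        problems.append(f"Role attribute {roles} lacks the pair {role_arn},{provider_arn}")
    if not attrs.get(AWS_SESSION_ATTR):
        problems.append("RoleSessionName attribute missing")
    return problems


def assume_role(saml_response_b64: str, role_arn: str, provider_arn: str):
    """The live call, once the checks pass. boto3 is imported here so the checks run without it."""
    import boto3
    return boto3.client("sts").assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn, SAMLAssertion=saml_response_b64)


if __name__ == "__main__":
    good = encode_for_post(SAMPLE_RESPONSE_XML)
    print(check_for_aws(decode_saml_response(good), ISS, ROLE, PROVIDER))  # -> []
    for bad in (SAMPLE_RESPONSE_XML, encode_for_redirect(SAMPLE_RESPONSE_XML)):
        try:
            decode_saml_response(bad)
        except ValueError as err:
            print("rejected:", err)
```

Run the checks on the exact string you pass as SAMLAssertion, not on a decoded copy viewed in a browser tool. A Response that Keycloak minted for JupyterHub's AssertionConsumerServiceURL will normally carry JupyterHub's SP entity ID as its Audience and no AWS Role attribute, and the check reports both; AWS also rejects an assertion whose Issuer differs from the SAML:iss string in the trust policy, so compare the two byte for byte (scheme, host and trailing slash included).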