dtvjl64442 2014-07-03 22:35
Views: 58
Accepted

Including the Assertion Consumer Service URL in the SimpleSAMLphp request for SP-initiated SSO

Bear with me, this is my first federated identity setup. I'm using SimpleSAMLphp to make the connections.

I'm trying to set up a new application for a client who uses PingFederate. We're not storing any credentials on our side, so I believe that makes this a SP-initiated SSO request using a remote IdP (from the client). I've set up the config/authsources.php file:

'client-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'entityID' => NULL,
    'idp' => 'https://client.idp.url',
    'discoURL' => NULL,
    'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
),

And I got their metadata file and set up the metadata/saml20-idp-remote.php file:

$metadata['https://client.idp.url'] = array(
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'https://client.idp.url',
    'SingleSignOnService' => array(
        0 => array(
            'Binding' => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", 
            'Location' => "https://client.idp.url/idp/startSSO.ping?PartnerSpId=http://my.app.url",
        ),
        1 => array(
            'Binding' => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            'Location' => "https://client.idp.url/idp/startSSO.ping?PartnerSpId=http://my.app.url",
        ),
    ),
    'certData' => 'etc',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
);

We finally got it to the point where, from within the SimpleSAMLphp control panel, we could test the auth source, and it correctly redirected to their corporate login page, accepted a username and password, and redirected back...but the URL to which it redirected back was the main application URL, not SimpleSAMLphp's admin panel where it lists all the attributes returned in the SAML response. Going back over their notes from when we first set up the federation, they need us to supply the Assertion Consumer Service URL in the request for SP-initiated SSO...I think that's the only missing piece, but I'm not sure how to configure SimpleSAMLphp to do that. The expected behavior is that for any URL that requires SSO, the application would check to see if a SAML token is in the system, and if not, redirect the user to the client's login page, then back to wherever the user was trying to access before they were intercepted. I looked through the docs for SimpleSAMLphp but they seem...incomplete; for example, the only mention they seem to make for the ACS URL is in case of IdP-initiated requests. But they're also about the only name in the PHP SSO world, so I'm kinda stuck with them, for better or worse.

So my question is: whether by the ACS URL or some other means, how do I control which URL the user is redirected to once they log in through the client's SSO page?
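The redirect-back behaviour the question describes (check for a session, send the user to the IdP if there is none, then return them to the page they asked for) is controlled on the SP side, not by the ACS URL: SimpleSAMLphp advertises its own ACS endpoint in the SP metadata and AuthnRequest, and the post-login destination is the ReturnTo parameter you pass when you require authentication. The following page-protection script is an added example, not code from the question or from the SimpleSAMLphp project; it assumes the 'client-sp' auth source from the question, a SimpleSAMLphp installation under /var/simplesamlphp, and the placeholder application base URL https://my.app.url.

```php
<?php
// Added example: protect a page with the 'client-sp' auth source and return
// the user to the page they originally requested after the IdP logs them in.
// Assumption: SimpleSAMLphp is installed at /var/simplesamlphp (adjust the path).
require_once('/var/simplesamlphp/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('client-sp');

// Build the ReturnTo value from a fixed base URL plus the requested path.
// Using a configured base URL instead of the Host header, and never a
// user-supplied "next" parameter, keeps this from becoming an open redirect.
$baseUrl  = 'https://my.app.url';   // placeholder from the question
$returnTo = $baseUrl . $_SERVER['REQUEST_URI'];

if (!$as->isAuthenticated()) {
    // Sends an AuthnRequest to the IdP's SingleSignOnService. SimpleSAMLphp
    // fills in its own ACS endpoint (module.php/saml/sp/saml2-acs.php/client-sp);
    // once the assertion has been consumed there, the user is redirected to ReturnTo.
    $as->requireAuth(array('ReturnTo' => $returnTo));
    // requireAuth() does not return when it issues the redirect.
}

// Authenticated: the attributes released in the SAML assertion are available.
$attributes = $as->getAttributes();
header('Content-Type: text/plain');
foreach ($attributes as $name => $values) {
    echo $name, ': ', implode(', ', $values), "\n";
}
```

The ACS URL the client sees in the request is therefore the one from your SP metadata (module.php/saml/sp/metadata.php/client-sp), which is what they should have registered on the PingFederate side; ReturnTo is carried as SAML RelayState and only ever resolves to a page on your own application.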


1 answer

  • dongpingwu8378 2015-02-24 16:52

    The URLs for the bindings are wrong: since your client uses PingFederate, the URL should be:

    'Location' => "https://client.idp.url/idp/SSO.saml2",
    

    for both the POST as well as the Redirect binding. You should double-check that against the metadata you got from the client: if that metadata was generated automatically by PingFederate (as it should), it would not contain links to the "internal" idp/startSSO.ping endpoint but to the public SAML 2.0 endpoint /idp/SSO.saml2.

    This answer was accepted by the asker.
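A quick way to apply the answer's advice is to compare the SingleSignOnService entries you typed into saml20-idp-remote.php against the endpoints the IdP metadata actually publishes, so that a hand-copied internal endpoint is caught before a test login. This check is an added example, not part of the answer or of SimpleSAMLphp; the metadata XML inside it is a constructed sample in the shape PingFederate publishes, with the page's placeholder host names, and the configured entries are the ones from the question.

```php
<?php
// Added example: detect SingleSignOnService entries in saml20-idp-remote.php
// that disagree with the IdP's published metadata.
// Constructed sample metadata (replace with the contents of the client's real file).
$metadataXml = <<<'XML'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://client.idp.url">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://client.idp.url/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://client.idp.url/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

// The entries as configured in the question (the ones the answer says are wrong).
$configured = array(
    array('Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
          'Location' => 'https://client.idp.url/idp/startSSO.ping?PartnerSpId=http://my.app.url'),
    array('Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
          'Location' => 'https://client.idp.url/idp/startSSO.ping?PartnerSpId=http://my.app.url'),
);

/** Map binding URI => Location for every SingleSignOnService in the IDPSSODescriptor. */
function ssoEndpointsFromMetadata($xml) {
    $doc = new SimpleXMLElement($xml);
    $doc->registerXPathNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $endpoints = array();
    foreach ($doc->xpath('//md:IDPSSODescriptor/md:SingleSignOnService') as $svc) {
        $endpoints[(string) $svc['Binding']] = (string) $svc['Location'];
    }
    return $endpoints;
}

/** Return a list of mismatch descriptions; an empty list means the config agrees with the metadata. */
function compareSsoEndpoints(array $configured, array $fromMetadata) {
    $problems = array();
    foreach ($configured as $entry) {
        $binding = $entry['Binding'];
        if (!isset($fromMetadata[$binding])) {
            $problems[] = "binding $binding is configured but the IdP metadata does not offer it";
        } elseif ($fromMetadata[$binding] !== $entry['Location']) {
            $problems[] = "binding $binding: configured {$entry['Location']}, metadata says {$fromMetadata[$binding]}";
        }
    }
    return $problems;
}

$problems = compareSsoEndpoints($configured, ssoEndpointsFromMetadata($metadataXml));
echo $problems
    ? implode("\n", $problems) . "\n"
    : "SingleSignOnService configuration matches the IdP metadata\n";
```

Run against the sample above it reports both bindings as mismatched, which is exactly the situation in the question. For real deployments the metadata converter in SimpleSAMLphp's admin pages produces the saml20-idp-remote.php array directly from the IdP's XML, which avoids hand-copying endpoints in the first place.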
