How do I embed a signature within an AuthNRequest for SAML 2.0 SSO in php

浪子不回头ぞ submitted on 2020-01-07 03:24:10

Question


My IDP requires an AuthNRequest with an embedded signature, signed and encrypted, where the request URL looks like this:

http://idp.example.com/SSOService.php?SAMLRequest={val1}

AuthNRequest with embedded signature (HTTP-POST binding)

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

However my requests look like

http://idp.example.com/SSOService.php?SAMLRequest={val1}&Signature={val2}&SigAlg={val3}

In OneLogin's php-saml, my settings require the message to be signed and encrypted:

'nameIdEncrypted' => true,
'authnRequestsSigned' => true,
'logoutRequestSigned' => true,
'logoutResponseSigned' => true,
'signMetadata' => true,
'wantMessagesSigned' => true,
'wantAssertionsSigned' => true,
'wantAssertionsEncrypted' => true,
'wantNameIdEncrypted' => true,
'requestedAuthnContext' => true,
'wantXMLValidation' => true,
'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',

and in SimpleSAMLphp my idp-remote config:

$metadata['https:/my.idp.com/idplogin'] = array(
        'name' => array(
                'en' => 'my.idp.com',
                'no' => 'my.idp.com',
        ),
        'description'          => 'IDP SSO',
        'sign.authnrequest' => TRUE,
        'sign.logout' => TRUE,
        'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
        'assertion.encryption' => TRUE,
        'sharedkey' => 'SHAREDKEY.crt',
        'SingleLogoutService' => array(
                0 => array(
                        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                        'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-logout.php/default-sp',
                ),
        ),
        'AssertionConsumerService' => array(
                0 => array(
                        'index' => 0,
                        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                        'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp',
                ),
                1 => array(
                        'index' => 1,
                        'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
                        'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp',
                ),
                2 => array(
                        'index' => 2,
                        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
                        'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp',
                ),
                3 => array(
                        'index' => 3,
                        'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
                        'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
                ),
        ),
        'SingleSignOnService' => 'https:/my.idp.com/samljct',
        'redirect.sign' => TRUE,
        'redirect.validate' => TRUE,
        'acs.Bindings' => array(
                'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
        ),
        'certFingerprint'      => 'FINGERPRINTED',
        'certificate'          => 'SPCERTYA.crt'
);

and my SP config:

$config = array(
    'admin' => array(
        'core:AdminPassword',
    ),
    'default-sp' => array(
        'saml:SP',
        'entityID' => null,
        'idp' => null,
        'discoURL' => null,
        'privatekey' => 'MYSTUFF.pem',
        'certificate' => 'MYSTUFF.crt',
        'metadata.sign.authnrequest' => TRUE,
        'metadata.sign.enable' => TRUE,
        'redirect.sign' => TRUE,
        'redirect.validate' => TRUE,
        'assertion.encryption' => TRUE,
        'IsPassive' => FALSE,
        'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
    ),
);

In both of these services I'm unsure how to embed the signature within the AuthNRequest.


Answer 1:


Changing the following line in the IDP remote config:

'SingleSignOnService' => 'https:/my.idp.com/samljct',

to:

'SingleSignOnService' => array(
   array(
        'Location' => 'https:/my.idp.com/samljct',
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    ),
),

should work.
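An added diagnostic, not from the question, the answer, SimpleSAMLphp or php-saml: it tells the two shapes discussed above apart (signature riding as query parameters versus a ds:Signature enveloped in the XML) and checks that an embedded signature is structurally bound to the request. The sample request is constructed from the question's example; the check is structural only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Constructed sample, trimmed from the question's HTTP-POST AuthnRequest.
SAMPLE_POST_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" IssueInstant="2014-07-16T23:52:45Z">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""

def redirect_binding_params(url):
    """'detached' when Signature/SigAlg ride as query parameters (HTTP-Redirect
    style), 'embedded' when only SAMLRequest is present, None if no request."""
    q = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in q:
        return None
    return "detached" if "Signature" in q and "SigAlg" in q else "embedded"

def check_embedded_signature(xml_text):
    """Return findings for an AuthnRequest that should carry an enveloped
    ds:Signature; an empty list means the structure is sound."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return ["no embedded ds:Signature (signature is not in the message)"]
    findings = []
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    # The Reference must point at the request's own ID, or the signature
    # covers nothing that ties it to this AuthnRequest.
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        findings.append("Reference URI does not point at the AuthnRequest ID")
    transforms = [t.get("Algorithm") for t in
                  sig.findall("ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in transforms:
        findings.append("enveloped-signature transform missing")
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm", "") if method is not None else ""
    if alg.endswith("sha1"):  # SHA-1 is deprecated for XML signatures
        findings.append("SignatureMethod uses SHA-1 (%s); prefer rsa-sha256" % alg)
    if sig.find("ds:SignatureValue", NS) is None:
        findings.append("SignatureValue missing")
    return findings
```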



Source: https://stackoverflow.com/questions/32406699/how-do-i-embed-a-signature-within-an-authnrequest-for-saml-2-0-sso-in-php
