1. 首頁
  2. 問答
  3. SimpleSamlPHP(SP)和1563(IDP)

SimpleSamlPHP(SP)和1563(IDP)

2015-04-07 98 views
1

我有我的本地計算機上的Web應用程序:https://test.staging.meSimpleSamlPHP(SP)和1563(IDP)

這是PHP(CakePHP的)應用程序。

我安裝了SimpleSamlPHP並將其配置爲服務提供程序(SP)。 我從指令創建了一些測試:https://simplesamlphp.org/docs/stable/simplesamlphp-sp 而我的測試與openidp.feide.no成功。

但我有OKTA的問題。我創建了「Test App Cakephp」併爲其分配了人員併爲其配置了SimpleSamlPHP。

但登錄後我得到這個SAML(無需用戶屬性):

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" ID="id12087736095048056708868080" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" > 
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer> 
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
     <ds:Reference URI="#id12087736095048056708868080"> 
      <ds:Transforms> 
       <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
      </ds:Transforms> 
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
      <ds:DigestValue>pU2jLhg9A4w97r8NVnBKl3IQZLE=</ds:DigestValue> 
     </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue>VPDveGXR0s0aL87FHcwlgox2jpF8Ka68+35u5sAwtNPu6YGLeHBZXMM0VJBGubXaP43p7U/bOCEDN28Unvdu+r7nsPayg7KRJtEBG5IPS0aHAsAVvFWCNKwbj/F3V+mNfjj6tyCYxfUv0VzGYFx74sR4jyatwMWM0C8Tn5/ 
    </ds:SignatureValue> 
    <ds:KeyInfo> 

     <ds:X509Data> 
      <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU 
      </ds:X509Certificate> 
     </ds:X509Data> 
    </ds:KeyInfo> 
</ds:Signature> 

<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> 
</saml2p:Status> 
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id120877360951785121155512781" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" > 
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
      <ds:Reference URI="#id120877360951785121155512781"> 
       <ds:Transforms> 
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
       </ds:Transforms> 

       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
       <ds:DigestValue>lob8Do3NlCm0YApUEdGks7Lvj5g=</ds:DigestValue> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue>cxCVxow1zv7/C9fyG3n8FqXLNUCx6J3WMzZSB7oOQhBCWt1x+EmkB/Hh3l1AajeCRe50uCZlSfy5eN1kpLQPy1oqyTH/i08cdnzeb94eMh06JRpljSrGFBRyNz7RfoHSs13v8R3PEweDsM0XIUhfX3oL2JpGm7yxwcm/+UZpI2eq 
     </ds:SignatureValue> 
     <ds:KeyInfo> 
      <ds:X509Data> 
       <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJv 
       </ds:X509Certificate> 
      </ds:X509Data> 

     </ds:KeyInfo> 
    </ds:Signature> 
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> 
     <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]_domain.com</saml2:NameID> 
     <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> 
      <saml2:SubjectConfirmationData NotOnOrAfter="2015-04-07T15:54:27.571Z" Recipient="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" /> 
     </saml2:SubjectConfirmation> 
    </saml2:Subject> 
    <saml2:Conditions NotBefore="2015-04-07T15:44:27.571Z" NotOnOrAfter="2015-04-07T15:54:27.571Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > 
     <saml2:AudienceRestriction> 
      <saml2:Audience>https://test.staging.me/simplesamlphp/module.php/saml/sp/metadata.php/okta-sp</saml2:Audience> 
     </saml2:AudienceRestriction> 
    </saml2:Conditions> 
    <saml2:AuthnStatement AuthnInstant="2015-04-07T15:49:27.571Z" SessionIndex="id1428421767571.740119289" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > 
     <saml2:AuthnContext> 
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
     </saml2:AuthnContext> 
    </saml2:AuthnStatement> 
</saml2:Assertion>

我斷絕 「DS:SignatureValue所」 和 「DS:X509證書」 爲了方便領域。

我的問題:爲什麼我沒有收到用戶的屬性? 謝謝)

來源

2015-04-07 Feniksss

回答

1

Okta默認情況下不會在<saml2:AttributeStatement>中發送任何屬性。要配置可選的屬性語句,請看Configuring the Okta Template SAML 2.0 App。您可以發送的五個標準Okta配置文件屬性是名字,姓氏,電子郵件和Okta用戶名。

對於第一個用戶名和姓,從1563被列入SAMLResponse:

<saml2:AttributeStatement> 
    <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> 
     <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Thomas</saml2:AttributeValue> 
    </saml2:Attribute> 
    <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> 
     <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kirk</saml2:AttributeValue> 
    </saml2:Attribute> 
</saml2:AttributeStatement>

您必須配置1563 SAML 2.0的應用程序包括以下屬性聲明:

FirstName|${user.firstName},LastName|${user.lastName}

在除了標準的Okta個人資料屬性(名字,姓氏,電子郵件和Okta用戶名),您可以use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories

來源

2015-04-09 16:56:27

+0

謝謝!我也發現這個文件https://community.okta.com/docs/DOC-1222 – Feniksss

相關問題

 相關問題