Identity Provider (IdP): here, the customer's own central authentication service.
Service Provider (SP): here, Alibaba Cloud.

The figure illustrates the following steps.
1. The user tries to access WebApp1.
2. WebApp1 generates a SAML authentication request (AuthnRequest). The request is encoded and embedded in the URL of the IdP's SSO service. A RelayState parameter, carrying the encoded URL of the WebApp1 page the user originally asked for, is embedded in the same SSO URL. RelayState is an opaque identifier: the IdP hands it back unchanged and does not inspect it, so WebApp1 itself must validate it as a redirect target when it returns (otherwise it is an open redirect).
3. WebApp1 sends a redirect to the user's browser. The redirect URL contains the encoded SAML authentication request to be submitted to the SSO service.
4. The SSO service (the IdP) decodes the SAML request and extracts WebApp1's ACS (Assertion Consumer Service) URL and the user's destination URL (the RelayState parameter). The IdP then authenticates the user, either by asking for valid login credentials or by checking for a valid session cookie.
5. The IdP generates a SAML response containing the authenticated user's username. As the SAML 2.0 specification requires, the response is digitally signed with the IdP's private key (DSA or RSA); the SP later verifies it with the matching public key from the IdP's certificate.
6. The IdP encodes the SAML response and the RelayState parameter and returns them to the user's browser, together with a mechanism (in practice an auto-submitting HTML form, the HTTP-POST binding) by which the browser forwards them to WebApp1's ACS. WebApp1 verifies the SAML response with the IdP's public key; if verification succeeds, the ACS redirects the user to the destination URL.
7. The user is redirected to the destination URL and is logged in to WebApp1.
Getting the Alibaba Cloud metadata (AliyunMetadata)
Getting the onalipay.xyz metadata.xml
This XML contains a lot of material, but Alibaba Cloud only needs a few items from it:
the certificate's public key, signInUrl, signOutUrl and entityId.
The information Alibaba Cloud parsed out of it is shown below.
We upload the onalipay.xyz metadata.xml in the Alibaba Cloud enterprise console (enterprise.console.aliyun.com) under Member Management, Directory Settings, SSO Settings, and enable SSO; under Domain Management we also bind the domain onalipay.xyz.
Sign in at signin.aliyun.com and enter the account name [email protected]; the browser is redirected to the following address:
https://mycomputer.onalipay.xyz/adfs/ls/?SAMLRequest=hZFPb4IwGMbv%2BxSkdygwFWwE42bMTFxGBHfYrasVaqBlfYuRffqhaOYu7vgmz583v2cyPValdeAahJIR8hwXWVwytRUyj9AmW9ghmsYPE6BV6ddk1phCrvlXw8FYMwCuTed7VhKaiuuU64NgfLNeRagwpgaCMYhcCunQUrSNdJiq8CkKp%2BkbsuZdipDUnKuvhqrtRHVjuHaU7Gw1bZ1j%2B43pdge4BIyshdKMnz%2BJ0I6WwJG1nEeI7oJ9MMrH%2BwELgiL0huO8oNzfe4yGXthpIKEA4sB%2FXQANX0owVJoI%2Ba4X2J5vP7qZOyDekPgjZ%2BB6H8hKtDKKqfJJyJ5LoyVRFAQQSSsOxDCSzl5XxHdc8tmLgLxkWWInb2mGrPcrX%2F%2FEtyMugfRE72fVl2IU9wOQ88f6NuF%2BAL1OhOL%2FB5ng25L4cv4dPf4B&RelayState=https%3A%2F%2Fhome.console.aliyun.com%2F
SAMLRequest is XML that has been DEFLATE-compressed, base64-encoded and then URL-encoded (the SAML 2.0 HTTP-Redirect binding); decoded, its content is shown below.
The SAMLRequest carries the ID, Issuer, IssueInstant and Destination, among other fields.
RelayState gives the address to return to once authentication completes: RelayState=home.console.aliyun.com
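Steps 2 and 3 of the flow above and the decoding just described, as an added example that is not part of the original post: the SP side builds an AuthnRequest, wraps it in the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) to produce a URL of the same shape as the one shown, and the decoder reverses it to recover ID, Issuer, IssueInstant, Destination and RelayState. The IdP endpoint is the host from the post's URL; SP_ENTITY_ID and ACS_URL are placeholders for whatever Alibaba Cloud really uses. The last function shows the RelayState check the SP owes itself, since the IdP returns the value unexamined.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET  # production code: parse untrusted XML with defusedxml
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Assumed values for the example: the IdP endpoint is the host from the post's URL,
# the SP identifiers are placeholders for whatever Alibaba Cloud actually uses.
IDP_SSO_URL = "https://mycomputer.onalipay.xyz/adfs/ls/"
SP_ENTITY_ID = "https://signin.aliyun.com/saml/SSO"
ACS_URL = "https://signin.aliyun.com/saml/SSO"


def build_authn_request(request_id=None, issue_instant=None):
    """Return a minimal samlp:AuthnRequest as XML text (step 2 of the flow)."""
    request_id = request_id or "_" + uuid.uuid4().hex  # xs:ID values must not start with a digit
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = co.compress(authn_request_xml.encode()) + co.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_url(url):
    """Reverse the binding and pull out the fields the post points at."""
    qs = parse_qs(urlsplit(url).query)  # parse_qs also undoes the URL-encoding
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    return {
        "ID": root.get("ID"),
        "Issuer": root.findtext("saml:Issuer", namespaces=NS),
        "IssueInstant": root.get("IssueInstant"),
        "Destination": root.get("Destination"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "RelayState": qs.get("RelayState", [None])[0],
    }


def safe_relay_state(relay_state, allowed_hosts=("home.console.aliyun.com",)):
    """RelayState comes back unchecked by the IdP, so the SP must restrict it to its own
    HTTPS hosts before redirecting; anything else is an open redirect."""
    if not relay_state:
        return False
    parts = urlsplit(relay_state)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


if __name__ == "__main__":
    url = redirect_binding_url(build_authn_request(), "https://home.console.aliyun.com/")
    print(url)
    print(decode_redirect_url(url))
```

The SAMLRequest in the post is not signed; an IdP can be configured to require signed requests, in which case a Signature and SigAlg parameter are added to the same query string and computed over the encoded SAMLRequest, RelayState and SigAlg values.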
After authentication the browser POSTs to https://signin.aliyun.com/saml/SSO (Alibaba Cloud's ACS) with these form fields:
SAMLResponse: (base64-encoded response; value not reproduced here)
RelayState: https://home.console.aliyun.com/
The SAMLResponse after base64 decoding:
The most important element is the NameID in the Subject: Alibaba Cloud uses it to determine which account has just signed in, and signs the user in as the account named in NameID. Because this one value decides the identity, the SP has to verify the response's signature against the IdP certificate from the metadata and check the Destination, Audience and validity window before it trusts the NameID.
RelayState tells Alibaba Cloud which page to redirect to after login; in this example it is home.console.aliyun.com.
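The checks an SP should run on the decoded SAMLResponse before it trusts the NameID, as an added example (not code from the original post or from Alibaba Cloud). The response is constructed, not the one captured in the post; ACS_URL is the endpoint from the post, while SP_ENTITY_ID, IDP_ENTITY_ID and the NameID are assumptions. The cryptographic signature is not verified here: that must be done first with an XML-DSig library against the IdP's metadata certificate, and this block only checks that a signature is present.

```python
import base64
import datetime
import xml.etree.ElementTree as ET  # production code: parse untrusted XML with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://signin.aliyun.com/saml/SSO"                        # Alibaba Cloud's ACS (from the post)
SP_ENTITY_ID = "https://signin.aliyun.com/saml/SSO"                   # assumed SP entityID / Audience
IDP_ENTITY_ID = "http://mycomputer.onalipay.xyz/adfs/services/trust"  # assumed IdP entityID

# Constructed sample, not the response captured in the post. Its ds:Signature is a
# placeholder: this block checks that a signature is present, not that it is valid.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:05Z"
 Destination="https://signin.aliyun.com/saml/SSO" InResponseTo="_req1">
 <saml:Issuer>http://mycomputer.onalipay.xyz/adfs/services/trust</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:05Z">
  <saml:Issuer>http://mycomputer.onalipay.xyz/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID>alice@onalipay.xyz</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://signin.aliyun.com/saml/SSO"
     InResponseTo="_req1" NotOnOrAfter="2020-01-01T00:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://signin.aliyun.com/saml/SSO</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(s):
    """Parse a SAML UTC timestamp such as 2020-01-01T00:00:00Z."""
    return datetime.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=datetime.timezone.utc)


def sample_response_b64():
    """The sample as it would arrive in the SAMLResponse form field."""
    return base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def validate_response(b64, expected_request_id, now):
    """Return the NameID if every check passes; raise ValueError otherwise.
    Run only AFTER an XML-DSig library has verified the signature with the IdP's metadata certificate."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS (response replayed to another SP?)")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the request we issued")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # zero (e.g. EncryptedAssertion) or several: refuse to guess
        raise ValueError("expected exactly one plaintext Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion Issuer is not the configured IdP")
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        raise ValueError("neither the response nor the assertion is signed")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no validity window")
    if not (parse_saml_time(cond.get("NotBefore", "1970-01-01T00:00:00Z")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was not issued for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id
            or not scd.get("NotOnOrAfter") or now >= parse_saml_time(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer SubjectConfirmationData rejected")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID: nothing to log in as")
    return name_id


if __name__ == "__main__":
    print(validate_response(sample_response_b64(), "_req1", parse_saml_time("2020-01-01T00:01:00Z")))
```

Two of these checks are the ones most often skipped in home-grown SPs: Destination and Recipient must equal the SP's own ACS URL (otherwise a response issued for another SP of the same IdP can be replayed here), and the assertion count must be exactly one (otherwise an attacker can leave the signed assertion in place and add an unsigned one carrying a different NameID).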
This completes the analysis of the Alibaba Cloud SAML SSO login flow. A later post will cover how to connect Alibaba Cloud SAML to a Shibboleth IdP backed by LDAP.