saml-2.0

Opensaml xmlns is not generated on nameIDPolicy and AuthnContext

喜欢而已 submitted on 2020-01-05 07:09:11
Question: Hi, I want my XML to look like this: <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"> </samlp:NameIDPolicy> My setup with OpenSAML is: // NameIDPolicy nameIdPolicyBuilder = new NameIDPolicyBuilder(); nameIdPolicy = nameIdPolicyBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "NameIDPolicy", "samlp"); nameIdPolicy.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Authentication against multiple identity providers using WSFederationAuthenticationModule for asp.net

旧巷老猫 submitted on 2020-01-04 02:31:05
Question: We have a multitenant ASP.NET MVC web site which supports multiple partners. Currently we are using forms authentication to authenticate users. Now some of the partners have asked for single sign-on support with SAML. I did a quick POC to test it against the “Thinktecture” identity provider. All I did was install the “Identity and Access” extension for VS 2012 and configure the identity provider. I noticed that the extension added configuration settings like the URL of the IP and the realm in the web.config

Spring Security SAML One Login Global Single Logout LogoutRequest Parsing Issue

时光怂恿深爱的人放手 submitted on 2020-01-03 03:02:28
Question: I am implementing Spring Security SAML with One Login. I have set all the configuration files and the metadata is set. I am able to get login to work, and logout is working if I log off from the same application I logged in to. In this scenario, from the SAML IDP I get a LogoutResponse and Spring Security is able to parse and process it. http://localhost:8080/web/saml/SingleLogout?SAMLResponse=.............. The problem is when I log in to two applications; currently I log in to the One Login admin console, there is a

Calling the Graph api after SAML2.0 auth. How do I get the Auth token required

99封情书 submitted on 2020-01-03 02:21:12
Question: Our web app is authenticating with Azure AD via SAML 2.0, similar to this. In return we get a SAML assertion (SAML token). But when the user who logs in has more than 150+ groups, the response doesn't contain the group information (so that the token size doesn't exceed HTTP header size limits. More info on this). But what it returns is a Graph API to be hit to get the group information, something like https://graph.windows.net/{tenant id}/users/{user id}/getMemberObject. By going through this I

Getting list of groups user is associated with in Okta

牧云@^-^@ submitted on 2020-01-02 04:47:13
Question: I'm trying to integrate with Okta SSO by implementing SAML 2.0 in my website as the Service Provider (SP), with an Okta env. as my Identity Provider (IDP). I can't understand how to configure my IDP to return, for each auth request, the groups a user is in. How can it be done? Also, is it possible to have a service account in my IDP so that my backend can ask the IDP directly if a user is inside some specific group? Answer 1: It is possible to add groups to the SAMLResponse by configuring the SP App in the Okta

Digitally Sign a SAML2 Request in NodeJS

好久不见. submitted on 2020-01-01 12:16:12
Question: I have the following SAML request that I want to digitally sign: <samlp:AuthnRequest Version="2.0" ID="_9FE393FB-1C9C-4EDD-86A5-1AE9F2192A60" IssueInstant="2014-10-22T11:22:56.676Z" Destination="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Issuer>http://app.localhost</saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" /> </samlp:AuthnRequest> I use the following

How to verify a SAML signature for HTTP-redirect binding

一世执手 submitted on 2020-01-01 03:22:30
Question: I'm receiving a SAML request via HTTP-redirect binding; the content of the SAML request looks like this {"SigAlg"=>"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SAMLRequest"=>"lVLLaoQwFP0VyT5jEqPG4AiFoSDMtNApXXQzxDxaQRObRDqfX3XoolAKXd7DPQ/uuXUQ4zDxo3tzc3zSH7MOMWkPe3DpcixzVVVQl4RBqoiCncEYEmkoY7k00hCQvGgfemf3gOwQSNoQZt3aEIWNC4RwCRGGiD6jkmPMs2KHUPYKksPi0lsRN+Z7jFPgafqpvejtbtQpSK7jYAPfsu3B7C13IvSBWzHqwKPk57vTkS+WfPIuOukG0NSbub9R/yaJELRfzUGzrhmtFut15qdeeheciY926K2u05toUz8sIu0huXd+FPFv9RXpFTTbKp

How to decrypt EncryptedAssertion manually

三世轮回 submitted on 2019-12-31 07:17:12
Question: I want to decrypt the EncryptedAssertion. I tried with the OpenSAML Decrypter but it's not working for me. I am getting "Failed to decrypt EncryptedData". I have already asked that question - EncryptedAssertion Decryption failing. While I am waiting for any solution I am trying to decrypt it manually. It's a hybrid encryption. I tried the code below: CipherValue cv = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0).getCipherData().getCipherValue(); String cvalue = cv.getValue();

HTTP-Redirect Binding SAML Request

℡╲_俬逩灬. submitted on 2019-12-30 07:28:46
Question: Suppose SP-init SSO is carried out, HTTP-Redirect Binding is used instead of HTTP-POST Binding, and a signed AuthnRequest is required. That means including the SAMLRequest in the URL. Q1. Do I need to include the signature in the URL or just embed it in the SAMLRequest? The redirect URL is http://idp.example.com/SSOService.php?SAMLRequest={val1}&Signature={val2}&SigAlg={val3} with my SAMLRequest (without signature) <samlp:AuthnRequest ID="" Version="2.0" IssueInstant="2015-05-22T02:47:38Z"

configuring saml-sample (SP) to work with Okta (IdP)

女生的网名这么多〃 submitted on 2019-12-30 05:09:46
Question: Okta is an IdP for SAML logins. I have a super-admin user of Okta. I am trying to use Spring's saml-sample project as my SP (service provider). When I configure it (spring-saml-sample) in the Okta system, I need to supply some data on my SP, such as "post back URL", "recipient" and "audience restriction". After sniffing through Okta's docs, I found this: Audience Restriction – This is the entity id of the Service Provider. It will be provided by the SP and must match exactly. Consult the SP