saml

What is the purpose of a SAML Artifact?

Deadly, submitted on 2019-12-28 11:44:15
Question: I've seen a bunch of flow charts on how it is passed around between Identity Provider (IdP), Service Provider (SP), and Browser via redirects. However, it seems unnecessary to me right now, so I know I'm missing something. Can someone provide me a use case where a SAML Artifact is required (or very useful) compared to not using one? Thank you. Answer 1: Typically, the intent of the artifact binding is to reduce the flow of SAML messages through the browser itself. This could be due to browser

Setting up a new Shibboleth IdP to work with an existing SAML SP

左心房为你撑大大i, submitted on 2019-12-28 04:32:06
Question: Hopefully this isn't a duplicate or too broad. I just have a feeling I need a bit more information than anything else I've been able to find. I have a program/server that already has a functioning SAML SP built into it. I'm trying to get it connected to a test Shibboleth IdP (V3.3.3) on an internal server running Windows Server. I have it installed and connected to our Active Directory users. The documentation was great for getting to that point. Now I have no earthly clue how to proceed. I

In PingFederate, is there an API to query a list of users and a list of groups?

Deadly, submitted on 2019-12-25 11:59:13
Question: I can use OpenAM to query a list of users and a list of groups by using its REST API: /openam/json/users?_queryID=* /openam/json/groups?_queryID=* Is there an equivalent (or similar) API of the above in PingFederate? Answer 1: This is not something that is currently available in the product. The reason being that it can use any of a number of user stores (adapters in the product's terminology) at the same time, and it doesn't have a specific set of users. If you are a current customer, you could

How to validate SAML assertion signatures

放肆的年华, submitted on 2019-12-24 21:44:05
Question: How do I validate SAML assertion signatures? for (Assertion assertion : samlResponse.getAssertions()) { try { if (assertion.getSignature() != null) { Optional<X509Certificate> x509Certificate = assertion.getSignature().getKeyInfo().getX509Datas() .stream() .findFirst() .map(x509Data -> x509Data.getX509Certificates() .stream() .findFirst() .orElse(null) ); if (x509Certificate.isPresent()) { BasicX509Credential credential = new BasicX509Credential(); credential.setEntityCertificate(KeyInfoHelper

How to add KeyInfo & X509Data under the Signature in SAML 2.0 using Java

佐手、, submitted on 2019-12-24 14:34:31
Question: I am completely new to SAML. I just built the SAML, but per requirement I also need to add KeyInfo and X509 certificate nodes including the client's public cert. I have used the code below to generate the signature element, but I don't know how to add KeyInfo & X509Data inside the signature. Needing help on this? BasicX509Credential signingCredential = new BasicX509Credential(); //Namespace nameSpaceSAML = new Namespace("http://www.w3.org/2000/09/xmldsig#","ds"); KeyStore keyStore = getKeyStore(

Spring Security SAML IdP Metadata Certificate and Signature

空扰寡人, submitted on 2019-12-24 05:15:13
Question: I have looked at many questions including https://stackoverflow.com/a/25384924/1317559. I have the IdP metadata and certificate, but can't seem to get Spring to see it. Added the certificate to the keystore: keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file certificate.crt In the metadata there are multiple certificates (2 different ones) and a SignatureValue. I tried to add the signature value with the same keytool command, but it is not a certificate. I tried to add

Pass SAML token into web api call

孤者浪人, submitted on 2019-12-24 03:31:33
Question: I have a web application and web API services that authenticate through ADFS. They are contained in the same IIS application, and the web app makes calls back to the web API services without a problem. I'm now trying to call the same services from a different application, but am having trouble passing the token. I am able to authenticate and retrieve a SAML token with the following code: var stsEndpoint = "https://MyAdfsServer/adfs/services/trust/13/UsernameMixed"; var reliantPartyUri =

What causes a Responder status in a SAML response

拟墨画扇, submitted on 2019-12-23 21:55:43
Question: I am having quite a time setting up SAML integration with a client using our platform. We're using OneLogin's PHP SDK on our end to act as a service provider. Not sure what they're using as an identity provider or if it is something custom. It seems no matter what we do, the AuthN Response we receive from them has the status: urn:oasis:names:tc:SAML:2.0:status:Responder As I read it here, all that means is that there was an issue (we don't know what) on their side. Sort of the equivalent of a

Integrating Java Web App with SAML SSO

时间秒杀一切, submitted on 2019-12-23 15:17:20
Question: I have a RESTful Java web application which is to be deployed to a number of different environments (outside of my control) which will be using a SAML 2.0 SSO solution. My application (which I believe is the "service provider") needs to store state generated by the user, and uses internal business logic to work out which users are allowed to view or update other users' data. In order for this to work we need to know who the user is, and what groups the user is part of. But how do I get this

SSO : Should SP validate session with IDP in every request

时光总嘲笑我的痴心妄想, submitted on 2019-12-22 17:39:02
Question: As per the SP-initiated SSO flow, the user tries to access the SP. Since the user is unauthenticated, he is redirected to the IDP where he enters his credentials; after successful login, the IDP sets cookies in the user's browser (under the IDP's domain) and redirects the user back to the SP with a SAML response. Once the SP verifies the SAML response it creates its own cookie/token and sets it in the user's browser under the SP's domain. What should ideally happen in subsequent requests: Should the SP rely only on its own cookie to fetch user