saml

How can Service Provider reinforce password prompt at IdP server?

末鹿安然 submitted on 2019-12-10 10:12:59
Question: SAML 2.0 with the "POST" Binding: Is there any way for a Service Provider to ask the IdP for user re-authentication for a specific request? I mean the first time the web user enters login/password, then it stores some sort of cookie in browser memory so that it remembers the user and does not ask him for a password again next time inside the session. I want the SP to be able to enforce re-authentication, which means a command to ask the user for a password again. The only similar thing I found ( ForceAuthn ) and it

What is the purpose of SAML 2 Subject Name Identifier?

╄→гoц情女王★ submitted on 2019-12-10 02:33:39
Question: When doing authn against a SAML 2 IdP, what is the Subject Name Identifier supposed to be for? Does it track each user login? I'm wondering if my SAML 2 service provider application should track these for different users. Since they are transient, they can be different for different logins (so I would need to track them using a collection hanging off the user account). Answer 1: The <NameIdentifier> element is a SAML 1.1 concept. It has been superseded by the <NameID> element which identifies the

Reading SAML Attributes from SAML Token

那年仲夏 submitted on 2019-12-10 01:55:05
Question: I am loading a SAML Token from an XML file. string certificatePath = @"D:\Projects\SAMLDemo\Server.pfx"; X509Certificate2 cert = new X509Certificate2(certificatePath, "shani"); string samlFilePath = @"D:\Projects\SAMLDemo\saml.xml"; XmlReader reader = XmlReader.Create(samlFilePath); List<SecurityToken> tokens = new List<SecurityToken>(); tokens.Add(new X509SecurityToken(cert)); SecurityTokenResolver outOfBandTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new

SAML 2.0 - How to verify the sender certificate?

五迷三道 submitted on 2019-12-09 22:20:20
Question: I am implementing a SAML SP in Java. I send an AuthnRequest to a SAML 2.0 IDP and get an encrypted response. My question is: How do I make sure that the response indeed comes from the IDP and not from a hacker? It is not enough to validate the signature, since this only tells me that the sender has a matching pair of private/public keys, but it could be anyone. So, I need the IDP to supply me in advance with a certificate which I upload to a jks file, and compare it each time to the certificate I extract

Making your PHP website into SAML Identity Provider

£可爱£侵袭症+ submitted on 2019-12-09 11:17:16
Question: The story is that I need to make my website act as an Identity Provider (read: IDP). The website itself is on the Zend platform. The idea is making an IDP controller through which Service Providers (read: SP) contact the IDP. As it must be part of the website, I would need to include some extension which could easily be used for responding to SAML requests from an SP. I have found a list of PHP extensions at: https://wiki.surfnetlabs.nl/display/OSP/RFC+-+OpenSAMLphp,+a+new+PHP+library+for+SAML+2.0+support All of these

SAML assertion with username/password - what do the messages really look like?

北城以北 submitted on 2019-12-09 04:50:22
Question: I need to create some SAML 2.0 assertions, and I'm having trouble finding what the XML should really look like. Most of the documentation seems to be about using particular tools, not about the messages. I've got the schemas, with a plethora of possibilities, but I can't find an example of what the relevant messages actually look like in practice. The business rule says: in order to create a shared identity, the user tells system A their username and password on system B. System A needs to

Are attributes allowed in a SAML authentication request?

不羁岁月 submitted on 2019-12-09 03:11:13
Question: Is it possible to send attributes in a SAML authentication request? <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2004-12-05T09:21:59Z" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0"> <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format

SAML 2.0: How to configure Assertion Consumer Service URL

放肆的年华 submitted on 2019-12-08 14:38:03
Question: I am implementing a SAML 2.0 Service Provider which uses Okta as the Identity Provider. I would like to configure the Assertion Consumer Service (ACS) URL so that the SAML 2.0 from my Service Provider app is reflected back in the assertion. However, I am noticing that the Okta Identity Provider instead sends the SSO Endpoint configured in the Okta configuration and ignores the ACS that was actually sent. Also, I get an error; perhaps the ACS from the SP doesn't match the metadata there. If the ACS

How to resolve org.springframework.web.util.NestedServletException: Request processing failed; with SAML

自古美人都是妖i submitted on 2019-12-08 11:14:33
Question: I am developing an application which is authenticating via an IDP which is an ADFS server. So it has some functionality to import IDP metadata at the program level by accessing the metadata URL (given below) and update it according to the service provider side. I am experiencing a request processing exception when trying to process SAML metadata from the ADFS server URL. Some solutions that I found say it is a problem in WildFly 8, and fine with WildFly 7+ and JBoss 7+, but still I am having the same

SAML and back-end REST service authentication

情到浓时终转凉″ submitted on 2019-12-08 08:59:54
Question: I have an application workflow like this: (A) User-Agent (browser) <-----> (B) App Server <------> (C) REST service. Suppose the app server (B) is a SAML service provider and user@domain authenticates from the browser (A) to the app server (B) using the Web Browser SSO profile. How can an application running on (B) authenticate to a REST service (C) as user@domain.com? (Assuming B and C are both SAML SPs on the same IdP.) If the browser were just making AJAX calls to both B and C, it would be