SAML authentication and custom redirect URL

妖精的绣舞 posted on 2020-01-17 14:24:08

Question


We're in the process of looking into implementing SAML based SSO authentication in our applications and I'm wondering if it's possible to specify custom redirect URLs via SAML. In other words can we have a single Service Provider configured in the Identity Provider and have the Service Provider via the SAML request specify where the Identity Provider should redirect the user to after logging in?

The reason why we're looking for something like this is because our applications run on different servers depending on which stage of development they are in (dev, test, staging, prod). It would be great if we didn't have to configure four separate Service Provider entries in the Identity Provider for every single application we'll be migrating over to SAML SSO.


Answer 1:


Each SP has its own Assertion Consumer Service endpoint where the SAMLResponse is validated.

One of the checks that the SP does is verify that the SAMLResponse was sent to the right ACS endpoint, so you can't process a SAMLResponse built for the prod server at the test server.

If you decide to process all the SAMLResponses in 1 unique SP endpoint and your idea is to use the "RelayState" parameter to indicate from the SP to the IdP where to redirect the user after processing the SAMLResponse at the ACS, you may set a global session readable by all the environments, because there is no secure/standard method to send the processed data from the to the final endpoint.

If you are not able to set a global session readable by all environments then you must register all the SPs in the IdP.
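The ACS destination check and the RelayState redirect described in the answer above, as an added example that is not part of the original post. The hostnames, the sample response and the function names are constructed for illustration; signature, timestamp and audience validation are omitted and belong to a real SAML library.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an unsigned response addressed to a hypothetical prod ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" Destination="https://app.prod.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.prod.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def addressed_to(response_xml, own_acs_url):
    """True only if Destination and every Recipient equal this SP's ACS URL."""
    root = ET.fromstring(response_xml)
    # Destination on the Response element names the ACS the IdP built it for.
    if root.get("Destination") != own_acs_url:
        return False
    recipients = [d.get("Recipient") for d in
                  root.findall(".//saml:SubjectConfirmationData", NS)]
    # A bearer assertion with no Recipient, or a foreign one, is rejected.
    return bool(recipients) and all(r == own_acs_url for r in recipients)


def safe_relay_target(relay_state, allowed_hosts, default):
    """Treat RelayState as untrusted: allow only https URLs on listed hosts."""
    parts = urlsplit(relay_state or "")
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return relay_state
    return default
```

A response built for the prod ACS fails `addressed_to` at the test ACS, which is why a single shared endpoint needs either one registration per environment or a checked RelayState redirect after the ACS has finished validation.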



Source: https://stackoverflow.com/questions/37358254/saml-authentication-and-custom-redirect-url
