问题描述
我正在尝试在我的项目中使用passport-saml进行身份验证。到目前为止,我已经能够使用passport.generateServiceProviderMetadata(decryptionCert)生成以下Metadata.xml:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:Metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="passport-saml" ID="passport_saml">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</KeyDescriptor>
<SinglelogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="www.mywebsite.com/logout/callback"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="www.mywebsite.com/login/callback"/>
</SPSSODescriptor>
</EntityDescriptor>
SamlStrategy配置:
{
callbackUrl: 'www.mywebsite.com/login/callback',entryPoint: 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.PHP',decryptionPvk: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh...',issuer: 'passport-saml',logoutCallbackUrl: 'www.mywebsite.com/logout/callback'
}
为了满足IDP的要求,我需要进行一些更改:
- 将AuthnRequestsSigned =“ false”和WantAssertionsSigned =“ true”添加到SPSSODescriptor标记
- 将KeyDescriptor更改为使用“签名”而不是“ encryption”,并删除EncryptionMethod标签
- 为SinglelogoutService而不是HTTP-POST使用SOAP绑定
这是我要实现的Metadata.xml:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:Metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="passport-saml" ID="passport_saml">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SinglelogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="www.mywebsite.com/logout/callback"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="www.mywebsite.com/login/callback"/>
</SPSSODescriptor>
</EntityDescriptor>
是否可以配置护照以生成上述元数据?还是我应该手动创建它?任何帮助或建议,将不胜感激!
解决方法
这只是部分答案。
我只知道如何解决第 1 点(将 AuthnRequestsSigned="false" 和 WantAssertionsSigned="true" 添加到 SPSSODescriptor 标记)。
AuthnRequestsSigned 和 WantAssertionsSigned 告诉 IdP 如何表现并且不需要在 SP 中进行任何其他更改。
您可以手动将 AuthnRequestsSigned 和 WantAssertionsSigned 添加到元数据中。
或者像这样以编程方式添加它们:
function generateMetadata() {
const decryptionCrt = fs.readFileSync(config.crt_file,'utf8');
const metadata = samlStrategy.generateServiceProviderMetadata(
decryptionCrt,// should match with samlStrategy:decryptionPvk
decryptionCrt // should match with samlStrategy:privateCert
);
let xml = '';
// Convert XML to JSON
xml2js.parseString(metadata,(err,result) => {
if (err) {
throw err;
}
// Add AuthnRequestsSigned to the metadata (as requested by ITS)
result.EntityDescriptor.SPSSODescriptor[0].$.AuthnRequestsSigned = 'true';
result.EntityDescriptor.SPSSODescriptor[0].$.WantAssertionsSigned = 'true';
// Convert JSON back to XML
const builder = new xml2js.Builder();
xml = builder.buildObject(result);
});
return xml;
}
如果您使用的是 WantAssertionsSigned,请确保您在 privateKey 中设置了 passportSaml.Strategy,以便passport-saml 能够读取签名。