SAML协议单点登录开发文档
# SAML协议单点登录开发文档
# 一、认证接口
# 1 获取idp metadata
# 1 接口描述
获取idp metadata
# 2 请求路径
/api/sso/protocol/saml2/idp/metadata
# 3 HTTP请求方法
GET
# 4 请求参数
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
# 5 返回字段
xml
# 6 接口示例
调用参数:/api/sso/protocol/saml2/idp/metadata
成功返回:
<?xml version="1.0" encoding="UTF-8"?>
<!-- IdP metadata document served by /api/sso/protocol/saml2/idp/metadata.
     entityID is the value the SP must expect in the saml2:Issuer of every
     Response it receives from this IdP. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  entityID="https://cas.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    </Extensions>
    <!-- Signing key: the SP uses this certificate to verify ds:Signature on
         Responses. Take it from metadata fetched over a trusted channel; never
         trust a certificate carried inside the message being verified. -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <!-- Encryption key: intended for data the SP sends to this IdP encrypted. -->
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDAzCCAeugAwIBAgIVAMKNxx+J8sQQcqdtm9NersWKlw7OMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAMMEDY5NDI4NjgxOTEyNjg4NzMwHhcNMjIwNjIyMDgxMzI3WhcNNDIwNjIyMDgxMzI3WjAbMRkwFwYDVQQDDBA2OTQyODY4MTkxMjY4ODczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0rYiahLmWeEOlC/bXzOXadzMG79MLNWvkoLqjIew2IIYquLOTAud0/4X4Q9+Uhxg1NOyUIL8H752b5iL98xYTpgCL+TyLFuU+MOCvUHf4crOv0Gy7pHVQy8e+XL8yKQb4Jv8PK7Z6+FqB3ey4+p3I4KNIlvfNIfOmgj7pgtYBr9qoaBXsLGq2GbzZ3rCuGoVokMT6Qzrl+g03V1ekMj/WGBtKrPlIse3Ax2zFW4JFkuYDqyPKqrTmoaJD3WzV29iRcym92e2WDd+bn45xv/mtapA5T/ffdgXsiDmgNQPf8xUf3rtLDyjvxs7vuXb7JGJFFbVt+MBeOaQAVVZ03f2oQIDAQABoz4wPDAdBgNVHQ4EFgQUNCye8aHVNlZKc0UzT2D/dwof7u4wGwYDVR0RBBQwEoIQNjk0Mjg2ODE5MTI2ODg3MzANBgkqhkiG9w0BAQsFAAOCAQEAlVRvFCW1O0Xi48HuUjcMpUd2iJ+EPLevc6aoU4zo+XDl/Z6k2KW0EXx1i0EKggkzplRq6BTehl76mBBC9AfCa2DNmQ8OA/K+uQ+Yy+QE5g2+O4MKCwKjFX16RWuvmmnRDw7U9b8RC++ouXLnvLgJpBpumLTlQpCWmKGZBUwJW3BoIsMQha6KwgwCruT9RoPrTOAq4RrL+PBFLYSRz+veGqiqSFq1MAO8Gzt/OQgBwRweuwx4ycJZcBGeYYbj31bhfHTHh9JCaRrnoEUXbmSTbjOrzIS0iN5/POGHUCHU1h9ta1f+eVXlJAsrbGMwsLVMI1QnWfcd+BykaD7O8MdYhA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <!-- Endpoints an SP sends LogoutRequest / AuthnRequest messages to, by binding. -->
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://para.sso360.cn/api/sso/protocol/saml2/idp/post/logout"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://para.sso360.cn/api/sso/protocol/saml2/idp/post/profile"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://para.sso360.cn/api/sso/protocol/saml2/idp/redirect/profile"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                         Location="https://para.sso360.cn/api/sso/protocol/saml2/idp/ecp/profile"/>
  </IDPSSODescriptor>
</EntityDescriptor>
失败返回:无
# 2 Idp发起sso请求
# 1 接口描述
idp发起sso请求
# 2 请求路径
/api/sso/protocol/saml2/idp/unsolicited/profile
# 3 HTTP请求方法
GET
# 4 请求参数
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
providerId | String | | |
# 5 返回字段
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
# 6 接口示例
调用参数:/api/sso/protocol/saml2/idp/unsolicited/profile
成功返回:
//SAML Response
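<!-- SAML 2.0 Response delivered to the SP's ACS (Destination). As published, the
     sample ran attributes together (e.g. xmlns:saml2p="..."xmlns:xsd="...") and was
     not well-formed XML; the whitespace is restored below. The sample is also
     pretty-printed for reading: whitespace inside the signed content changes the
     canonical form, so the DigestValue/SignatureValue here cannot be re-verified
     and this text must not be used as a signature-verification fixture. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                 Destination="https://rdc.sso360.cn:18080/SamlResponseServlet"
                 ID="_8633710638701723454"
                 IssueInstant="2022-09-13T04:03:09.136Z"
                 Version="2.0">
  <!-- Must equal the entityID published in the IdP metadata. -->
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cas.example.org/idp</saml2:Issuer>
  <!-- Enveloped signature over the whole Response (Reference URI is the Response ID).
       The Assertion below carries no signature of its own, so the SP must verify this
       signature with the metadata signing key before reading any of the Assertion. -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_8633710638701723454">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>wFFNjwVqnlrMr3lxHJY4HSL9k324hZKOj+etouTeWTk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
PQpnHTrZ4jDH5e4TxxJlYO7se7U0VgSe/guNs4haggkBex1UEc66GsE4IumwSiDAzzYP7hS/H416
tRgevWYdr8iZ4+nNZl4ENWicy/dcY5Q67Vf2F/eKxd1Q0swTinvOQySMQCq3njdiHTLDqfFNS8G8
1wD3nJiV2/l7dqqYlN+heeKEEtxGABxQjXk33txxPuZRW4Lk6OyNPsLfZPTtsxJ6CJz3N+iYeTpM
nqvNrQ0kJbx5ZvWH8xP6EnGU/LiB2JuxuZliWkGQGDQJoTfP4hyn75za29573+XxfUF7HZUdrCts
70e+Lla850Spb+TAVoZibaS1REdnnpAYQCTxhg==
    </ds:SignatureValue>
    <!-- Informational only: the SP must pin the key from metadata, not trust this one. -->
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDAzCCAeugAwIBAgIVAJ3AAZJ6Q/yssp1GEYn99GZwUcBNMA0GCSqGSIb3DQEBCwUAMBsxGTAX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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_6340891718834666098"
                   IssueInstant="2022-09-13T04:03:09.136Z"
                   Version="2.0">
    <saml2:Issuer>https://cas.example.org/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">zhangsan@paraview.cn</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Bearer confirmation: the SP must check Recipient is its own ACS URL and that
             NotOnOrAfter has not passed. No InResponseTo appears in this sample; for an
             SP-initiated flow the SP should expect it to match the ID of the AuthnRequest
             it sent (confirm against the implementation). -->
        <saml2:SubjectConfirmationData NotOnOrAfter="2022-09-13T04:04:09.119Z"
                                       Recipient="https://rdc.sso360.cn:18080/SamlResponseServlet"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <!-- One-minute validity window in this sample. The SP must enforce
         NotBefore/NotOnOrAfter (allowing only bounded clock skew) and require
         Audience to equal its own entityID. -->
    <saml2:Conditions NotBefore="2022-09-13T04:03:09.136Z"
                      NotOnOrAfter="2022-09-13T04:04:09.136Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>ME_3acef03c-e6ad-4aa3-92c9-e635532d1d42</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2022-09-13T04:03:09.119Z"
                          SessionIndex="_6923110966125561704">
      <saml2:SubjectLocality Address="ME_3acef03c-e6ad-4aa3-92c9-e635532d1d42"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <!-- Attributes released to the SP; names follow the mapping configured for the application. -->
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="userId" Name="userId">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">6942868455296156</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="email" Name="email">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">zhangsan@paraview.cn</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>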
失败返回:无
# 3 sp发起sso请求
# 1 接口描述
sp发起sso请求
# 2 请求路径
/api/sso/protocol/saml2/idp/redirect/profile
# 3 HTTP请求方法
GET
# 4 请求参数
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
SAMLRequest | String | | |
RelayState | | | |
SigAlg | | | |
Signature | | | |
# 5 返回字段
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
# 6 接口示例
调用参数:/api/sso/protocol/saml2/idp/redirect/profile
成功返回:
//SAML Response
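<!-- SAML 2.0 Response delivered to the SP's ACS (Destination). As published, the
     sample ran attributes together (e.g. xmlns:saml2p="..."xmlns:xsd="...") and was
     not well-formed XML; the whitespace is restored below. The sample is also
     pretty-printed for reading: whitespace inside the signed content changes the
     canonical form, so the DigestValue/SignatureValue here cannot be re-verified
     and this text must not be used as a signature-verification fixture. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                 Destination="https://rdc.sso360.cn:18080/SamlResponseServlet"
                 ID="_8633710638701723454"
                 IssueInstant="2022-09-13T04:03:09.136Z"
                 Version="2.0">
  <!-- Must equal the entityID published in the IdP metadata. -->
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cas.example.org/idp</saml2:Issuer>
  <!-- Enveloped signature over the whole Response (Reference URI is the Response ID).
       The Assertion below carries no signature of its own, so the SP must verify this
       signature with the metadata signing key before reading any of the Assertion. -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_8633710638701723454">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>wFFNjwVqnlrMr3lxHJY4HSL9k324hZKOj+etouTeWTk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
PQpnHTrZ4jDH5e4TxxJlYO7se7U0VgSe/guNs4haggkBex1UEc66GsE4IumwSiDAzzYP7hS/H416
tRgevWYdr8iZ4+nNZl4ENWicy/dcY5Q67Vf2F/eKxd1Q0swTinvOQySMQCq3njdiHTLDqfFNS8G8
1wD3nJiV2/l7dqqYlN+heeKEEtxGABxQjXk33txxPuZRW4Lk6OyNPsLfZPTtsxJ6CJz3N+iYeTpM
nqvNrQ0kJbx5ZvWH8xP6EnGU/LiB2JuxuZliWkGQGDQJoTfP4hyn75za29573+XxfUF7HZUdrCts
70e+Lla850Spb+TAVoZibaS1REdnnpAYQCTxhg==
    </ds:SignatureValue>
    <!-- Informational only: the SP must pin the key from metadata, not trust this one. -->
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDAzCCAeugAwIBAgIVAJ3AAZJ6Q/yssp1GEYn99GZwUcBNMA0GCSqGSIb3DQEBCwUAMBsxGTAX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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_6340891718834666098"
                   IssueInstant="2022-09-13T04:03:09.136Z"
                   Version="2.0">
    <saml2:Issuer>https://cas.example.org/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">zhangsan@paraview.cn</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Bearer confirmation: the SP must check Recipient is its own ACS URL and that
             NotOnOrAfter has not passed. No InResponseTo appears in this sample; for an
             SP-initiated flow the SP should expect it to match the ID of the AuthnRequest
             it sent (confirm against the implementation). -->
        <saml2:SubjectConfirmationData NotOnOrAfter="2022-09-13T04:04:09.119Z"
                                       Recipient="https://rdc.sso360.cn:18080/SamlResponseServlet"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <!-- One-minute validity window in this sample. The SP must enforce
         NotBefore/NotOnOrAfter (allowing only bounded clock skew) and require
         Audience to equal its own entityID. -->
    <saml2:Conditions NotBefore="2022-09-13T04:03:09.136Z"
                      NotOnOrAfter="2022-09-13T04:04:09.136Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>ME_3acef03c-e6ad-4aa3-92c9-e635532d1d42</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2022-09-13T04:03:09.119Z"
                          SessionIndex="_6923110966125561704">
      <saml2:SubjectLocality Address="ME_3acef03c-e6ad-4aa3-92c9-e635532d1d42"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <!-- Attributes released to the SP; names follow the mapping configured for the application. -->
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="userId" Name="userId">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">6942868455296156</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="email" Name="email">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">zhangsan@paraview.cn</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>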
失败返回:无
# 4 sp发起sso请求
# 1 接口描述
sp发起sso请求
# 2 请求路径
/api/sso/protocol/saml2/idp/post/profile
# 3 HTTP请求方法
POST
# 4 请求体
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
SAMLRequest | String | | |
RelayState | String | | |
# 5 返回字段
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
# 6 接口示例
调用参数:/api/sso/protocol/saml2/idp/post/profile
成功返回:
//SAML Response
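<!-- SAML 2.0 Response delivered to the SP's ACS (Destination). As published, the
     sample ran attributes together (e.g. xmlns:saml2p="..."xmlns:xsd="...") and was
     not well-formed XML; the whitespace is restored below. The sample is also
     pretty-printed for reading: whitespace inside the signed content changes the
     canonical form, so the DigestValue/SignatureValue here cannot be re-verified
     and this text must not be used as a signature-verification fixture. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                 Destination="https://rdc.sso360.cn:18080/SamlResponseServlet"
                 ID="_8633710638701723454"
                 IssueInstant="2022-09-13T04:03:09.136Z"
                 Version="2.0">
  <!-- Must equal the entityID published in the IdP metadata. -->
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cas.example.org/idp</saml2:Issuer>
  <!-- Enveloped signature over the whole Response (Reference URI is the Response ID).
       The Assertion below carries no signature of its own, so the SP must verify this
       signature with the metadata signing key before reading any of the Assertion. -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_8633710638701723454">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>wFFNjwVqnlrMr3lxHJY4HSL9k324hZKOj+etouTeWTk=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
PQpnHTrZ4jDH5e4TxxJlYO7se7U0VgSe/guNs4haggkBex1UEc66GsE4IumwSiDAzzYP7hS/H416
tRgevWYdr8iZ4+nNZl4ENWicy/dcY5Q67Vf2F/eKxd1Q0swTinvOQySMQCq3njdiHTLDqfFNS8G8
1wD3nJiV2/l7dqqYlN+heeKEEtxGABxQjXk33txxPuZRW4Lk6OyNPsLfZPTtsxJ6CJz3N+iYeTpM
nqvNrQ0kJbx5ZvWH8xP6EnGU/LiB2JuxuZliWkGQGDQJoTfP4hyn75za29573+XxfUF7HZUdrCts
70e+Lla850Spb+TAVoZibaS1REdnnpAYQCTxhg==
    </ds:SignatureValue>
    <!-- Informational only: the SP must pin the key from metadata, not trust this one. -->
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDAzCCAeugAwIBAgIVAJ3AAZJ6Q/yssp1GEYn99GZwUcBNMA0GCSqGSIb3DQEBCwUAMBsxGTAX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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_6340891718834666098"
                   IssueInstant="2022-09-13T04:03:09.136Z"
                   Version="2.0">
    <saml2:Issuer>https://cas.example.org/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">zhangsan@paraview.cn</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Bearer confirmation: the SP must check Recipient is its own ACS URL and that
             NotOnOrAfter has not passed. No InResponseTo appears in this sample; for an
             SP-initiated flow the SP should expect it to match the ID of the AuthnRequest
             it sent (confirm against the implementation). -->
        <saml2:SubjectConfirmationData NotOnOrAfter="2022-09-13T04:04:09.119Z"
                                       Recipient="https://rdc.sso360.cn:18080/SamlResponseServlet"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <!-- One-minute validity window in this sample. The SP must enforce
         NotBefore/NotOnOrAfter (allowing only bounded clock skew) and require
         Audience to equal its own entityID. -->
    <saml2:Conditions NotBefore="2022-09-13T04:03:09.136Z"
                      NotOnOrAfter="2022-09-13T04:04:09.136Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>ME_3acef03c-e6ad-4aa3-92c9-e635532d1d42</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2022-09-13T04:03:09.119Z"
                          SessionIndex="_6923110966125561704">
      <saml2:SubjectLocality Address="ME_3acef03c-e6ad-4aa3-92c9-e635532d1d42"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <!-- Attributes released to the SP; names follow the mapping configured for the application. -->
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="userId" Name="userId">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">6942868455296156</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="email" Name="email">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xsd:string">zhangsan@paraview.cn</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>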
失败返回:无
# 5 登出
# 1 接口描述
登出请求
# 2 请求路径
/api/sso/protocol/saml2/idp/post/logout
# 3 HTTP请求方法
POST
# 4 请求体
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
# 5 返回字段
302重定向
# 6 接口示例
调用参数:/api/sso/protocol/saml2/idp/post/logout
成功返回:
//302重定向
http://app/demo/index.html
失败返回:无
# 6 登出
# 1 接口描述
登出请求
# 2 请求路径
/api/sso/protocol/saml2/idp/redirect/logout
# 3 HTTP请求方法
GET
# 4 请求体
参数 | 参数类型 | 参数值 | 参数描述 |
---|---|---|---|
# 5 返回字段
302重定向
# 6 接口示例
调用参数:/api/sso/protocol/saml2/idp/redirect/logout
成功返回:
//302重定向
http://app/demo/index.html
失败返回:无
# 三、应用配置演示
# 1 元数据准备
下载IDP的metadata:打开/api/sso/protocol/saml2/idp/metadata,复制内容保存为metadataDocument.xml
下载SP的metadata
# 2 IDaaS平台应用配置
管理员账号登录IDaaS,进入【后台管理】-->【应用管理】-->【新增应用】-->【创建并添加应用】
【应用属性】标签的【应用地址】填写应用的地址,打开【启用】的开关,如果该应用需要二次认证,可以勾选【登陆应用二次认证】,点击【确认】,保存配置
【协议配置】标签,【认证模式】选择【SAML】,此时会自动生成基本信息,可以根据需求做出调整
【选择上传文件】上传SP的metadata文件
【认证属性】需要根据应用平台的要求做出选择,常用属性为【用户名】、【邮箱】、【手机号】,勾选需要的属性。属性名可以做映射,即应用属性名可以修改为应用平台的属性名,例如用户名在IDaaS的属性名为username,在应用平台为userName,那么可以在用户名对应的应用属性名一栏填入userName,完成映射。点击【确定】,保存配置。
# 3 应用平台配置
配置方法相似,主要步骤是上传IDP的metadata。
# 4 分配应用权限
【用户服务管理】-->【用户管理】,找到需要分配应用的用户,【查看详情】
【应用信息】标签,【添加应用】
勾选刚刚配置的应用,【确定】
# 5 单点登录
登录分配了应用权限的账号,点击应用
跳转成功