Difference between AssertionConsumerServiceURL, Destination, Consent in <saml:AuthnRequest> (Java)
Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/21544844/
Asked by mavis
I have been trying to generate SAML object using opensaml-java.
Ref: slide #30 in https://www.oasis-open.org/committees/download.php/12958/SAMLV2.0-basics.pdf
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="true"
    AssertionConsumerServiceURL="http://www.example.com/"
    AttributeConsumingServiceIndex="0" ProviderName="string"
    ID="abe567de6"
    Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z"
    Destination="http://www.example.com/"
    Consent="http://www.example.com/" >
</samlp:AuthnRequest>
In this, Destination, Consent and AssertionConsumerServiceURL all three represent the same address. What are they actually representing?
[Q.1] Is there any difference between them? Surely there must be some difference, otherwise they wouldn't have all three things.
OR, if there is no difference, what are they representing?
EDIT 1: AssertionConsumerServiceURL is the landing page of the IdP where the assertion response message from the IdP is expected.
Answered by Vladimír Schäfer
Destination (defined in SAML 2 Core, lines 1477-1482)
Destination is the URL of the endpoint you are sending the message to. Typically SAML peers have different endpoints for different bindings, and the value is used at the IDP to verify that the received message was actually intended for the place where it was received. It helps mitigate certain attack scenarios.
Consent (defined in SAML 2 Core, lines 1483-1488)
The value is just advice to the IDP telling about the way the sender received permission from the principal (typically the user) to issue this SAML message on her behalf. It's optional and typically unused.
AssertionConsumerServiceURL (defined in SAML 2 Core, lines 2061-2067)
Identifies the URL at your side, where the peer IDP must send the response to. When you use this attribute you should also specify ProtocolBinding. The value is mutually exclusive with AssertionConsumerServiceIndex, so you shouldn't use both at the same time.
Answered by gazgas
The SAML specification defines three roles: the principal (typically a user), the Identity Provider (IdP), and the Service Provider (SP). [wiki]
The service provider requests (SAML Request) and obtains an identity assertion from the identity provider (SAML Response).
So AssertionConsumerServiceURL is at the Service Provider (SP) side. At this URL the Identity Provider (IdP) will send the SAML Response containing the assertions, and the Service Provider (SP) should have the facilities to read it.
According to my understanding the binding represents the way the SAML XML protocol messages will be transported (onto standard messaging formats) between SP and IdP. There is more than one way. For example:
- HTTP POST
- HTTP Redirect
- SAML SOAP Binding (based on SOAP 1.1)
and thus the SP might have more than one binding URL address, i.e.
- Assertion Consumer Service POST Binding URL
- Assertion Consumer Service Redirect Binding URL
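An added example, not from the question, from OpenSAML or from any project, showing what both answers above amount to on the IdP side: Destination must match the endpoint the request arrived at, Consent is advisory only, and an AssertionConsumerServiceURL is honoured only when it is registered for the named ProtocolBinding and is not combined with AssertionConsumerServiceIndex. The SP endpoint table, hostnames and sample request are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed SP endpoints as learned from its metadata (hypothetical hosts);
# index -> (ACS URL, binding), index 0 being the SP's default.
SP_ACS_ENDPOINTS = {
    0: ("https://sp.example.com/saml/acs/post", POST_BINDING),
    1: ("https://sp.example.com/saml/acs/redirect", REDIRECT_BINDING),
}

def validate_authn_request(xml_text, received_at_url):
    """IdP-side checks; returns the (ACS URL, binding) the Response may go to."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    # Destination names the IdP endpoint the SP addressed; it must equal the
    # endpoint the message actually arrived at (core lines 1477-1482).
    destination = root.get("Destination")
    if destination is not None and destination != received_at_url:
        raise ValueError("Destination %r != endpoint %r" % (destination, received_at_url))
    # Consent only says how the user agreed to the request; it never affects routing.
    acs_url = root.get("AssertionConsumerServiceURL")
    acs_index = root.get("AssertionConsumerServiceIndex")
    if acs_url is not None and acs_index is not None:
        raise ValueError("ACS URL and ACS Index are mutually exclusive")
    if acs_index is not None:
        if not acs_index.isdigit() or int(acs_index) not in SP_ACS_ENDPOINTS:
            raise ValueError("unknown AssertionConsumerServiceIndex %r" % acs_index)
        return SP_ACS_ENDPOINTS[int(acs_index)]
    if acs_url is not None:
        # The Response goes to the SP, so only an ACS URL the SP registered for
        # the named ProtocolBinding is acceptable, not any URL found in the request.
        binding = root.get("ProtocolBinding")
        if (acs_url, binding) not in SP_ACS_ENDPOINTS.values():
            raise ValueError("ACS URL %r not registered for %r" % (acs_url, binding))
        return acs_url, binding
    return SP_ACS_ENDPOINTS[0]

def is_rejected(xml_text, received_at_url):
    try:
        validate_authn_request(xml_text, received_at_url)
        return False
    except ValueError:
        return True

# Constructed SP request: Destination is the IdP endpoint, ACS URL is the SP's.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_req1" Version="2.0" IssueInstant="2014-02-04T12:00:00Z"
  Destination="https://idp.example.org/sso/redirect"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
  AssertionConsumerServiceURL="https://sp.example.com/saml/acs/post"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>"""
```

Feeding it the question's own shape, where all three attributes carry the same address, is rejected because that address is not a registered SP endpoint for the binding.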