SAML 2.0 SSO 登录配置

SAML 2.0工作流程

提供SP Metadata给IDP

SP指的是程序方，IDP是指SAML server方
The SP Metadata build on sp_metadata
一般情况下只需要输入EntityId 和ACS url就行了

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2023-09-13T09:33:35Z"
                     cacheDuration="PT604800S"
                     entityID="UAT">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://uat:8088/api/v1/SSO/AuthBack"
                                     index="1" />
        
    </md:SPSSODescriptor>
</md:EntityDescriptor>

需要客户提供SAML 2.0的登录URL ： https://client.com/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/qa/username&spEntityID=UAT

SAMLResponse

ACS url（一个sso回调URL）接收到samlresponse，需要对response进行解析

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s27d01aa107fdb40dfa34dabbf5f000a7fc9d10236" Version="2.0" IssueInstant="2022-07-13T15:49:34Z" Destination="http://uat:8088/api/v1/SSO/AuthBack">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">qa_elc_am</saml:Issuer>
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2b83995a1e81173dc8241e00a13cccb6b5752b143" IssueInstant="2022-07-13T15:49:34Z" Version="2.0">
<saml:Issuer>username</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#s2b83995a1e81173dc8241e00a13cccb6b5752b143">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>KgQ9OoB3a+meUL0BUHCLk7fbnHA56LDLVAeW3jQcgdI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>bEyN7IAzChrcZys7p2M7UEuw000BIrxESpIezAtRwmo4I9AeW3Xg67rmUlKpfUm5b9VAuvpHhAXmQ+/htbKu78TTSZS+9vsRcY9nLMWpZV/2wRPIdhOQRwPXGETAfsLa6onXse8tUKJAodORojah4iCutMqR9MX3c891v8Oy5aNeIl3p0Vobk8Z3jQyByK++d271nTEYik6tUEygflzrU8ePpi6gp6bsvDAt7AA2apqlnxc4TpRMoqTygnOrXjHct1HwBY/lZSqpfw+LK6Cp0TDReE1rUdfACjbTpntnkOABFWPTWrtcMu5zs3gG9BSeSqLE98E40yGKbXmId6pWLQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIHvTCCBaWgAwIBAgITWgADj/nUWNXtKxLBugAAAAOP+TANBgkqhkiG9w0BAQsFADBtMRMwEQYKCZImiZPyLGQBGRYDbmV0MRswGQYKCZImiZPyLGQBGRYLZWxjb21wYW5pZXMxEjAQBgoJkiaJk/IsZAEZFgJhbTElMCMGA1UEAxMcRVNURUUtRU5URVJQUklTRS1JU1NVSU5HLUNBMTAeFw0yMjA2MDExNjU4NTdaFw0yNDA1MzExNjU4NTdaMIGlMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHTmV3WW9yazEQMA4GA1UEBxMHTmV3WW9yazEUMBIGA1UEChMLRUxDb21wYW5pZXMxLjAsBgNVBAMTJWlhbS1xYS1lbGNzYW1sanVuMjRxYS5lbGNvbXBhbmllcy5jb20xLDAqBgkqhkiG9w0BCQEWHUVMQy1XaXByby1Gb3JnZVJvY2tAZXN0ZWUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoYZpprH4zBWpHEd6a5bSc38Cb91k//808aHFMTQiVGFQMH67hlYXN2x1HfsUnCpjkqNZ6U0DeGqT7IQLm/Gez+3xAokuTrIbGV9y0/Sg9sR0/U7m5ja+yvDIXRLa0e2Xgf75EjrISFF7ZINJkJVdqi9NZCwxSLBnldbwuzQmMO+/Zvm/PvOcPl/ENuaPmu2sNGivSOCGhm5/qC5dlHlsSnXwl5xlzvN090f+fb703kUAX0cXDgjHwf4TnFNr8M0K1JznwrfpxxnW+u/4AwfBODjQIbdIStRo41RyrqX0Fq5eNSExXksSdXVGwF/WyNoRU6wVqt3Gd3/k8jlee4fqQwIDAQABo4IDGzCCAxcwHQYDVR0OBBYEFHpx/eSkJSc7l99tXxHyU5igjRAWMB8GA1UdIwQYMBaAFCgarzgLy4xxcVi5WwvjXdMfcPlvMIIBZwYDVR0fBIIBXjCCAVowggFWoIIBUqCCAU6Ggc9sZGFwOi8vL0NOPUVTVEVFLUVOVEVSUFJJU0UtSVNTVUlORy1DQTEsQ049RUxDLUlTU1VJTkctQ0ExLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWVsY29tcGFuaWVzLERDPW5ldD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGPGh0dHA6Ly9DcmwxLmVsY29tcGFuaWVzLmNvbS9FU1RFRS1FTlRFUlBSSVNFLUlTU1VJTkctQ0ExLmNybIY8aHR0cDovL0NybDIuZWxjb21wYW5pZXMuY29tL0VTVEVFLUVOVEVSUFJJU0UtSVNTVUlORy1DQTEuY3JsMIHTBggrBgEFBQcBAQSBxjCBwzBIBggrBgEFBQcwAoY8aHR0cDovL0NybDEuZWxjb21wYW5pZXMuY29tL0VTVEVFLUVOVEVSUFJJU0UtSVNTVUlORy1DQTEuY3J0MEgGCCsGAQUFBzAChjxodHRwOi8vQ3JsMi5lbGNvbXBhbmllcy5jb20vRVNURUUtRU5URVJQUklTRS1JU1NVSU5HLUNBMS5jcnQwLQYIKwYBBQUHMAGGIWh0dHA6Ly9PY3NwMS5lbGNvbXBhbmllcy5jb20vb2NzcDAOBgNVHQ8BAf8EBAMCBeAwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIhrKAK4WO2HmCjZ0+hq71F4bv5jiBUrKyR6iRKwIBZAIBMzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAEqHFCBlChl0fdLBJ/z9r1XAkKRjNvWoyIlaw2DNaPIgxMbrl0wDWDhZ+9wUDRDn+RyM46AFjrKJ0hScTWApL+8Br5cZLM3uVl9FMxoO1c7S2Aj1qc311i6J0c+/b4mLILkvz9pQqZUfe+mBHzybAsfQz/9JzKzzxbIGz3XrYZp8ByrldRPUV3ieJuaLQSAnwOOAyny/kFvGFGB2XOtGqw/6BHP9Bcuh4piy8fFoKSp7iiukayMJQlwR+vI5vKmAVoUW8dPhcQaA3crpClPzQxJjw461IPpCUi6gA5e7GU/gAjaoTSoWD476Bwi8YplEUC5LOvGsjXemdGEFtZJBq22U6NibVuFEaVn1NRzVIi7Vb64/BDPk+R9K7CZz0hMrg5B9nazkoQMEpIv9VqwyiBAz88Ro99xBy93Ypv2wlFfzhkbbQb3LCyzDvtF/Lf/N+SELtl+uy+bdOi7uJSh/C6Xcnw2xdQfVQY3cbx3k3ef/8Cfx+HLgfBIlrGt5QYdsJV4VUIGoElpMfC5gCxDmqCu201n0XSuxVFFXCke/D15wxxKuX1/wzW37obBvab0kwzW1cyBPmpL5osYVG1yronvrgZAp3KsHhbd1ZI6GUZpDdVqEzWPq5tIj8cY4nB6n1MSHNPn3Zd2w29JA/unH+JgsCuZ6L+rWBJBFfg3G5yWM=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="qa_elc_am" SPNameQualifier="HBS_UAT">akolanup@estee.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2022-07-13T15:59:34Z" Recipient="http://uat:8088/api/v1/SSO/AuthBack"></saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2022-07-13T15:39:34Z" NotOnOrAfter="2022-07-13T15:59:34Z">
<saml:AudienceRestriction>
<saml:Audience>UAT</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2023-09-13T09:33:35Z" SessionIndex="s2175cf5b9655927157d33b5ad127fda80cbc9f501">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>

samlp:StatusCode ：只有是status:Success才表示sso登录成功
saml:Audience：这个要和你SP metadata里面的EntityId对应才可以，避免环境错乱
saml:NameID：这个就是登录的用户ID，需要和HBS系统管理里面的user对应起来

以上三点都验证通过才能进入系统，然后去组织token等信息返回给前端

SSO登录成功之后回传验证页面
/sso/result?code=0&token=xxx&userId=xxxx&tenantCode=xxx&userCode=xxxx&userName=xxx&tenantDescription=xxx&msg=xxx

code=0 sso登录成功，将token和user、tenant等信息存到localstrorage，并且进入首页
code=-1 sso登录不成功，需要在页面上显示错误信息（不是弹框）并且还要显示两个按钮
【重新登录】再次重定向到ssourl
【密码方式登录】返回到登录首页

本栏目推荐文章
• VMware中安装CNA8.2.0版本步骤
• 智能分析网关V4算法配置步骤2.0——睡岗检测
• 实现单点登录（SSO）
• Vite+Vue3+vite-plugin-style-import 2.0按需引入vant 4组件
• MD-NEXT 2.0 (Windows) - 移动取证软件
• 【2.0】ATM功能实现
• 饭卡(容器)2.0
• ubuntu 20.04.6 LTS (Focal Fossa) 升级openssh9.6p1,zlib1.3,openssl3.2.0
• udesk sso
• Go语言微服务框架重磅升级：dubbo-go v3.2.0 -alpha 版本预览

SAML 2.0 SSOsaml 2.0 sso saml2 saml java sso saml2 saml saml-based authentication delegated saml2 saml saml-based based saml flow microsoft程序azure saml sso sso2