Introduction to SAML 2.0
https://www.cnblogs.com/shuidao/p/3463947.html
https://www.jianshu.com/p/636c1ee16eba
php-saml
https://github.com/onelogin/php-saml
① Pull the library in directly with composer
composer require onelogin/php-saml
Problem encountered: an error saying the method XMLSecurityKey could not be found.
xmlseclibs is missing:
composer require robrichards/xmlseclibs
After pulling in xmlseclibs it still could not be found. I traced the cause to the namespace not being recognized, and writing the full path did not help either (the project comes first... abandoned this approach).
② Clone directly over SSH: [email protected]:onelogin/php-saml.git
The directory /php-saml/extlib/ contains xmlseclibs, so nothing extra needs to be required. On master, writing out the XML file raised an error; I could not track it down, possibly something to do with the file format (the project comes first... abandoned this approach).
③ Switch to the composer branch: git checkout composer
This works correctly.
④ Actual use
1. Go into the php-saml directory.
2. Copy settings-example.php and rename it settings.php.
3. Open settings.php and make the configuration described below.
4. settings.php is read when new OneLogin_Saml2_Auth() is constructed; when the request is issued it is rendered as XML, base64-encoded and passed to the IdP.
SP configuration: entityId and the assertionConsumerService (ACS) callback URL. When I did the integration I handed these to the IdP side, since they need to configure them as well.
IdP configuration: entityId, singleSignOnService (the request URL) and x509cert are provided by the IdP; the x509cert is supplied by the IdP as a .crt file.
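As an added example (not the project's own settings-example.php), here is a settings.php laid out the way php-saml expects, with the SP values from step 3 on one side and the IdP-supplied values on the other. Every URL, entity ID and the certificate path are constructed placeholders. The 'security' keys are the ones php-saml reads from advanced_settings.php; the library merges the two files, so they can also live here.

```php
<?php
// Added example of a php-saml settings.php (not the project's own settings-example.php).
// URLs, entity IDs and the certificate path are constructed placeholders: replace them
// with the values exchanged with the IdP.
//
// 'strict' => true is what makes the library reject a SAMLResponse whose Issuer,
// Destination or Audience does not match this file, so keep it on in production.

// The IdP usually hands over its signing certificate as a .crt file. php-saml accepts the
// PEM body with or without the BEGIN/END lines; reading the file keeps settings.php and
// the file in sync, which avoids the "x509cert does not match" failure.
$idpCertFile = __DIR__ . '/certs/idp.crt';   // assumed path
$idpCert = is_readable($idpCertFile) ? file_get_contents($idpCertFile) : '';

$settings = array(
    // Reject responses that do not match the configured entity IDs / URLs.
    'strict' => true,
    // Verbose error messages; leave off in production.
    'debug' => false,

    // Service Provider: these values are also handed to the IdP side.
    'sp' => array(
        'entityId' => 'https://sp.example.com/metadata',          // placeholder
        'assertionConsumerService' => array(
            // Must be exactly the URL the IdP POSTs the SAMLResponse to.
            'url' => 'https://sp.example.com/acs.php',             // placeholder
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        'singleLogoutService' => array(
            'url' => 'https://sp.example.com/sls.php',             // placeholder
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        // Only needed when the SP signs its requests or decrypts assertions.
        'x509cert' => '',
        'privateKey' => '',
    ),

    // Identity Provider: all three values come from the IdP.
    'idp' => array(
        'entityId' => 'https://idp.example.com/metadata',         // placeholder
        'singleSignOnService' => array(
            'url' => 'https://idp.example.com/sso',                // placeholder
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'singleLogoutService' => array(
            'url' => 'https://idp.example.com/slo',                // placeholder
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Public certificate the IdP signs responses/assertions with (from the .crt file).
        'x509cert' => $idpCert,
    ),

    // Signature expectations. Requiring signed assertions means an unsigned or
    // tampered response is rejected instead of being accepted silently.
    'security' => array(
        'wantAssertionsSigned' => true,
        'wantMessagesSigned' => false,
    ),
);
```

The three failures listed later in the troubleshooting section (idp entityId, ACS URL, x509cert) are all comparisons against exactly these keys, so when one of them fires, this file is the first place to look.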
⑤ SP initiates the request
Put your own logic here; the usage is simply this:
<?php
session_start();
require_once dirname(__DIR__) . '/repair/php-saml/_toolkit_loader.php';
// Builds the AuthnRequest from settings.php and redirects the browser to the IdP's SSO URL.
$auth = new OneLogin_Saml2_Auth();
$auth->login();
⑥ SP ACS callback
The IdP POSTs to the callback URL (the SP's ACS) carrying the base64-encoded SAMLResponse.
Put your own logic here; the usage is simply this, and $auth->getAttributes() retrieves the user's data.
<?php
session_start();
require_once dirname(__DIR__) . '/repair/php-saml/_toolkit_loader.php';
$auth = new OneLogin_Saml2_Auth();
// Decodes and validates $_POST['SAMLResponse'] (signature, issuer, destination, conditions)
$auth->processResponse();
$errors = $auth->getErrors();
// Check whether validation failed
if (!empty($errors)) {
    echo '<p>' . htmlspecialchars(implode(', ', $errors)) . '</p>';
    exit();
}
// Check whether the user is logged in
if (!$auth->isAuthenticated()) {
    echo "<p>Not authenticated</p>";
    exit();
}
// Retrieve the user's data
$attributes = $auth->getAttributes();
$nameId = $auth->getNameId();
Problems reported by $auth->processResponse() (these are the ones I ran into); basically, once the configuration is right there are no issues.
1. The idp entityId in settings.php does not match the one returned in the SAMLResponse: fails.
2. The ACS URL does not match the one the idp returns: fails.
3. The idp x509cert in settings.php does not match the key in the .crt file the idp supplied: fails.
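The three failures above are all mismatches between settings.php and fields inside the SAMLResponse. The following added diagnostic (not part of php-saml) decodes a SAMLResponse with only DOMDocument/DOMXPath and reports which of the three is off, so the error can be pinned down before processResponse() is called. $settings has the same shape as php-saml's settings.php; the sample response and certificate value at the bottom are constructed.

```php
<?php
// Added diagnostic (not part of php-saml): compare a SAMLResponse against settings.php
// and name the mismatch. Only DOMDocument/DOMXPath are used. The sample response and
// settings at the bottom are constructed.

function saml_response_diagnostics($samlResponseB64, array $settings)
{
    $problems = array();

    $xml = base64_decode($samlResponseB64, true);
    if ($xml === false) {
        return array('SAMLResponse is not valid base64');
    }
    // Refuse DTDs / entity declarations before parsing, as php-saml's own loader does.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        return array('SAMLResponse contains a DOCTYPE or ENTITY declaration; refusing to parse');
    }
    $dom = new DOMDocument();
    if (!@$dom->loadXML($xml, LIBXML_NONET)) {
        return array('SAMLResponse is not well-formed XML');
    }

    $xp = new DOMXPath($dom);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

    // First matching node's text, or null when absent.
    $text = function ($query) use ($xp) {
        $nodes = $xp->query($query);
        return $nodes->length ? trim($nodes->item(0)->nodeValue) : null;
    };

    // 1. idp entityId must equal the Issuer of the response.
    $issuer = $text('/samlp:Response/saml:Issuer');
    if ($issuer !== $settings['idp']['entityId']) {
        $problems[] = "idp.entityId mismatch: settings='{$settings['idp']['entityId']}' response='{$issuer}'";
    }

    // 2. Destination must equal our ACS URL, and Audience must equal our sp entityId.
    $dest = $text('/samlp:Response/@Destination');
    $acs = $settings['sp']['assertionConsumerService']['url'];
    if ($dest !== null && $dest !== $acs) {
        $problems[] = "ACS mismatch: settings='{$acs}' response Destination='{$dest}'";
    }
    $audience = $text('//saml:Audience');
    if ($audience !== null && $audience !== $settings['sp']['entityId']) {
        $problems[] = "sp.entityId mismatch: settings='{$settings['sp']['entityId']}' Audience='{$audience}'";
    }

    // 3. Certificate embedded in the signature must be the one configured in settings.php.
    $embedded = $text('//ds:X509Certificate');
    if ($embedded !== null) {
        $norm = function ($pem) {
            $pem = preg_replace('/-----(BEGIN|END) CERTIFICATE-----/', '', $pem);
            return preg_replace('/\s+/', '', $pem);
        };
        $cfg = $norm($settings['idp']['x509cert']);
        $got = $norm($embedded);
        if ($cfg !== $got) {
            $fp = function ($b64) { return sha1(base64_decode($b64)); };
            $problems[] = 'idp.x509cert mismatch: settings fingerprint=' . $fp($cfg)
                        . ' response fingerprint=' . $fp($got);
        }
    }
    return $problems;
}

// --- constructed sample: the Issuer does not match the configured idp entityId ---
$settings = array(
    'sp'  => array('entityId' => 'https://sp.example.com/metadata',
                   'assertionConsumerService' => array('url' => 'https://sp.example.com/acs.php')),
    'idp' => array('entityId' => 'https://idp.example.com/metadata', 'x509cert' => 'MIIB...placeholder'),
);
$sampleXml = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    . ' Destination="https://sp.example.com/acs.php">'
    . '<saml:Issuer>https://idp.example.com/metadata-old</saml:Issuer>'
    . '<saml:Assertion><saml:Conditions><saml:AudienceRestriction>'
    . '<saml:Audience>https://sp.example.com/metadata</saml:Audience>'
    . '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    . '</samlp:Response>';
print_r(saml_response_diagnostics(base64_encode($sampleXml), $settings));
```

Two caveats: if the IdP encrypts its assertions, Audience sits inside EncryptedAssertion and the second check will find nothing (the Destination and certificate checks still apply to the outer Response), and this script only explains a mismatch; it does not verify the signature, so it is no substitute for processResponse().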
⑦ Analysis
The user requests the SP through the browser. The SP receives the request and checks whether the user is already logged in; if so, the user goes straight to the SP's application page. If not, the SP issues a request that redirects to the IdP.
The login happens on the IdP side. On success the IdP calls back (if the login fails, the IdP's flow does not complete and nothing comes back) to the SP's ACS URL; the ACS reads the logged-in user's information, checks permissions and serves the appropriate page.
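The SP-side flow described above, as an added example that is not code from the original post: an entry page that checks the session and sends unauthenticated users to the IdP with a RelayState, and an ACS that validates the response, stores the attributes, and only follows a RelayState that points back into this SP. The loader path is the author's; the application URL, script names and session keys are assumptions.

```php
<?php
// Added example of the SP-side flow (not code from the original post).
// Paths, URLs and session keys are assumptions.
session_start();
require_once dirname(__DIR__) . '/repair/php-saml/_toolkit_loader.php';  // author's path

// Only allow RelayState values that are paths on this SP, never another host or a
// protocol-relative URL, so a crafted link cannot turn the ACS into an open redirect.
function safe_relay_state($relayState, $default = '/app/')
{
    if (!is_string($relayState) || $relayState === '') {
        return $default;
    }
    $parts = parse_url($relayState);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    $path = isset($parts['path']) ? $parts['path'] : '';
    // Must start with a single "/" that is not followed by "/" or "\".
    if (!preg_match('#^/(?![/\\\\])#', $path)) {
        return $default;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Entry point: the user requests the SP.
function sp_entry()
{
    if (!empty($_SESSION['samlUserdata'])) {
        // Already logged in: go straight to the application page.
        header('Location: /app/');
        exit();
    }
    $auth = new OneLogin_Saml2_Auth();
    // Remember where the user wanted to go; the IdP echoes RelayState back to the ACS.
    $returnTo = safe_relay_state(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/app/');
    $auth->login($returnTo);   // redirects the browser to the IdP's SSO URL
}

// ACS: the IdP POSTs the SAMLResponse here after a successful login.
function sp_acs()
{
    $auth = new OneLogin_Saml2_Auth();
    $auth->processResponse();
    $errors = $auth->getErrors();
    if (!empty($errors)) {
        // Keep the detail in the server log; show the user only a generic message.
        error_log('SAML ACS error: ' . implode(', ', $errors));
        http_response_code(400);
        echo '<p>Login failed</p>';
        exit();
    }
    if (!$auth->isAuthenticated()) {
        http_response_code(403);
        echo '<p>Not authenticated</p>';
        exit();
    }
    // Rotate the session id so the pre-login session cannot be reused.
    session_regenerate_id(true);
    $_SESSION['samlUserdata'] = $auth->getAttributes();
    $_SESSION['samlNameId']   = $auth->getNameId();

    $relayState = isset($_POST['RelayState']) ? $_POST['RelayState'] : '';
    header('Location: ' . safe_relay_state($relayState));
    exit();
}

// Route by script name (assumption: acs.php is the URL configured as the ACS).
if (basename($_SERVER['SCRIPT_NAME']) === 'acs.php') {
    sp_acs();
} else {
    sp_entry();
}
```

The RelayState check matters because in an IdP-initiated login the value arrives from outside the SP; restricting it to a local path keeps the "return to where the user was going" behaviour without letting the ACS redirect anywhere else.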
SP MetaData XML
<?xml version="1.0"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2017-03-22T03:38:44Z"
cacheDuration="PT604800S"
entityID="SPID"
ID="pfx4db3d6e9-bef2-9b2b-961e-a85a811c95cd">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx4db3d6e9-bef2-9b2b-961e-a85a811c95cd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>5tn7T+Huj5/oATHzs1AprexGP9c=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xgCIo5ZlGdLhDKOMvVMNco3bVdrtkb4qlPmg9VoA4TnuzIlHhHh5l3gFWTDdysOdXUQdRd9lzV69BgAMeXZsmrB1D41zM/84aegE0+YPFuDmqWQGHlebR8yg6/U4AxFqbwysuEsShZlmcfOXsW7rprea8yRYV00noVMnkpLGb30=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.samltool.com/logout"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.samltool.com/consume" index="1"/>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">topsecsp</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">gatewaysp</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://www.samltool.com/topsecgates</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>spgivenname</md:GivenName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>spgivenname2</md:GivenName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
IDP MetaData XML example
<?xml version="1.0"?>
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2017-03-22T03:34:04Z"
cacheDuration="PT1490585644S"
entityID="IDP"
ID="pfx86cbd802-0592-6a71-85e5-a41c784d83fe">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx86cbd802-0592-6a71-85e5-a41c784d83fe">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>J+LkZwC6iL9SJnto7T6vc3YjgH8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Krol/IicGEToYJCFTOvMii5XYspdlVDUB7oUETrrR33BcbFEHiskFMJilPo86Awkw5GpaK4XiLdVH2W/LCDPdAX9mVGTJfUdjwF3+LW1kEF+Woiwerxw60oL8WPF+g38N/2Jnhy8wXmHWhUWeSae2v7HICy94SnwDdsT/3dlk+E=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor
WantAuthnRequestsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.samltool.com/logout"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.samltool.com/login"/>
</md:IDPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">topsec</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">gateway</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">https://www.samltool.com/gateway</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>testIDP</md:GivenName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>testID</md:GivenName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>