本文介绍了如何将声明添加到SAML IDP元数据的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我构建了SSO集成项目,我将作为IdP身份提供商,我们的第三方将作为SP服务提供商。
我使用此代码https://github.com/OTA-Insight/djangosaml2idp来准备我的IdP。一切正常,我已经通过https://sptest.iamshowcase.com/进行了测试。但我有个问题如何将声明添加到此生成的元数据,以便帮助我们的SP使用它?
以下是生成的元数据文件:
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
这是我的尝试,是否正确?
第一次尝试:是否通过添加AttributeConsumer ingService?但是我不确定SPSSODescriptor标记?
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:SPSSODescriptor>
</ns0:EntityDescriptor>
第二次尝试:或将AttributeConsumer ingService添加到IDPSSODescriptor,如下所示?
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z">
<ns0:Extensions>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
</ns0:Extensions>
<ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<ns0:KeyDescriptor use="signing">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:KeyDescriptor use="encryption">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>
MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4=
</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns0:KeyDescriptor>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</ns0:NameIDFormat>
<ns0:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</ns0:NameIDFormat>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/>
<ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/>
<ns0:AttributeConsumingService index="1">
<ns0:ServiceName xml:lang="en"/>
<ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/>
<ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
<ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/>
<ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/>
</ns0:AttributeConsumingService>
</ns0:IDPSSODescriptor>
</ns0:EntityDescriptor>
注意:djangosaml2idp-由Django python框架构建的IdP的SSO SAML
感谢您的支持
推荐答案
RequestedAttribute用于服务提供商(SP)元数据。这是SP了解其需要哪些属性的一种方式,但受IdP释放这些属性的制约。AttributeConsumingService也是SP元数据的一部分。
每个here都有一个示例。
这篇关于如何将声明添加到SAML IDP元数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!