SAML 2.0 introduction
https://www.cnblogs.com/shuidao/p/3463947.html
https://www.jianshu.com/p/636c1ee16eba
php-saml
https://github.com/onelogin/php-saml
① Pull it in directly with composer
composer require onelogin/php-saml
Problem encountered: the error says the method XMLSecurityKey was not found
xmlseclibs is missing
composer require robrichards/xmlseclibs
After adding xmlseclibs it still could not be found. Tracked the cause down to the namespace not being recognised; writing the fully qualified path did not help either (the project comes first... gave up on this approach)
② Clone directly over SSH: git@github.com:onelogin/php-saml.git
The directory /php-saml/extlib/ already contains xmlseclibs, so nothing extra needs to be required. On master, writing out the XML file raised an error; could not track it down, possibly related to the file format (the project comes first... gave up on this approach)
③ Switch to the composer branch: git checkout composer
Works correctly
④ Actual usage
1. Enter the php-saml directory
2. Copy settings-example.php and rename it settings.php
3. Open settings.php and make the configuration below
4. settings.php is read when new OneLogin_Saml2_Auth() is constructed and turned into XML; when the request is issued it is base64-encoded and passed to the IdP
SP configuration: entityId and the assertionConsumerService (ACS) callback URL. When I did the integration these were handed to the IdP side, which also has to configure them.
IdP configuration: entityId, singleSignOnService (the request URL) and x509cert are provided by the IdP side; the x509cert comes from the IdP as a file in crt format.
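What a settings.php for this integration can look like, as an added example: it is neither php-saml's settings-example.php nor the author's configuration, and every URL, entity ID and file path in it is a placeholder. The comments mark the three values that the IdP side and, later, processResponse() compare against the SAMLResponse. The signing requirements belong in advanced_settings.php, which php-saml reads alongside settings.php; that part is shown as a second section in the same listing.

```php
<?php
// Added example settings.php for php-saml (not the project's own file).
// Every URL, entity ID and path below is a placeholder to be replaced.

$spBaseUrl = 'https://sp.example.com';            // placeholder: this SP's public URL

// The IdP delivers its signing certificate as a .crt file. php-saml accepts the
// PEM text with or without the BEGIN/END CERTIFICATE lines, so load it as-is.
$idpCertFile = __DIR__ . '/certs/idp.crt';        // placeholder path
$idpCert = is_readable($idpCertFile) ? file_get_contents($idpCertFile) : '';

$settings = array(
    // In strict mode php-saml rejects a response whose Issuer, Destination,
    // Audience, timestamps or signature do not match this configuration.
    // Only set it to false temporarily while debugging against a test IdP.
    'strict' => true,
    'debug'  => false,

    // --- SP side: hand entityId and the ACS URL to the IdP administrator ---
    'sp' => array(
        // compared: must equal the <saml:Audience> the IdP puts in the assertion
        'entityId' => $spBaseUrl . '/saml/metadata.php',
        'assertionConsumerService' => array(
            // compared: must equal the Destination the IdP POSTs the response to
            'url'     => $spBaseUrl . '/saml/acs.php',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        'singleLogoutService' => array(
            'url'     => $spBaseUrl . '/saml/sls.php',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        // Only needed when the SP signs its requests or receives encrypted assertions.
        'x509cert'   => '',
        'privateKey' => '',
    ),

    // --- IdP side: all values come from the IdP administrator or IdP metadata ---
    'idp' => array(
        // compared: must equal the <saml:Issuer> of the SAMLResponse
        'entityId' => 'https://idp.example.com/saml/metadata',     // placeholder
        'singleSignOnService' => array(
            'url'     => 'https://idp.example.com/saml/sso',       // placeholder
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'singleLogoutService' => array(
            'url'     => 'https://idp.example.com/saml/slo',       // placeholder
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // compared: must be the certificate whose key signed the response
        'x509cert' => $idpCert,
    ),
);

// --- advanced_settings.php (a separate file in the same directory) ---
// Signing requirements live here, not in settings.php. The SP metadata later
// on this page is signed with rsa-sha1; signatureAlgorithm moves the SP's own
// signatures to SHA-256.
$advancedSettings = array(
    'security' => array(
        // Reject a response whose assertion is unsigned, even if the envelope is signed.
        'wantAssertionsSigned' => true,
        'wantMessagesSigned'   => false,
        'wantXMLValidation'    => true,
        'signatureAlgorithm'   => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),
);
```

With these two files in the php-saml directory, new OneLogin_Saml2_Auth() with no arguments picks them up, which is the call used in the snippets that follow.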
⑤ SP initiates the request
Put your own logic here; the usage is just this:
<?php
session_start();
// Loader from the cloned toolkit; /repair/php-saml/ is where this project keeps the checkout
require_once dirname(__DIR__) . '/repair/php-saml/_toolkit_loader.php';
// Reads settings.php (and advanced_settings.php) from the toolkit directory
$auth = new OneLogin_Saml2_Auth();
// Builds the AuthnRequest and redirects the browser to the IdP singleSignOnService URL
$auth->login();
⑥ SP ACS callback
The IdP POSTs to the callback URL (the SP ACS), carrying back the encoded SAMLResponse
Put your own logic here; the usage is just this. The method $auth->getAttributes() fetches the data.
<?php
session_start();
require_once dirname(__DIR__) . '/repair/php-saml/_toolkit_loader.php';
$auth = new OneLogin_Saml2_Auth();
// Parse and validate $_POST['SAMLResponse'] against settings.php
$auth->processResponse();
$errors = $auth->getErrors();
// Check whether validation failed
if (!empty($errors)) {
    print_r('<p>' . implode(', ', $errors) . '</p>');
    exit();
}
// Check whether the user actually authenticated
if (!$auth->isAuthenticated()) {
    echo "<p>Not authenticated</p>";
    exit();
}
// Fetch the attributes the IdP asserted (the return value is the data)
$attributes = $auth->getAttributes();
print_r($attributes);
Problems reported by $auth->processResponse() (these are the ones I ran into); once the configuration is right there is basically nothing wrong:
1. The idp entityId in settings.php does not match the one returned in the SAMLResponse: GG.
2. The ACS URL does not match the one the IdP returns: GG.
3. The idp x509cert in settings.php does not match the key in the crt file the IdP provided: GG.
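The three failures above are all disagreements between settings.php and what the IdP actually sent. The following troubleshooting helper is an added example, not part of php-saml: it decodes the posted SAMLResponse (HTTP-POST binding, base64 only) and names which configured value differs, so the failure has a cause attached. It reads the XML only; signature verification remains the job of processResponse(). The settings array layout follows php-saml's settings.php (sp.entityId, sp.assertionConsumerService.url, idp.entityId, idp.x509cert); the sample response and sample settings at the bottom are constructed.

```php
<?php
// Added troubleshooting helper (not part of php-saml): report which of the
// configured values disagrees with a posted SAMLResponse.

/** Strip PEM armour and whitespace so two renderings of one certificate compare equal. */
function samlNormalizeCert($cert)
{
    $cert = preg_replace('/-----(BEGIN|END) CERTIFICATE-----/', '', (string) $cert);
    return preg_replace('/\s+/', '', $cert);
}

/**
 * Returns a list of mismatch descriptions between a base64 SAMLResponse and
 * the SP settings. An empty list means the configured values agree with it.
 */
function samlResponseMismatches($samlResponseB64, array $settings)
{
    $xml = base64_decode($samlResponseB64, true);
    if ($xml === false) {
        return array('SAMLResponse is not valid base64');
    }
    // The response is untrusted input until its signature is verified:
    // refuse DTDs and keep the parser off the network.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return array('SAMLResponse contains a DOCTYPE; refusing to parse');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return array('SAMLResponse is not well-formed XML');
    }

    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion');
    $xp->registerNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#');

    $issuer      = $xp->evaluate('string(/samlp:Response/saml:Issuer)');
    $destination = $xp->evaluate('string(/samlp:Response/@Destination)');
    // Empty when the IdP sends an <saml:EncryptedAssertion>; skipped below in that case.
    $audience = $xp->evaluate('string(/samlp:Response/saml:Assertion/saml:Conditions'
                            . '/saml:AudienceRestriction/saml:Audience)');
    // Empty when the IdP omits <ds:KeyInfo> from its signature.
    $embeddedCert = $xp->evaluate('string((//ds:X509Certificate)[1])');

    $problems = array();
    if ($issuer !== $settings['idp']['entityId']) {
        $problems[] = "idp.entityId is '{$settings['idp']['entityId']}' but the response Issuer is '$issuer'";
    }
    $acs = $settings['sp']['assertionConsumerService']['url'];
    if ($destination !== '' && $destination !== $acs) {
        $problems[] = "sp.assertionConsumerService.url is '$acs' but the response Destination is '$destination'";
    }
    if ($audience !== '' && $audience !== $settings['sp']['entityId']) {
        $problems[] = "sp.entityId is '{$settings['sp']['entityId']}' but the assertion Audience is '$audience'";
    }
    if ($embeddedCert !== ''
        && samlNormalizeCert($embeddedCert) !== samlNormalizeCert($settings['idp']['x509cert'])) {
        $problems[] = 'idp.x509cert differs from the certificate embedded in the response signature';
    }
    return $problems;
}

// Constructed, unsigned sample (not a real IdP response): the IdP was given an
// ACS URL that differs from the configured one, the situation in item 2 above.
$sampleSettings = array(
    'sp'  => array('entityId' => 'https://sp.example.com/saml/metadata.php',
                   'assertionConsumerService' => array('url' => 'https://sp.example.com/saml/acs.php')),
    'idp' => array('entityId' => 'https://idp.example.com/saml/metadata', 'x509cert' => ''),
);
$sampleXml = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"'
    . ' IssueInstant="2017-03-15T03:38:44Z" Destination="https://sp.example.com/acs">'
    . '<saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>'
    . '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-15T03:38:44Z">'
    . '<saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>'
    . '<saml:Conditions><saml:AudienceRestriction>'
    . '<saml:Audience>https://sp.example.com/saml/metadata.php</saml:Audience>'
    . '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>';

foreach (samlResponseMismatches(base64_encode($sampleXml), $sampleSettings) as $problem) {
    echo $problem, "\n";
}
```

In the real acs.php, pass $_POST['SAMLResponse'] together with the live configuration, which php-saml exposes as arrays through $auth->getSettings()->getSPData() and $auth->getSettings()->getIdPData(); run it only when getErrors() is non-empty so the diagnostic never replaces the library's own validation.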
⑦ Analysis
The user requests the SP through the browser. The SP receives the request and checks whether the user is already logged in; if so, the user goes straight to the SP application page. If not, the SP issues a request that redirects the browser to the IdP.
The user logs in on the IdP side. On success the IdP calls back (on failure the IdP's own flow does not complete, so there is no callback) to the SP's ACS URL; the ACS takes the logged-in user's information, checks permissions and serves the appropriate page.
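The flow described above, as an added example rather than php-saml's own demo code: a helper file that both the protected SP page and acs.php include. Protected pages call requireSamlLogin(), which checks the SP session before sending anyone to the IdP; acs.php calls completeSamlLogin() after the getErrors() and isAuthenticated() checks from section ⑥. The part the bare flow leaves out is the RelayState check: redirecting to an unchecked RelayState turns the ACS into an open redirect. The loader path is the one used on this page; the session key names are this example's choice.

```php
<?php
// Added example (not php-saml's demo code): SP session gate plus ACS completion.
// Include from the protected page and from acs.php.
session_start();
require_once dirname(__DIR__) . '/repair/php-saml/_toolkit_loader.php'; // path as used on this page

/** True when this SP session already holds the result of a processed SAMLResponse. */
function hasSamlSession()
{
    return isset($_SESSION['samlUserdata'], $_SESSION['samlNameId']);
}

/** Accept only a same-site path as a post-login target; anything else falls back to $default. */
function safeLocalPath($candidate, $default = '/')
{
    if (!is_string($candidate) || $candidate === '' || $candidate[0] !== '/') {
        return $default;
    }
    // "//host/..." and "/\host/..." are treated by browsers as absolute URLs.
    if (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $default;
    }
    if (preg_match('/[\r\n]/', $candidate)) {   // header injection guard
        return $default;
    }
    return $candidate;
}

/** Gate for protected SP pages: returns the attributes, or sends the browser to the IdP. */
function requireSamlLogin()
{
    if (hasSamlSession()) {
        return $_SESSION['samlUserdata'];
    }
    $auth = new OneLogin_Saml2_Auth();
    // login() builds the AuthnRequest, deflates and base64-encodes it, and redirects
    // to the IdP singleSignOnService; its argument is carried back as RelayState.
    $auth->login(safeLocalPath(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : null));
    exit();
}

/** ACS completion: bind the IdP's assertion to a fresh session and return to the requested page. */
function completeSamlLogin(OneLogin_Saml2_Auth $auth)
{
    // New session id at the moment of authentication, so an id handed to the
    // browser before login cannot be reused for the authenticated session.
    session_regenerate_id(true);
    $_SESSION['samlUserdata']     = $auth->getAttributes();
    $_SESSION['samlNameId']       = $auth->getNameId();
    $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();

    $target = safeLocalPath(isset($_POST['RelayState']) ? $_POST['RelayState'] : null);
    header('Location: ' . $target, true, 303);
    exit();
}
```

safeLocalPath() deliberately accepts only paths beginning with a single slash: an absolute URL, a scheme-relative "//host" form or a value containing line breaks all fall back to the site root instead of being followed.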
SP metadata XML
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2017-03-22T03:38:44Z"
                     cacheDuration="PT604800S"
                     entityID="SPID"
                     ID="pfx4db3d6e9-bef2-9b2b-961e-a85a811c95cd">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx4db3d6e9-bef2-9b2b-961e-a85a811c95cd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>5tn7T+Huj5/oATHzs1AprexGP9c=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>xgCIo5ZlGdLhDKOMvVMNco3bVdrtkb4qlPmg9VoA4TnuzIlHhHh5l3gFWTDdysOdXUQdRd9lzV69BgAMeXZsmrB1D41zM/84aegE0+YPFuDmqWQGHlebR8yg6/U4AxFqbwysuEsShZlmcfOXsW7rprea8yRYV00noVMnkpLGb30=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://www.samltool.com/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://www.samltool.com/consume" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">topsecsp</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">gatewaysp</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">https://www.samltool.com/topsecgates</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>spgivenname</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>spgivenname2</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
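php-saml generates an SP EntityDescriptor like the one above from settings.php, which is the simplest way to make sure the IdP receives exactly the entityId and ACS URL that processResponse() will later enforce. The endpoint below is an added example modelled on php-saml's demo metadata script, not code from this page; the loader path is the one used on this page. validateMetadata() schema-checks the document and also reports a validUntil that lies in the past, which is what a consumer would hit with the 2017 date in the sample above.

```php
<?php
// Added example: publish the SP metadata that php-saml derives from settings.php.
// Serve this at the URL configured as sp.entityId so the IdP can fetch it.
require_once dirname(__DIR__) . '/repair/php-saml/_toolkit_loader.php'; // path as used on this page

try {
    $auth     = new OneLogin_Saml2_Auth();
    $settings = $auth->getSettings();

    // Renders <md:EntityDescriptor> with validUntil/cacheDuration, the SP's
    // KeyDescriptors and the ACS/SLS endpoints; when security.signMetadata is
    // enabled in advanced_settings.php it also adds the enveloped <ds:Signature>.
    $metadata = $settings->getSPMetadata();

    // Schema validation plus an expiry check on validUntil; non-empty means unusable.
    $errors = $settings->validateMetadata($metadata);
    if (!empty($errors)) {
        throw new OneLogin_Saml2_Error(
            'Invalid SP metadata: ' . implode(', ', $errors),
            OneLogin_Saml2_Error::METADATA_SP_INVALID
        );
    }

    header('Content-Type: text/xml');
    echo $metadata;
} catch (Exception $e) {
    // Never hand the IdP a half-built descriptor; fail loudly instead.
    http_response_code(500);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Because the descriptor is rebuilt from settings.php on every request, a change to the ACS URL or entityId on the SP side shows up in the metadata immediately; the IdP still has to re-import it before the values on both sides agree again.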
IdP metadata XML example
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2017-03-22T03:34:04Z"
                     cacheDuration="PT1490585644S"
                     entityID="IDP"
                     ID="pfx86cbd802-0592-6a71-85e5-a41c784d83fe">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx86cbd802-0592-6a71-85e5-a41c784d83fe">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>J+LkZwC6iL9SJnto7T6vc3YjgH8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Krol/IicGEToYJCFTOvMii5XYspdlVDUB7oUETrrR33BcbFEHiskFMJilPo86Awkw5GpaK4XiLdVH2W/LCDPdAX9mVGTJfUdjwF3+LW1kEF+Woiwerxw60oL8WPF+g38N/2Jnhy8wXmHWhUWeSae2v7HICy94SnwDdsT/3dlk+E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://www.samltool.com/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://www.samltool.com/login"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">topsec</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">gateway</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">https://www.samltool.com/gateway</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>testIDP</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>testID</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>