security - SAML authentication request protocol ID

Tags: security authentication request protocols saml

When using the SAML 2.0 protocol with the HTTP Redirect binding, I should send a structure like this to the identity provider:

<q1:AuthnRequest
    ID="{82AB4AE6-919C-5FE6-C843-8342E6F9AB61}" Version="2.0"
    IssueInstant="2011-02-22T09:19:48+0100"
    Destination="https://test.server.com/Service.jsf"
    IsPassive="false"
    AssertionConsumerServiceURL="http://myservice.com/sso/"
    xmlns:q1="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">test.server.com</Issuer>
</q1:AuthnRequest>

My question is: how is the value of ID generated?
ID="{82AB4AE6-919C-5FE6-C843-8342E6F9AB61}" Version="2.0"
What are the rules for generating it?

Best answer

The exact method of generating a SAML ID is not explicitly defined; it only has to conform to the standard for an XML ID. An XML ID is an xsd:NCName, which is derived from xsd:Name; it cannot start with a digit or contain whitespace, and it should have 160 bits of "randomness".
The simplest ID generator in Java that satisfies this condition is:

import java.util.UUID;

String id() {
  // The leading letter keeps the value a valid NCName even when the UUID starts with a digit.
  return "a" + UUID.randomUUID();
}
OpenSAML also ships with SecureRandomIdentifierGenerator:
import org.opensaml.common.IdentifierGenerator;                  // OpenSAML 2.x package names
import org.opensaml.common.impl.SecureRandomIdentifierGenerator; // OpenSAML 2.x package names

// You will need to catch the NoSuchAlgorithmException during construction.
IdentifierGenerator idGenerator = new SecureRandomIdentifierGenerator();

String id() {
  return idGenerator.generateIdentifier();
}
The actual generation code looks like this:
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import org.bouncycastle.util.encoders.Hex; // OpenSAML 2.x uses the Bouncy Castle hex encoder

class SecureRandomIdentifierGenerator {
  private final SecureRandom random;

  // getInstance(...) throws NoSuchAlgorithmException, so it cannot live in a bare field initializer.
  SecureRandomIdentifierGenerator() throws NoSuchAlgorithmException {
    random = SecureRandom.getInstance("SHA1PRNG");
  }

  String generateIdentifier() {
    return generateIdentifier(16); // 16 bytes = 128 bits of randomness
  }

  String generateIdentifier(int size) {
    byte[] buf = new byte[size];
    random.nextBytes(buf);
    // The "_" prefix keeps the value a valid xs:ID even when the first hex digit is 0-9.
    return "_".concat(new String(Hex.encode(buf)));
  }
}
Another option comes from SAMLSSOUtil:
import java.util.Random;

// Each 4-bit nibble is mapped to a letter, so the result can never start with a digit.
char[] charMapping = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p' };
Random random = new Random();

String createID() {
  byte[] bytes = new byte[20]; // 160 bits
  random.nextBytes(bytes);

  char[] chars = new char[40]; // two letters per byte

  for (int i = 0; i < bytes.length; i++) {
    int left = (bytes[i] >> 4) & 0x0f; // high nibble
    int right = bytes[i] & 0x0f;       // low nibble
    chars[i * 2] = charMapping[left];
    chars[i * 2 + 1] = charMapping[right];
  }

  return String.valueOf(chars);
}
From the OASIS documentation:

The xs:ID simple type is used to declare SAML identifiers for assertions, requests, and responses. Values declared to be of type xs:ID in this specification MUST satisfy the following properties in addition to those imposed by the definition of the xs:ID type itself:

• Any party that assigns an identifier MUST ensure that there is negligible probability that that party or any other party will accidentally assign the same identifier to a different data object.
• Where a data object declares that it has a particular identifier, there MUST be exactly one such declaration.

The mechanism by which a SAML system entity ensures that the identifier is unique is left to the implementation. In the case that a random or pseudorandom technique is employed, the probability of two randomly chosen identifiers being identical MUST be less than or equal to 2^-128 and SHOULD be less than or equal to 2^-160. This requirement MAY be met by encoding a randomly chosen value between 128 and 160 bits in length. The encoding must conform to the rules defining the xs:ID datatype. A pseudorandom generator MUST be seeded with unique material in order to ensure the desired uniqueness properties between different systems.

The xs:NCName simple type is used in SAML to reference identifiers of type xs:ID since xs:IDREF cannot be used for this purpose. In SAML, the element referred to by a SAML identifier reference might actually be defined in a document separate from that in which the identifier reference is used. Using xs:IDREF would violate the requirement that its value match the value of an ID attribute on some element in the same XML document.
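The rules quoted above can be checked mechanically. The following Python module is an added example, not code from the question, the answer, OpenSAML or SAMLSSOUtil; it is written in Python rather than Java so the lexical and entropy rules can be exercised independently of any SAML library. It encodes the two constraints the spec imposes: the value must be an NCName (a letter or underscore first, then letters, digits, ".", "-" or "_", and no colon or whitespace), and a randomly generated value must carry at least 128 bits of randomness (the MUST) and preferably 160 (the SHOULD). Three caveats it makes visible: the ID in the question contains braces, which are not NCName characters, so a schema-validating IdP can reject it; the "a" + UUID scheme is lexically fine but a version-4 UUID holds only 122 random bits, short of the 128-bit MUST; and the SAMLSSOUtil scheme uses java.util.Random, which is not a cryptographic generator, so the port below substitutes the OS CSPRNG. The function names and the ASCII-only NCName regex are this example's own choices.

```python
import re
import secrets
import uuid

# Lexical rule: an xs:ID is an NCName, i.e. an XML Name with no colon.
# This regex covers the ASCII subset: first character a letter or "_",
# then letters, digits, ".", "-" or "_". NCName also admits many non-ASCII
# letters, which an ASCII-only generator never emits, so they are omitted here.
_NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")

# Uniqueness rule from the SAML core spec: the collision probability of two
# random identifiers MUST be <= 2^-128 and SHOULD be <= 2^-160.
MUST_BITS = 128
SHOULD_BITS = 160

# Letters used by the SAMLSSOUtil nibble-to-letter mapping ('a'..'p').
_NIBBLE_LETTERS = "abcdefghijklmnop"


def is_valid_saml_id(value: str) -> bool:
    """True if value is lexically acceptable as an xs:ID (ASCII NCName)."""
    return _NCNAME_ASCII.fullmatch(value) is not None


def generate_saml_id(nbytes: int = 20) -> str:
    """'_' + hex of nbytes CSPRNG bytes; 20 bytes = 160 bits (the SHOULD).

    The leading underscore satisfies the NCName start rule even when the
    first hex digit is 0-9. secrets.token_hex draws from os.urandom, so the
    "seeded with unique material" requirement is handled by the OS.
    """
    if nbytes * 8 < MUST_BITS:
        raise ValueError(
            f"{nbytes} bytes gives {nbytes * 8} bits; at least {MUST_BITS} are required"
        )
    return "_" + secrets.token_hex(nbytes)


def generate_uuid_saml_id() -> str:
    """The answer's 'a' + UUID scheme: lexically valid, but see uuid4_random_bits()."""
    return "a" + str(uuid.uuid4())


def generate_letter_mapped_id(nbytes: int = 20) -> str:
    """The SAMLSSOUtil nibble-to-letter scheme, using a CSPRNG instead of
    java.util.Random. Every nibble becomes a letter a-p, so no prefix is
    needed to satisfy the start-character rule; 20 bytes -> 40 letters."""
    raw = secrets.token_bytes(nbytes)
    return "".join(_NIBBLE_LETTERS[b >> 4] + _NIBBLE_LETTERS[b & 0x0F] for b in raw)


def uuid4_random_bits() -> int:
    """Random bits in an RFC 4122 version-4 UUID: 128 total, minus the
    4 fixed version bits and the 2 fixed variant bits."""
    return 128 - 4 - 2


def assess_scheme(random_bits: int) -> str:
    """Classify a random-identifier scheme against the SAML uniqueness rule."""
    if random_bits >= SHOULD_BITS:
        return "meets SHOULD (<= 2^-160)"
    if random_bits >= MUST_BITS:
        return "meets MUST (<= 2^-128) but not SHOULD"
    return "fails MUST (> 2^-128)"


if __name__ == "__main__":
    # Constructed inputs: the literal ID from the question and a few edge cases.
    for candidate in (
        "{82AB4AE6-919C-5FE6-C843-8342E6F9AB61}",  # braces are not NCName characters
        "82AB4AE6",                                # leading digit
        "a b",                                     # whitespace
        "ns:id",                                   # colon
        generate_saml_id(),
        generate_uuid_saml_id(),
        generate_letter_mapped_id(),
    ):
        print(f"{candidate!r}: valid={is_valid_saml_id(candidate)}")
    print("uuid4:", assess_scheme(uuid4_random_bits()))
    print("16 random bytes:", assess_scheme(128))
    print("20 random bytes:", assess_scheme(160))
```

When choosing a scheme, check both properties separately: the prefix or letter mapping only fixes the lexical rule, and the byte count only fixes the entropy rule; a generator needs both, plus a cryptographic source for the bytes.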

Regarding "security - SAML authentication request protocol ID", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/5076675/
