WSO2 external IdP registration: managing several AttributeConsumingService

Problem description

I am using WSO2 Identity Server versions 5.8.0 and 5.9.0 and I am facing this problem: I have external IdPs and I want to allow SAML integration with these IdPs. I can register them in WSO2 and everything works fine.

The problem concerns the AttributeConsumingService. In the external IdP I registered this WSO2 service metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3574ad74-ba7a-4ea5-b3e8-dbb2dafb55df" entityID="http://wso2_590_ai">
   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate><!--Certificate info--></ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso" />
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/commonauth" index="0" isDefault="true" />
      <md:AttributeConsumingService index="0">
         <md:ServiceName xml:lang="it">set0</md:ServiceName>
         <md:RequestedAttribute FriendlyName="Field A" Name="fielda" />
         <md:RequestedAttribute FriendlyName="Field B" Name="fieldb" />
      </md:AttributeConsumingService>
      <md:AttributeConsumingService index="1">
         <md:ServiceName xml:lang="it">set1</md:ServiceName>
         <md:RequestedAttribute FriendlyName="Field A" Name="fielda" />
         <md:RequestedAttribute FriendlyName="Field B" Name="fieldb" />
         <md:RequestedAttribute FriendlyName="Field C" Name="fieldc" />
         <md:RequestedAttribute FriendlyName="Field D" Name="fieldd" />
      </md:AttributeConsumingService>
      <md:AttributeConsumingService index="2">
         <md:ServiceName xml:lang="it">set2</md:ServiceName>
         <md:RequestedAttribute FriendlyName="Field A" Name="fielda" />
         <md:RequestedAttribute FriendlyName="Field C" Name="fieldc" />
      </md:AttributeConsumingService>
      <md:AttributeConsumingService index="3">
         <md:ServiceName xml:lang="it">set3</md:ServiceName>
         <md:RequestedAttribute FriendlyName="Field A" Name="fielda" />
         <md:RequestedAttribute FriendlyName="Field D" Name="fieldd" />
      </md:AttributeConsumingService>
      <md:AttributeConsumingService index="4">
         <md:ServiceName xml:lang="it">set4</md:ServiceName>
         <md:RequestedAttribute FriendlyName="Field B" Name="fieldb" />
         <md:RequestedAttribute FriendlyName="Field D" Name="fieldd" />
      </md:AttributeConsumingService>
      <md:AttributeConsumingService index="5">
         <md:ServiceName xml:lang="it">set5</md:ServiceName>
         <md:RequestedAttribute FriendlyName="Field B" Name="fieldb" />
         <md:RequestedAttribute FriendlyName="Field C" Name="fieldc" />
      </md:AttributeConsumingService>
   </md:SPSSODescriptor>
   <md:Organization>
      <md:OrganizationName xml:lang="it">Service provider WSO2 590</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="it">WSO2 590</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="it">https://localhost:9443/</md:OrganizationURL>
   </md:Organization>
</md:EntityDescriptor>

As you can see in my metadata, I can handle several AttributeConsumingService. How can I tell WSO2 that one ServiceProvider wants to use AttributeConsumingService number 1, another the AttributeConsumingService number 2, and so on?

The only point where I can set the AttributeConsumingService is during the external IdP registration, but this is a bit strange, because I would have to register the same IdP several times, with the related entityId problems...

Thanks

Angelo

Tags: wso2, wso2is

Solution


I think I was able to solve the problem.

I modified the org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest, boolean, String, AuthenticationContext) method. Right after the statement

//Get the inbound SAMLRequest
AuthnRequest inboundAuthnRequest = getAuthnRequest(context);

I added the following code:

// Copy the AttributeConsumingServiceIndex of the inbound request onto the
// AuthnRequest that WSO2 IS builds for the external IdP (index 0 is the default)
Integer attrConsServiceIndex = inboundAuthnRequest.getAttributeConsumingServiceIndex();
if (attrConsServiceIndex != null && attrConsServiceIndex > 0) {
    if (log.isInfoEnabled()) {
        log.info("Inbound SAML Request AttributeConsumingServiceIndex " + attrConsServiceIndex + " Settato nella auth request SAML");
    }
    authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
}

In this way, if the application handled by the service provider sends an AttributeConsumingServiceIndex different from 0, it is set in the AuthnRequest that WSO2 IS builds for the external IdP. I don't know whether there is a different way to solve it, but as far as I investigated, this is the only solution I found.

I hope this is useful.

Angelo
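The following is an added example, not code from the question, the answer, or the WSO2 project: a stand-alone Python illustration (standard library only) of the proxying step the answer patches into DefaultSAML2SSOManager. It reads the AttributeConsumingServiceIndex from a constructed inbound AuthnRequest, checks it against the AttributeConsumingService entries declared in the question's SP metadata (abridged to indexes 0, 1 and 2), and writes it onto the outbound AuthnRequest for the external IdP. Like the answer's patch it does not forward index 0 (the default service); unlike the patch it rejects an index the metadata does not declare, so a client cannot make the proxy request an attribute set that was never registered. All function names, the issuer/destination values and the timestamps are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata, abridged from the metadata in the question: the
# AttributeConsumingService entries with index 0, 1 and 2 (set0..set2).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://wso2_590_ai">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="it">set0</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Field A" Name="fielda"/>
      <md:RequestedAttribute FriendlyName="Field B" Name="fieldb"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="it">set1</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Field A" Name="fielda"/>
      <md:RequestedAttribute FriendlyName="Field B" Name="fieldb"/>
      <md:RequestedAttribute FriendlyName="Field C" Name="fieldc"/>
      <md:RequestedAttribute FriendlyName="Field D" Name="fieldd"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="2">
      <md:ServiceName xml:lang="it">set2</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Field A" Name="fielda"/>
      <md:RequestedAttribute FriendlyName="Field C" Name="fieldc"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def constructed_inbound_request(index=None):
    """Constructed sample: a minimal, unsigned AuthnRequest from an application to
    the WSO2 IS, optionally carrying an AttributeConsumingServiceIndex."""
    extra = f' AttributeConsumingServiceIndex="{index}"' if index is not None else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_inbound1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z"{extra}>'
        "<saml:Issuer>http://app.example</saml:Issuer></samlp:AuthnRequest>"
    )


def declared_attribute_services(metadata_xml):
    """Map each AttributeConsumingService index declared in the SP metadata to the
    list of RequestedAttribute names it contains."""
    root = ET.fromstring(metadata_xml)
    services = {}
    for acs in root.iterfind(".//md:AttributeConsumingService", NS):
        names = [ra.get("Name") for ra in acs.iterfind("md:RequestedAttribute", NS)]
        services[int(acs.get("index"))] = names
    return services


def inbound_acs_index(authn_request_xml):
    """Return the AttributeConsumingServiceIndex of an inbound AuthnRequest, or None
    when the optional attribute is absent."""
    value = ET.fromstring(authn_request_xml).get("AttributeConsumingServiceIndex")
    return int(value) if value is not None else None


def index_to_forward(inbound_xml, metadata_xml):
    """Decide which index, if any, is copied onto the outbound request. As in the
    answer's patch, 0 (the default service) is not forwarded; additionally, an index
    the SP metadata does not declare is rejected instead of being passed through."""
    idx = inbound_acs_index(inbound_xml)
    if idx is None or idx == 0:
        return None
    if idx not in declared_attribute_services(metadata_xml):
        raise ValueError(f"AttributeConsumingServiceIndex {idx} is not declared in SP metadata")
    return idx


def build_outbound_authn_request(inbound_xml, metadata_xml, issuer, destination, request_id):
    """Build the AuthnRequest that the WSO2 IS, acting as SP, sends to the external IdP."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",  # constructed; use the current time in practice
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    idx = index_to_forward(inbound_xml, metadata_xml)
    if idx is not None:
        req.set("AttributeConsumingServiceIndex", str(idx))
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    print(build_outbound_authn_request(constructed_inbound_request(1), SP_METADATA,
                                       "http://wso2_590_ai", "https://idp.example/sso", "_out1"))
```

The outbound request is deliberately left unsigned and minimal; in WSO2 IS the signing, NameIDPolicy and the remaining AuthnRequest fields are produced by the surrounding buildAuthnRequest method, and only the index selection shown here corresponds to the answer's patch.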

