如何嵌入了SAML 2.0 SSO的AuthNRequest內的簽名在PHP

Question

我IDP需要與嵌入式，簽名和加密，其中請求URL看起來像這樣的AuthNRequest：

http://idp.example.com/SSOService.php?SAMLRequest= {VAL1}

AuthNRequest與嵌入的簽名（HTTP-POST綁定）

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs"> 
    <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
     <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3"> 
     <ds:Transforms> 
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     </ds:Transforms> 
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
     <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue> 
     </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue>...</ds:SignatureValue> 
    <ds:KeyInfo> 
     <ds:X509Data> 
     <ds:X509Certificate>...</ds:X509Certificate> 
     </ds:X509Data> 
    </ds:KeyInfo> 
    </ds:Signature> 
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/> 
    <samlp:RequestedAuthnContext Comparison="exact"> 
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> 
    </samlp:RequestedAuthnContext> 
</samlp:AuthnRequest> 

但是我的請求看起來像

http://idp.example.com/SSOService.php?SAMLRequest= {VAL1} &簽名= {VAL2} & SigAlg = {VAL3}

在OneLogin的[PHP-SAML]我的設置所需要的消息進行簽名和加密的

'nameIdEncrypted' => true, 
'authnRequestsSigned' => true, 
'logoutRequestSigned' => true, 
'logoutResponseSigned' => true, 
'signMetadata' => true, 
'wantMessagesSigned' => true, 
'wantAssertionsSigned' => true,'wantAssertionsEncrypted' => true, 
'wantNameIdEncrypted' => true, 
'requestedAuthnContext' => true, 
'wantXMLValidation' => true, 
'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 

和SimpleSAMLphp 我的IDP-遠程配置

$metadata['https:/my.idp.com/idplogin'] = array(
     'name' => array(
       'en' => 'my.idp.com', 
       'no' => 'my.idp.com', 
     ), 
     'description'   => 'IDP SSO', 
     'sign.authnrequest' => TRUE, 
     'sign.logout' => TRUE, 
     'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 
     'assertion.encryption' => TRUE, 
     'sharedkey' => 'SHAREDKEY.crt', 
      'SingleLogoutService' => 
      array (
      0 => 
      array (
       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 
       'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-logout.php/default-sp', 
      ), 
     ), 
      'AssertionConsumerService' => 
      array (
      0 => 
      array (
       'index' => 0, 
       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 
       'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp', 
      ), 
      1 => 
      array (
       'index' => 1, 
       'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post', 
       'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp', 
      ), 
      2 => 
      array (
       'index' => 2, 
       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', 
       'Location' => 'http://iam.sp.com/module.php/saml/sp/saml2-acs.php/default-sp', 
      ), 
      3 => 
      array (
       'index' => 3, 
       'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01', 
       'Location' => 'http://iam.sp.com/module.php/saml/sp/saml1-acs.php/default-sp/artifact', 
      ), 
     ), 
     'SingleSignOnService' => 'https:/my.idp.com/samljct', 
     'redirect.sign' => TRUE, 
     'redirect.validate' => TRUE, 
     'acs.Bindings' => array(
       'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 
       'urn:oasis:names:tc:SAML:1.0:profiles:browser-post', 
     ), 
     'certFingerprint'  => 'FINGERPRINTED', 
     'certificate'   => 'SPCERTYA.crt' 
); 

和我的SP配置

$config = array(
    'admin' => array(
     'core:AdminPassword', 
    ), 
    'default-sp' => array(
     'saml:SP', 
     'entityID' => null, 
     'idp' => null, 
     'discoURL' => null, 
     'privatekey' => 'MYSTUFF.pem', 
     'certificate' => 'MYSTUFF.crt', 
     'metadata.sign.authnrequest' => TRUE, 
     'metadata.sign.enable' => TRUE, 
     'redirect.sign' => TRUE, 
     'redirect.validate' => TRUE, 
     'assertion.encryption' => TRUE, 
     'IsPassive' => FALSE, 
     'signature.algorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 
    ), 

在這兩種服務中，我不確定如何在AuthNRequest中嵌入簽名？

Answer 1

更改在IDP遠程配置如下一行：

'SingleSignOnService' => 'https:/my.idp.com/samljct', 

到：

'SingleSignOnService' => array(
    array(
     'Location' => 'https:/my.idp.com/samljct', 
     'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 
    ), 
), 

應該工作。