我正在研究SAML身份验证
我在rsa-sha256中设置了摘要和签名方法,但是当我创建重定向认证用户的请求时,请求在rsa-sha1中…
url中有SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
但是我想让它是rsa-sha256
设置:
def saml_settings
settings = OneLogin::RubySaml::Settings.new({:idp_cert_fingerprint_algorithm => XMLSecurity::Document::SHA256})
settings.assertion_consumer_service_url = "..."
settings.issuer = "..."
settings.idp_sso_target_url = "..."
settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
#settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
settings.certificate = CONFIG_CERTIFICATE
settings.private_key = CONFIG_PRIVATE_KEY
settings.security[:authn_requests_signed] = true # Enable or not signature on AuthNRequest
settings.security[:logout_requests_signed] = true # Enable or not signature on Logout Request
settings.security[:logout_responses_signed] = true # Enable or not signature on Logout Response
settings.security[:digest_method] = XMLSecurity::Document::SHA256
settings.security[:signature_method] = XMLSecurity::Document::SHA256
settings.security[:embed_sign] = false
settings
end
request = OneLogin::RubySaml::Authrequest.new
redirect_to(request.create(saml_settings))
这里,request.create(saml_settings)返回url中,有SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
我怎么能改变这是在rsa-sha256?
事实上,我找到了答案:
在库中,sha1或sha256加密将由设置定义,
在OneLogin::RubySaml::Authrequest的create_params方法中我们有
if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
params['SigAlg'] = XMLSecurity::Document::SHA1
...
end
所以,我有
settings.security[:embed_sign] = false
所以条件为TRUE。但必须是FALSE
所以我写了
settings.security[:embed_sign] = true
(实际上,它必须为true)
和
request.create(saml_settings, {:SigAlg => XMLSecurity::Document::SHA256}))
完成了!
(cf http://www.rubydoc.info/github/onelogin/ruby-saml/OneLogin/RubySaml/Authrequest#create-instance_method)