我尝试使用SAML 2.0在Gitlab上实现SSO,我遇到了一些问题。
我公司的IdP经理给我发了他们的元数据,并按照关于SAML的Gitlab文档我配置了这样的Gitlab。
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_providers'] =
[
{
name: "saml",
args:
{
assertion_consumer_service_url: "https://my.domain.com/gitlab/auth/saml/callback",
idp_cert: "
-----BEGIN CERTIFICATE-----
IDP_Certificate
-----END CERTIFICATE-----
",
idp_sso_target_url: "https://my_idp_target_URL",
issuer: "sp-gitlab",
name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
},
label: "SSO"
}
]
我将我的元数据发送给了IdP,他们被接受了。
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2017-11-22T09:24:33Z" ID="_1910909d-5325-4cba-a56f-4f9082e05e24" entityID="sp-gitlab">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
My cert
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
Mycert
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.domain.com/gitlab/auth/saml/callback" index="0" isDefault="true"/>
<md:AttributeConsumingService index="1" isDefault="true">
<md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
<md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
当我尝试使用SSO连接到Gitlab时出现错误。我的AuthnRequest的签名不存在。 IdP的经理告诉我问题来自我的申请证书。所以这是关于Gitlab HTTPS的问题
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 443
...
nginx['ssl_certificate'] = "/etc/gitlab/ssl/prod.cer"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/prod.key"
我的Gitlab实例运行在Apache Proxy之后,用于Gitlab的证书也用于这个Apache的网站。
那么为什么我的AuthnRequest中没有签名?我错在哪里或者我错过了什么?
附: :我是SAML和Gitlab配置的新手,所以我可能错过了一些明显的东西
您需要将证书和私钥添加到gitlab参数中。此外,您需要指定安全性参数以启用签名的生成。
这是一个示例:
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
args: {
assertion_consumer_service_url: 'https://mywebsite/users/auth/saml/callback',
assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
idp_cert_fingerprint: '77:EE:EE:AA:67:FA:78:4C:E2:ED:E8:57:AC:EE:AC:AB:AA:FF:FD:FD',
idp_sso_target_url: 'https://idp.url/auth/SSOPOST/metaAlias/ent/providerIDP',
idp_sso_target_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
idp_slo_target_url: 'https://idp.url/auth/IDPSloPOST/metaAlias/ent/providerIDP',
idp_slo_target_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
sso_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
protocol_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
issuer: 'sp_gitlab',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
certificate: "-----BEGIN CERTIFICATE-----
MIIDzjCCArYCCQCxUOzAVm5w3DANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMC
....
v84ULsyAgv8sVJ4XerZ9wr7B
-----END CERTIFICATE-----",
private_key: "-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxcTsJ0sBMAH9NwEvDT5qcGBA6JiChtM90I9di7YC98lO5qFM
....
lfIj9QAaFdL9lPskg6zX6HEooOEoLib8fm9IZCIChjhsdjoj/6QXP6k=
-----END RSA PRIVATE KEY-----",
security: {
authn_requests_signed: true,
embed_sign: true,
digest_method: "XMLSecurity::Document::SHA1",
signature_method: "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
}
},
label: 'SAML Auth'
}
]
根据我的知识和经验,AuthnRequest中没有签名。签名或加密在下一个HTTP请求中开始。
见:https://en.wikipedia.org/wiki/SAML_2.0#Authentication_Request_Protocol
你有什么地方和哪里有错误?
(示例)Authnrequest没有签名:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_a976498d2ebe858cc56d486b5af2085ed957f45c5a"
Version="2.0"
IssueInstant="2017-08-10T13:29:09Z"
Destination="https://<idp_url>/idp/profile/SAML2/Redirect/SSO"
AssertionConsumerServiceURL="https://<mahara_adress>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
<saml:Issuer>https://<mahara_adress>/mahara</saml:Issuer>
</samlp:AuthnRequest>