What is SAML?
SAML (Security Assertion Markup Language) is a widely used standard for exchanging authentication and authorization data between separate systems. It is used mostly by web applications: an identity provider vouches for a user (or a partner organisation) by issuing a digitally signed XML assertion about that identity, and the application verifies the signature instead of checking the user's credentials itself.
SAML is widely deployed in enterprise environments, where it is still more common than the newer SSO (Single Sign-On) standard OIDC (OpenID Connect). A SAML login does not only authenticate the user: the attributes attached to the assertion (name, e-mail, group membership and so on) are covered by the identity provider's signature as well, so the application can scope what the user may access based on attributes it can trust. Besides letting users sign in once, SAML therefore supports fine-grained access management, for example restricting particular functions to specific departments or units in the organisation.
SAML is therefore not only used for authentication; it also carries the data an application needs for authorization.
Components of SAML
SAML entities
- End users: the people who must be authenticated before they are allowed to use the application.
- Service providers (SP): the application or service that needs to know who the authenticated user is. It receives the Assertion and verifies that it is valid.
- Identity providers (IdP): the entity that authenticates the user and issues the Assertion. It verifies the user's credentials, builds an Assertion describing the user and sends it to the Service Provider (in web SSO, via the user's browser).
SAML components
- Assertion: an XML document carrying authentication and authorization statements. It is issued by the Identity Provider (the Issuer) and delivered to the Service Provider. An Assertion names the Subject, states how and when the Subject authenticated, lists the Subject's attributes (roles, permissions and similar), carries validity conditions (time window, intended audience) and is protected by an XML digital signature.
- Protocol: the request/response messages that let SAML entities talk to each other, for example AuthnRequest and Response. The protocol layer defines how authentication, attribute and logout exchanges are expressed.
- Bindings: the ways protocol messages and Assertions are transported between the Identity Provider and the Service Provider over HTTP. The most common bindings are HTTP Redirect, HTTP POST and Artifact.
- Profiles: rules for combining protocols and bindings in a particular use case. Common profiles are Web Browser Single Sign-On (SSO), Single Logout (SLO) and Identity Provider Discovery.
SAML flow
Here I borrow the diagram of SAML authentication with Azure Active Directory to walk through the flow.
- Step 1: The user opens a web browser. Here the web browser is the component the user interacts with directly.
- Step 2: The web browser requests a resource on the Web App (Service Provider).
- Step 3: The Web App (Service Provider) sees that the user has no session, generates a SAML authentication request (AuthnRequest) and redirects the browser to the Identity Provider (here Azure AD).
- Step 4: The user logs in (is authenticated) at the Identity Provider (here Azure AD).
- Step 5: The Identity Provider returns a SAML Response containing the signed Assertion (the "SAML token") to the web browser.
- Step 6: The web browser forwards the SAML Response to the Service Provider.
- Step 7: The Service Provider validates the SAML Response and the Assertion inside it (signature, Issuer, Audience, validity window, InResponseTo); if every check passes it continues to step 8.
- Step 8: After successful validation, the Service Provider creates a session and lets the user access the resource requested in step 2.
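As an added example (not code from this post or from any SAML library), the following Python shows what the Service Provider does in step 3: it builds the AuthnRequest, records the request ID so the later Response's InResponseTo can be matched in step 7, and encodes the request with the HTTP Redirect binding (raw DEFLATE, then base64, then URL-encoding into the query string). The entity ID, ACS URL and IdP URL are made-up placeholders.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

# Constructed identifiers for this example; the IdP URL is a placeholder, not a real tenant.
SP_ENTITY_ID = "http://localhost:5000/saml/metadata"
SP_ACS_URL = "http://localhost:5000/saml/callback"
IDP_SSO_URL = "https://idp.example.test/samlp/sso"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Every request ID the SP issues is remembered (ID -> issue time) so that the Response's
# InResponseTo can be matched later and unsolicited responses can be rejected.
PENDING_REQUESTS: Dict[str, datetime] = {}


def build_authn_request(request_id: Optional[str] = None,
                        issue_instant: Optional[datetime] = None) -> Tuple[str, str]:
    """Step 3: build the AuthnRequest XML and record its ID. Returns (request_id, xml)."""
    # SAML IDs are xs:ID values and must not start with a digit, hence the "id-" prefix.
    request_id = request_id or "id-" + secrets.token_urlsafe(12)
    issue_instant = issue_instant or datetime.now(timezone.utc)
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" '
        f'IssueInstant="{issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )
    PENDING_REQUESTS[request_id] = issue_instant
    return request_id, xml


def encode_redirect(xml: str, relay_state: str = "") -> str:
    """HTTP Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(location: str) -> Tuple[str, ET.Element]:
    """Inverse of encode_redirect: recover the AuthnRequest from a redirect URL."""
    query = parse_qs(urlsplit(location).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, ET.fromstring(xml)


def is_pending(in_response_to: str) -> bool:
    """Step 7 helper: consume the request ID once, so a Response can answer it only one time."""
    return PENDING_REQUESTS.pop(in_response_to, None) is not None
```

decode_redirect is also handy when inspecting a captured 302 from a real SP, assuming that SP uses the standard DEFLATE encoding of the Redirect binding; note that the AuthnRequest in this block is unsigned, which is what most IdPs accept by default.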
To make the flow and the values exchanged between the End User, the Service Provider and the Identity Provider more concrete, here is an example.
The user visits the Service Provider:

```http
GET /login?next=http%3A%2F%2Flocalhost%3A5000%2F HTTP/1.1
Host: localhost:5000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <cookie>
Connection: close
```

The Service Provider responds with a login page offering "Login with SAML". The user clicks it, and the browser sends a request to the Service Provider asking to log in with SAML:

```http
GET /saml/login?next=%2F HTTP/1.1
Host: localhost:5000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost:5000/login?next=http%3A%2F%2Flocalhost%3A5000%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <cookie>
Connection: close
```

The Service Provider returns a 302 redirecting the browser to the Identity Provider. The AuthnRequest travels in the SAMLRequest query parameter (the HTTP Redirect binding, in which the XML is DEFLATE-compressed and base64-encoded):

```http
HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 1417
Location: https://dev-9lrlvyer.us.auth0.com/samlp/6Rbq6LnufpOuZ99RiWdimnQfwiDBVYtM?SAMLRequest=nZJfT8IwFMW%2FytL3sYJAoGEzIDFiQOeYGHkxZetGY9ey3hbl21uGf%2BILD7y1t%2Bf%2B7rknHUnAZGzNViastgyM91kJCcSVQ2S1JIoCd1daMSAmI8vxYk46LUx2WhmVKYF%2BG9rnGygA04Yribzxz%2FFGSbAV00um9zxjz8k8RFtjdiQIhMqo2CowpIcxDoBWInAVsaHZ%2B7XS5RsIW4Y5K6gVBnlTZ51LeoSeEOAYOdv7Q6HF%2FsB0y0KLuj1xK1NVg9sF%2FWRT9%2BfSFrtHux4OE%2F6S80o%2BFR98Olm9mgXyZtMQ8dyf3Oc2r%2FVsUE9K2d1uavcCYNlMgqHShKiDO1c%2B7vntQYq7BA8Ibq%2BRF39nNOEy57I8n8%2FmJAJyl6axHz8uU%2BStmIZmIydA0chlTJq52rtVuqLmPPFYceaLRkqYNNwcUHRJvqPgb%2FTRBiYPjj2bxkrw7HCBGaOpBO4sIS%2BIjvT%2FnzD6Ag%3D%3D
Vary: Cookie
Server: Werkzeug/0.16.1 Python/3.7.12
Date: Thu, 18 May 2023 04:08:01 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
```

The user logs in to the Identity Provider with username and password. The Identity Provider then returns a page that auto-submits the SAMLResponse to the Service Provider's callback (the HTTP POST binding):

```http
HTTP/2 200 OK
Date: Thu, 18 May 2023 04:13:44 GMT
Content-Type: text/html; charset=utf-8
...
Set-Cookie: <cookie>
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

<html><head><title>Working...</title></head><body>
<form method="post" name="hiddenform" action="http://localhost:5000/saml/callback?org_slug=default">
  <input type="hidden" name="SAMLResponse" value="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">
  <input type="hidden" name="RelayState" value="">
  <noscript>
    <p> Script is disabled. Click Submit to continue. </p><input type="submit" value="Submit">
  </noscript>
</form>
<script language="javascript" type="text/javascript"> window.setTimeout(function(){document.forms[0].submit();}, 0); </script>
</body></html>
```

The browser automatically POSTs the SAMLResponse to the Service Provider:
```http
POST /saml/callback?org_slug=default HTTP/1.1
Host: localhost:5000
Content-Length: 6801
...
Cookie: <cookie>
Connection: close

SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJfMTk4MmU4NGQ2ZWQ0ZGJjNTNiZWMiICBJblJlc3BvbnNlVG89ImlkLVdYQ01qRXFHOEVzZ3BkbmZsIiAgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMjMtMDUtMThUMDQ6MTM6NDQuMDIzWiIgIERlc3RpbmF0aW9uPSJodHRwOi8vbG9jYWxob3N0OjUwMDAvc2FtbC9jYWxsYmFjaz9vcmdfc2x1Zz1kZWZhdWx0Ij48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BdXJuOmRldi05bHJsdnllci51cy5hdXRoMC5jb208L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM%2BPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBWZXJzaW9uPSIyLjAiIElEPSJfSWJCOXlIbXhRVUZEWnpOZ3Z3elBicFRPQzh4ZXZ1SG8iIElzc3VlSW5zdGFudD0iMjAyMy0wNS0xOFQwNDoxMzo0My45NzlaIj48c2FtbDpJc3N1ZXI%2BdXJuOmRldi05bHJsdnllci51cy5hdXRoMC5jb208L3NhbWw6SXNzdWVyPjxTaWduYXR1cmUgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxTaWduZWRJbmZvPjxDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPFNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48UmVmZXJlbmNlIFVSST0iI19JYkI5eUhteFFVRkRaek5ndnd6UGJwVE9DOHhldnVIbyI%2BPFRyYW5zZm9ybXM%2BPFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvVHJhbnNmb3Jtcz48RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8%2BPERpZ2VzdFZhbHVlPm5jVkM4N2p1ZmY0YWtBTDZPRWpVa1RGUFhYWHF1SEZzNmdxdHliOHBBNTg9PC9EaWdlc3RWYWx1ZT48L1JlZmVyZW5jZT48L1NpZ25lZEluZm8%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%2BPFg1MDlDZXJ0aWZpY2F0ZT5NSUlERFRDQ0FmV2dBd0lCQWdJSkN6TW5LaWdSWEIvYk1BMEdDU3FHU0liM0RRRUJDd1VBTUNReElqQWdCZ05WQkFNVEdXUmxkaTA1YkhKc2RubGxjaTUxY3k1aGRYUm9NQzVqYjIwd0hoY05Nakl3TnpFeU1EYzBORFEwV2hjTk16WXdNekl3TURjME5EUTBXakFrTVNJd0lBWURWUVFERXhsa1pYWXRPV3h5YkhaNVpYSXVkWE11WVhWMGFEQXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEzV0lEL1hKekZHTUwrTFExZjNMbW5rd2NCNWYrQWo2bjJOYm9yL3pFaVE4TDRsN0xUMXQ4M1RMV1BWd0NnbUlOQjRjODNrNGk3amY2ZHQ1QzJBbkxZUWJZcEdPeEpiS013dUc1Nk9NUy81aVZJOElDc3QxeHlzSkZlRTJveVB4YitWbk5DZEdqcFdOM0RZUzkxNldicm9pc2s1MlE2WExEdkRleXpCeEdsUDB3dFdiMnlDYWhFNDRVQjA4TGpIOWp2c0t5UGFJUzZTUjMwb1hjMndFdUZpM0krL0RGNU9UbEFRREs1MngxVW1FeHNSL21hcGRIZEhqWHNNSWhNOWxIU3Y5SWtkVmRralFEZXZmU3lLK1poRVU1d3pUVFNqMnpEZS9laFE4T2gvMlRUdlFUczJ6Umw5b1ROdHFjTnZDblZscWxWVk9OUUZxNVg1VGlWdDc3bFFJREFRQUJvMEl3UURBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJUckdmV2hjRWJHSHdXNXNOOUhwS1dEZkU2QlFEQU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLcGdmaFFJZU94QzVGTWlVSzdSUDJGN2p2ZlJPSlAxK1RmdnpiQXlsUC9SVzlzc0NGZXJDVDFiR2Z6YVBySjFDd3lmRTZQRlJHREVaMXFBTWRzb09iYzFHYUxCaGdlL2djTEtzYXN5U293V0ZRZ1YrT2thMWFlWWJ6OWVrajloU0M3bE5VWitKZkY0SFFuM2haL3NxYjc3WFpaeWwwWXBod1BORWN0bGZBM3I2SVJtbnZHV2V1ZFpFYllMMUI1YVNBeTBSNHI0NXFtczJGS3loM2xZRDVLa2kyRTlsMXhMZ2t2MU1OV1diYmo4RjJ0TTFNZjJKcGllY1NNbC8rQi8yQTRPcXRDclJJL2F3bWh2Zk4yNVRDL1RjSDJuQlcybHROR0ZwUFYrQTVyQnd2UzdoaTluclRmYTNjaVlYREI3c2tCSW5WaUVtWHpZZUx4cmN2bTNicVE9PC9YNTA5Q2VydGlmaWNhdGU%2BPC9YNTA5RGF0YT48L0tleUluZm8%2BPC9TaWduYXR1cmU%2BPHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI%2BZ29vZ2xlLW9hdXRoMnwxMTcwNjkyNzEwMjAwNTg2NzQ0NDA8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjMtMDUtMThUMDU6MTM6NDMuOTc5WiIgUmVjaXBpZW50PSJodHRwOi8vbG9jYWxob3N0OjUwMDAvc2FtbC9jYWxsYmFjaz9vcmdfc2x1Zz1kZWZhdWx0IiBJblJlc3BvbnNlVG89ImlkLVdYQ01qRXFHOEVzZ3BkbmZsIi8%2BPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24%2BPC9zYW1sOlN1YmplY3Q%2BPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjMtMDUtMThUMDQ6MTM6NDMuOTc5WiIgTm90T25PckFmdGVyPSIyMDIzLTA1LTE4VDA1OjEzOjQzLjk3OVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPHNhbWw6QXVkaWVuY2U%2BaHR0cDovL2xvY2FsaG9zdDo1MDAwL3NhbWwvY2FsbGJhY2s%2Fb3JnX3NsdWc9ZGVmYXVsdDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjMtMDUtMThUMDQ6MTM6NDMuOTc5WiIgU2Vzc2lvbkluZGV4PSJfcHRNNTdOWk9YVllfRk1jdkxiZTQzYm4tQmw0OFI3X3QiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3Nlczp1bnNwZWNpZmllZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iRmlyc3ROYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIE5hbWU9Ikxhc3ROYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL3VwbiI%2BPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI%2BdGVzdEBtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5hdXRoMC5jb20vaWRlbnRpdGllcy9kZWZhdWx0L3Byb3ZpZGVyIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5nb29nbGUtb2F1dGgyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9pZGVudGl0aWVzL2RlZmF1bHQvdXNlcl9pZCI%2BPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI%2BMTE3MDY5MjExMTExMTExPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9pZGVudGl0aWVzL2RlZmF1bHQvY29ubmVjdGlvbiI%2BPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI%2BZ29vZ2xlLW9hdXRoMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5hdXRoMC5jb20vaWRlbnRpdGllcy9kZWZhdWx0L2lzU29jaWFsIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6Ym9vbGVhbiI%2BdHJ1ZTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg%3D%3D&RelayState=
```
Base64-decoding this SAMLResponse gives the structure below. Everything the Service Provider has to check in step 7 is visible here: the Response's Destination and the Assertion's Recipient and Audience all name the SP callback URL, InResponseTo ties the Response to the ID of the AuthnRequest that triggered it, NotBefore/NotOnOrAfter give a one-hour validity window, and the enveloped Signature's Reference URI points at the Assertion's own ID, so that exactly this Assertion is what the IdP signed.
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1982e84d6ed4dbc53bec" InResponseTo="id-WXCMjEqG8Esgpdnfl" Version="2.0" IssueInstant="2023-05-18T04:13:44.023Z" Destination="http://localhost:5000/saml/callback?org_slug=default">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:dev-9lrlvyer.us.auth0.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_IbB9yHmxQUFDZzNgvwzPbpTOC8xevuHo" IssueInstant="2023-05-18T04:13:43.979Z">
    <saml:Issuer>urn:dev-9lrlvyer.us.auth0.com</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <Reference URI="#_IbB9yHmxQUFDZzNgvwzPbpTOC8xevuHo">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <DigestValue>ncVC87juff4akAL6OEjUkTFPXXXquHFs6gqtyb8pA58=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>Q1V6m1wd0mT6/Ugz9ZxEq1uIs2QdiVIBCf1ia2ODrU7drGzWKpvvURjj57av0+tY0iNZrI4GQbs6N3yHPjlR4Mj+1k++aQ6WMoLLGX/wLfwuImrALZzXVH1MJvDcewklM39zrPRjG4S84lL737nZXM7gYuB+Sjt2V9CajfHaojHNsr9IAaPZT9saebDS7+q+0PXfdUelroOkPZPLs7//Oc4pDTP58M0fzHLUdPCUEB8YsIiVJg5O+lXroxCQiGtTUP34QB+lttJosbpXLaWqSYJ2cMmFrhVoV5kES+MjmkxaKwQ31K2FoseTg0PrgN56ht7+EA+9qQKYTToI6HNxJQ==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">google-oauth2|117069271020058674440</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-05-18T05:13:43.979Z" Recipient="http://localhost:5000/saml/callback?org_slug=default" InResponseTo="id-WXCMjEqG8Esgpdnfl" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-05-18T04:13:43.979Z" NotOnOrAfter="2023-05-18T05:13:43.979Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://localhost:5000/saml/callback?org_slug=default</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2023-05-18T04:13:43.979Z" SessionIndex="_ptM57NZOXVY_FMcvLbe43bn-Bl48R7_t">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <saml:Attribute Name="FirstName">
        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="LastName">
        <saml:AttributeValue xsi:type="xs:string"
```
class="token punctuation">></span></span>test<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AttributeValue</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Attribute</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>Attribute</span> <span class="token attr-name">Name</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn<span class="token punctuation">"</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>AttributeValue</span> <span class="token attr-name"><span class="token namespace">xsi:</span>type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>xs:string<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>test@mail.com<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AttributeValue</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Attribute</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>Attribute</span> <span class="token attr-name">Name</span><span class="token attr-value"><span 
class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://schemas.auth0.com/identities/default/provider<span class="token punctuation">"</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>AttributeValue</span> <span class="token attr-name"><span class="token namespace">xsi:</span>type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>xs:string<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>google-oauth2<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AttributeValue</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Attribute</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>Attribute</span> <span class="token attr-name">Name</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://schemas.auth0.com/identities/default/user_id<span class="token punctuation">"</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>AttributeValue</span> <span class="token attr-name"><span class="token namespace">xsi:</span>type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>xs:string<span class="token punctuation">"</span></span><span class="token 
punctuation">></span></span>117069211111111<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AttributeValue</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Attribute</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>Attribute</span> <span class="token attr-name">Name</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://schemas.auth0.com/identities/default/connection<span class="token punctuation">"</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>AttributeValue</span> <span class="token attr-name"><span class="token namespace">xsi:</span>type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>xs:string<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>google-oauth2<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AttributeValue</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Attribute</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>Attribute</span> <span class="token attr-name">Name</span><span class="token attr-value"><span 
class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://schemas.auth0.com/identities/default/isSocial<span class="token punctuation">"</span></span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>AttributeValue</span> <span class="token attr-name"><span class="token namespace">xsi:</span>type</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>xs:boolean<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>true<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AttributeValue</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Attribute</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AttributeStatement</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Assertion</span><span class="token punctuation">></span></span> <span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">samlp:</span>Response</span><span class="token punctuation">></span></span> |
That is a lot of tags and information, so let's look at what each tag and attribute means:
- ID="_1982e84d6ed4dbc53bec": the ID of the SAML Response. Each SAML Response has its own unique ID that distinguishes it from other Responses.
- InResponseTo="id-WXCMjEqG8Esgpdnfl": the ID of the original authentication request. This Response answers the authentication request whose ID is "id-WXCMjEqG8Esgpdnfl".
- Version="2.0": the version of the SAML protocol in use.
- IssueInstant="2023-05-18T04:13:44.023Z": the time at which the SAML Response was issued.
- Destination="http://localhost:5000/saml/callback?org_slug=default": the destination of the SAML Response, i.e. where it is sent.
- <saml:Issuer>: the identifier of the identity provider (IdP), which is Auth0 in this case.
- <samlp:Status>: the status of the SAML Response, indicating whether authentication succeeded or not. It contains a <samlp:StatusCode> element whose value "urn:oasis:names:tc:SAML:2.0:status:Success" indicates that authentication succeeded.
- <saml:Assertion>: the assertion containing the detailed authentication information.
- <Signature>: the digital signature of the SAML Response, ensuring its integrity and authenticity.
- <saml:Subject>: describes the subject the authentication applies to.
- <saml:Conditions>: the conditions and restrictions that apply to the authentication, such as the period during which it may be used; in this example that is one hour, from 2023-05-18T04:13:43.979Z to 2023-05-18T05:13:43.979Z.
- <saml:AuthnStatement>: a statement about the authentication process.
- <saml:AttributeStatement>: a statement about the attributes of the authenticated subject.
In addition, there are several <saml:Attribute> elements inside <saml:AttributeStatement> that describe the attributes of the authenticated subject, such as FirstName, LastName, Email, and attributes coming from the Identity Provider (here Auth0).
After the SAMLResponse is sent to the Service Provider, the Service Provider validates the SAML response. If validation succeeds, the Service Provider grants the user access to the resource they requested earlier (here, by issuing a valid session).
```http
HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 209
Location: http://localhost:5000/
Set-Cookie: remember_token=3-d4e21fdbb3a3c708808e397654825310|11cbe4fdf2454251c7af78125c61747354921f9e28901819a7f411822593e68a2f6523d71575a9805acfb6c065c739be5c718624bbc43e45fb9844468a2c1261; Expires=Sun, 18-Jun-2023 04:13:44 GMT; HttpOnly; Path=/
Set-Cookie: session=.eJw1z8tKBDEQheF3yVqhkrqkMi8zJHVBEVvp7lmJ724Luj_8fOer3HOP46Xczv0RT-X-6uVW0EkTOBIdFBdCGzy6StVpzqzNe7fs4TlXEyAJNs6-1kgkqSgEhtR4BoyOHakyGI8hXtdgs4mROalNUqqmJDDUs3ZdIHUYlwvyGfv73GI7_2l27Hk_P95iu4TTI5R4DgE1wJ6tIl8AbBPIl0hSXR6_pccR-9-tZ6doNf3aTbQOqqCBowuTNsYK5fsHjlJNAA.ZGWl-A.RUAq6b39hHkpiBfG-jt-RcNRzM0; Expires=Thu, 18-May-2023 10:13:44 GMT; HttpOnly; Path=/
....

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/">/</a>. If not click the link.
```
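As an added example (not code from the post or from any SAML library), here are the checks a Service Provider should run on the Response fields described above before it issues the session: InResponseTo, Destination, StatusCode, the Conditions validity window and the Audience. The sample response is constructed from the post's values with the signature left out; verification of the XML signature by an XML-DSig library is assumed to precede these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_CALLBACK = "http://localhost:5000/saml/callback?org_slug=default"
# Constructed sample using the values from the post's Auth0 response. The XML
# signature is omitted: verifying it with an XML-DSig library is assumed to
# happen before these checks and is not implemented here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1982e84d6ed4dbc53bec"
  InResponseTo="id-WXCMjEqG8Esgpdnfl" Version="2.0" IssueInstant="2023-05-18T04:13:44.023Z"
  Destination="%s">
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2023-05-18T04:13:44.023Z">
    <saml:Subject><saml:NameID>test@mail.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-05-18T04:13:43.979Z" NotOnOrAfter="2023-05-18T05:13:43.979Z">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (SP_CALLBACK, SUCCESS, SP_CALLBACK)

def parse_ts(value):
    """Parse SAML's UTC timestamps, e.g. 2023-05-18T04:13:43.979Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_request_id, expected_destination, expected_audience, now):
    """Return the failed checks; an empty list means the SP may issue a session."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:     # ties the response to our request
        errors.append("InResponseTo does not match the AuthnRequest we issued")
    if root.get("Destination") != expected_destination:      # response meant for this endpoint
        errors.append("Destination is not this SP's callback URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return errors + ["expected exactly one Assertion"]
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return errors + ["Conditions with NotBefore/NotOnOrAfter are required"]
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        errors.append("Assertion is outside its validity window")     # the one-hour window
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        errors.append("Audience does not include this SP")
    return errors
```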
OK, that wraps up the introduction to SAML and how SAML works. The next part will focus on exploiting SAML-related vulnerabilities. Stay tuned for the next part.