O SAML (Security Assertion Markup Language) é um padrão baseado em XML para a autenticação e autorização de informações entre dois parceiros confiáveis. Ele é baseado em outros padrões:
Identity Provider (IDP) / Asserting Party
O fluig Identity suporta o Single Sign On baseado no SAML 2.0. Eles suportam os SSO SP-initiated e IDP-initiated.
Recebe a resposta SAML.
Verifica a assinatura.
Valida a resposta SAML.
Verifica o status da resposta, se foi uma autenticação válida ou não. Se o status for uma falha, ignora a assertion.
Valida o emissor. Isto exige que o IDP seja registrado com o SP.
Se criptografado, descriptografa a assertion.
Valida que a resposta possui uma assertion, declarações de autenticação e declarações de atributos.
Certifica-se que a assertion é valida na instância dada e é intencionada para o SP.
Determina a autorização dos usuários baseado nas declarações de autenticação e atributos na assertion.
Se autorizado, redireciona o usuário para o recurso requisitado/protegido.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://www.google.com/a/domain.com/acs"
ID="cknmoleiackllcefehnhjinlfiaajgggmeaffkfa"
IsPassive="false"
IssueInstant="2012-10-18T23:40:09Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="google.com"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest> |
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://login.salesforce.com"
ID="_13302cb62e037657beae3cac41a35218"
IssueInstant="2013-12-20T21:45:08.659Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">TotvsLabs</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
……………………………………
<ds:SignatureValue>Kco2wsDhR5LrpyZhp869SHtc0v9G5OTe/sPkTF8cqMoAeWJSdcFUc1HMyNkpnY8Cfyp1jE7SNYSalK7yE7aOL7QV7wDuBTAb/G2u7mHDTIOIW3TG1wxOI6uZT2NmL4UFGuVbg8lNB59Fca63lVvGawPxZ8PdjU2F/nR3vEJOLLo=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICBjCCAW8CBgFC6DL/BTANBgkqhkiG9w0BAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp………………………Bmfp9VNd6/zu
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature> <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_5ed003a04c22e77bbf0aa57da0658e6b"
IssueInstant="2013-12-20T21:45:08.714Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TotvsLabs</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
……………………………
</ds:SignedInfo>
<ds:SignatureValue>Gant8FV0/+nB63AsU7T4Qv8sLb5xw6xeTrcPYIbxlqpROTwb1ihjvaGM5eZbap/yFAqFA6MVpsJ7yaTIYtcLajnE9NTf1Hqiq6rjuLUUAOiamgkmDr5iq83VqjrfCjQBf4/5VtxmI5nHdEbOFmaRy797GZQJ5fk5lQA+fxNbAKc=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICBjCCAW8CBgFC6DL/BTANBgkqhkiG9w0BAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp………………………Bmfp9VNd6/zu</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
NotOnOrAfter="2013-12-20T21:55:08.714Z" Recipient="https://login.salesforce.com"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2013-12-20T21:45:08.714Z" NotOnOrAfter="2013-12-20T21:55:08.714Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://saml.salesforce.com</saml2:Audience> </saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2013-12-20T21:45:08.525Z">
<saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="Role" Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement> </saml2:Assertion>
</saml2p:Response> |
<!-- Hotjar Tracking Code for tdn.totvs.com -->
<script>
(function(h,o,t,j,a,r){
h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
h._hjSettings={hjid:577655,hjsv:5};
a=o.getElementsByTagName('head')[0];
r=o.createElement('script');r.async=1;
r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
a.appendChild(r);
})(window,document,'//static.hotjar.com/c/hotjar-','.js?sv=');
</script>
|