如何在 IDP 和 SP 之间交换 SAML 断言

Question

这是在 IDP 和 SP 之间交换 SAML 断言的代码的 sn-p，我可以从 IDP 获取 SAML 断言，但是在 SP 端从 IDP 获取 SAML 断言的代码不起作用。

def exchange_assertion(self):
    """Send assertion to a SP."""
    # sp[u'sp_url'] = http://localhost/Shibboleth.sso/SAML2/ECP
    response = self.session.post(
        sp[u'sp_url'],
        headers={'Content-Type': 'application/vnd.paos+xml'},
        data=self.assertion,
        authenticated=False,
        redirect=False)

    # the status code is 302, so I assume it's okay so far.
    self._check_response(response)

    # sp[u'auth_url'] is url of which points to SP where it expects
    # the saml assertion can be fetched from the context, but 
    # it doesn't unfortunately.
    r = self._handle_http_302_ecp_redirect(self.session, response, sp[u'auth_url'],
                                           method='GET',
                                           headers={'Content-Type':
                                           'application/vnd.paos+xml'})

def _handle_http_302_ecp_redirect(self, session, response, location, method, **kwargs):
    return session.get(location, authenticated=False, **kwargs)

我被卡住的地方是无法从上下文 ['environment'] 中获取 saml 断言。那么，这里出了什么问题？提前感谢您的任何建议。

Answer 1

啊，apache下有些配置错误，问题已经解决了。

/etc/shibboleth/shibboleth2.xml中的配置配置为使用默认Application，所以我必须在apache下将applicationId改为'default'，配置如下，

<Location ~ "/this is the auth uri/">
    ShibRequestSetting requireSession 1
    AuthType shibboleth
    ShibRequestSetting applicationId default
    #ShibRequireAll On
    #ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>

然后就可以了。