security - SAML authentication request protocol ID

Reposted. Author: 行者123. Updated: 2023-12-04 01:52:43

When using the SAML 2.0 protocol with the HTTP Redirect binding, I should send a structure like this to the identity provider:

<q1:AuthnRequest 
ID="{82AB4AE6-919C-5FE6-C843-8342E6F9AB61}" Version="2.0"
IssueInstant="2011-02-22T09:19:48+0100"
Destination="https://test.server.com/Service.jsf"
IsPassive="false"
AssertionConsumerServiceURL="http://myservice.com/sso/"
xmlns:q1="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">test.server.com</Issuer>
</q1:AuthnRequest>

My question is: how is the value of ID generated?
ID="{82AB4AE6-919C-5FE6-C843-8342E6F9AB61}" Version="2.0"
What are the rules for generating it?

Best answer

The exact method of generating a SAML ID is not explicitly defined; it only has to conform to the XML ID standard. An XML ID is an xsd:NCName, which is derived from xsd:Name: it cannot start with a digit or contain whitespace, and it should have 160 bits of "randomness".
The simplest ID generator in Java that satisfies that condition is:

import java.util.UUID;

String id() {
    // Leading "a" guarantees the value does not start with a digit (NCName rule)
    return "a" + UUID.randomUUID();
}
In addition, OpenSAML ships with SecureRandomIdentifierGenerator:
// OpenSAML 2.x packages
import org.opensaml.common.IdentifierGenerator;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;

// You will need to catch the NoSuchAlgorithmException during construction.
IdentifierGenerator idGenerator = new SecureRandomIdentifierGenerator();

String id() {
return idGenerator.generateIdentifier();
}
The actual generation code looks like this:
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import org.bouncycastle.util.encoders.Hex; // Bouncy Castle hex encoder used by OpenSAML 2.x

// getInstance throws the checked NoSuchAlgorithmException, hence the constructor warning above
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");

String generateIdentifier() {
    return generateIdentifier(16); // 16 bytes = 128 bits, the spec's MUST minimum
}

String generateIdentifier(int size) {
    byte[] buf = new byte[size];
    random.nextBytes(buf);
    // Leading "_" keeps the value a valid NCName even when the first hex digit is 0-9
    return "_".concat(new String(Hex.encode(buf)));
}
Another option comes from SAMLSSOUtil:
import java.util.Random;

// Each nibble (0-15) maps to a letter a-p, so the output is all letters and is always a valid NCName
char[] charMapping = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p' };
// Note: java.util.Random is not a cryptographically secure generator; SecureRandom is the safer choice for IDs
Random random = new Random();

String createID() {
    byte[] bytes = new byte[20]; // 160 bits
    random.nextBytes(bytes);

    char[] chars = new char[40]; // two letters per byte

    for (int i = 0; i < bytes.length; i++) {
        int left = (bytes[i] >> 4) & 0x0f;  // high nibble
        int right = bytes[i] & 0x0f;        // low nibble
        chars[i * 2] = charMapping[left];
        chars[i * 2 + 1] = charMapping[right];
    }

    return String.valueOf(chars);
}
From the OASIS documentation:

The xs:ID simple type is used to declare SAML identifiers for assertions, requests, and responses. Values declared to be of type xs:ID in this specification MUST satisfy the following properties in addition to those imposed by the definition of the xs:ID type itself:

• Any party that assigns an identifier MUST ensure that there is negligible probability that that party or any other party will accidentally assign the same identifier to a different data object.
• Where a data object declares that it has a particular identifier, there MUST be exactly one such declaration.

The mechanism by which a SAML system entity ensures that the identifier is unique is left to the implementation. In the case that a random or pseudorandom technique is employed, the probability of two randomly chosen identifiers being identical MUST be less than or equal to 2^-128 and SHOULD be less than or equal to 2^-160. This requirement MAY be met by encoding a randomly chosen value between 128 and 160 bits in length. The encoding must conform to the rules defining the xs:ID datatype. A pseudorandom generator MUST be seeded with unique material in order to ensure the desired uniqueness properties between different systems.

The xs:NCName simple type is used in SAML to reference identifiers of type xs:ID since xs:IDREF cannot be used for this purpose. In SAML, the element referred to by a SAML identifier reference might actually be defined in a document separate from that in which the identifier reference is used. Using xs:IDREF would violate the requirement that its value match the value of an ID attribute on some element in the same XML document.
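The three generators in the answer all solve the same two problems: emit 128 to 160 random bits, and encode them so the result is a lexically valid xs:ID (an NCName: no leading digit, no colon, no whitespace, no braces). The following Python is an added example, not code from the post or from OpenSAML or SAMLSSOUtil; it reimplements each encoding scheme over a CSPRNG, adds an NCName check, and reports how many random bits each scheme actually carries. One fact worth noticing: a version-4 UUID fixes 6 of its 128 bits for the version and variant fields, so the "a" + UUID scheme encodes 122 random bits, just under the 128-bit MUST in the spec text above. The regex is assumed to cover only the ASCII subset of the NCName grammar, which is all these generators emit; the ID from the question, with its braces, is used as a constructed negative sample.

```python
import re
import secrets
import uuid

# xs:ID is lexically an xs:NCName: an XML Name without a colon. This regex is
# the ASCII subset of that grammar (assumption: ASCII only, which is all the
# generators above emit): first char a letter or "_", then letters, digits,
# ".", "-" or "_". A value may not start with a digit; "{", "}" and ":" are out.
_NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

# SAML 2.0 Core, section 1.3.4 (quoted above): collision probability MUST be
# <= 2^-128 and SHOULD be <= 2^-160, i.e. 128 to 160 random bits per value.
MUST_BITS = 128
SHOULD_BITS = 160

# Same nibble -> letter table as the SAMLSSOUtil snippet; an all-letter output
# is a valid NCName without needing a prefix.
_NIBBLE_ALPHABET = "abcdefghijklmnop"


def is_valid_saml_id(value: str) -> bool:
    """Lexical check only: does the value satisfy the (ASCII) NCName rule?"""
    return bool(_NCNAME_ASCII.match(value))


def uuid_prefixed_id() -> str:
    """The "a" + UUID scheme. UUIDv4 fixes 6 bits (version and variant), so
    the value carries 122 random bits, not 128."""
    return "a" + str(uuid.uuid4())


def hex_prefixed_id(nbytes: int = 20) -> str:
    """The OpenSAML scheme: "_" + hex of nbytes CSPRNG bytes (160 bits at 20).
    The underscore keeps the value an NCName when the first hex digit is 0-9."""
    return "_" + secrets.token_bytes(nbytes).hex()


def letter_mapped_id(nbytes: int = 20) -> str:
    """The SAMLSSOUtil scheme over a CSPRNG: each nibble maps to one of
    "a".."p", so 20 bytes become 40 letters and no prefix is needed."""
    chars = []
    for b in secrets.token_bytes(nbytes):
        chars.append(_NIBBLE_ALPHABET[(b >> 4) & 0x0F])
        chars.append(_NIBBLE_ALPHABET[b & 0x0F])
    return "".join(chars)


def random_bits(scheme: str, nbytes: int = 20) -> int:
    """Random bits each scheme encodes; compare against MUST_BITS / SHOULD_BITS."""
    return {"uuid": 122, "hex": nbytes * 8, "letters": nbytes * 8}[scheme]


def meets_requirement(bits: int, required: int = MUST_BITS) -> bool:
    """True if a scheme's bit count satisfies the given spec threshold."""
    return bits >= required


if __name__ == "__main__":
    # Constructed negative sample: the ID from the question, braces included.
    print(is_valid_saml_id("{82AB4AE6-919C-5FE6-C843-8342E6F9AB61}"))  # False
    for name, gen in (("uuid", uuid_prefixed_id),
                      ("hex", hex_prefixed_id),
                      ("letters", letter_mapped_id)):
        value = gen()
        print(name, value, is_valid_saml_id(value),
              random_bits(name), meets_requirement(random_bits(name)))
```

The lexical check is the one to run on the consuming side as well: a service provider that stores the AuthnRequest ID and later matches it against InResponseTo only benefits from the uniqueness property if the values it stored were well-formed in the first place.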

Regarding "security - SAML authentication request protocol ID", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/5076675/
