Help > Forum > Integrazione del sito web > Single Sign On - SAML
Single Sign On - SAML
Security Assertion Markup Language (SAML) è uno standard basato su XML che consente di comunicare le decisioni di autenticazione tra un servizio e un altro. Website Toolbox supporta SAML per l'accesso Single Sign-On in un forum Website Toolbox da un portale aziendale o provider di identità per i clienti che hanno acquistato un piano di abbonamento al forum Standard o Premium.Un provider di identità è un provider attendibile che consente di utilizzare Single Sign-On per accedere ad altri siti Web. Un provider di servizi è un sito web che ospita applicazioni (ad esempio: Website Toolbox).
Segui le istruzioni riportate di seguito per integrare l'SSO SAML nel tuo sito web:
- Stabilire un provider di identità SAML e raccogliere informazioni dal provider di identità. Si tratta del provider che invierà richieste di Single Sign-On a Website Toolbox.
- La versione di SAML utilizzata dall'IdP (1.1 o 2.0). Supportiamo solo SAML 2.0.
- ID dell'entità dell'IDP (noto anche come emittente).
- File XML dei metadati IDP.
- Potrebbe essere necessario utilizzare i seguenti valori per configurare SAML SSO nel provider di identità del sito Web.
- ID entità - https://USERNAME.websitetoolbox.com/sp
- URL ACS - https://USERNAME.websitetoolbox.com/saml/module.php/saml/sp/saml2-acs.php/USERNAME (Assertion Consumer Service)
- Tipo oggetto - Nome utente, ID federazione o ID utente dell'utente. (Consente di specificare quale campo definisce l'identità dell'utente per l'applicazione).
- Nome ID Formato: i formati nameID consentiti sono:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressurn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- ID entità - https://USERNAME.websitetoolbox.com/sp
- Aggiungere i seguenti URL alla Impostazioni SSO per configurare il provider di servizi avviato Login and Logout.
- Pagina di accesso - URL della pagina di accesso del tuo sito web.
- Pagina di log out - URL della pagina di log out del tuo sito web.
- Fornisci il tuo file di metadati del provider di identità ai nostri assistenza clienti per la configurazione di SAML.
-
È necessario impostare i seguenti attributi utente per gli utenti che accedono tramite SAML:
Attributo Descrizione UserID Userid univoco dell'utente. (Obbligatorio) nome utente Nome utente. (Obbligatorio) mail Indirizzo e-mail dell'utente. (Obbligatorio) Una chiave Chiave API di Website Toolbox Forum. (Obbligatorio) È possibile ottenere la chiave API qui. Nickname Il nick name dell'utente. (Obbligatorio se si utilizza il Salesforce IDP) Nome Nome dell'utente. (Facoltativo) Cognome Cognome dell'utente. (Facoltativo) Impostare questi attributi utilizzando un'istruzione attributo nell'asserzione SAML. Esempio:
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">00528000000Seyz</saml:AttributeValue></saml:Attribute> <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">nSrivastava</saml:AttributeValue></saml:Attribute> <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neeraj@gmail.com</saml:AttributeValue></saml:Attribute> <saml:Attribute Name="apikey" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">0XrYQtH5ZsHf58QtH5Zs8NKRMdKVJFyr8i5hpOO</saml:AttributeValue></saml:Attribute> </saml:AttributeStatement>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://USERNAME.websitetoolbox.com/saml/module.php/saml/sp/saml2-acs.php/default-sp" ID="_87fcab9d9410312049f835674a7e65d41466607023109" IssueInstant="2016-06-22T14:50:23.109Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://abc.my.salesforce.com</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_87fcab9d9410312049f835674a7e65d41466607023109"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs xsi"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>1N29VuJQuNw0bglPXTYSw6L5lgw=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>hYyGfKIP+7LLoJI2TKbPLTBfDtiMoDKGmEG4fh2G9Qk0nJNAcjJmiv/9X0n7MZQVvyQ+h38C27Jp Rxwl1OwdGp6snec0pHrH1GeGt3TB3Cj6MeGAgA8LvWZpusTChwR/LcIPW9uAkNSg40SEKK8aFjYp 4rAM0BcGqfs2QSrcloSGfBsGz5VJw9NIavoudKMDbjvGTD21T3k2VFoSmFZshChgfBD3Zb4jC5IL 7BAOSkLiv/NwLeHjQtizltv5tFNz5eEPryjxgMIynMXI/qJrGrr0ZbQ6EOY4DpPFRkjR+y369ueU h6Oq930IoVexF3oGb0fahWjvESQln6VOtXWZKQ==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAU8B/mTiAAAAAEQfI+YwDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM H1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAxNV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZM VTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNV BAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTUwODA2MDc1MTMzWhcNMTcwODA2MDAwMDAwWjCBkDEo MCYGA1UEAwwfU2VsZlNpZ25lZENlcnRfMDZBdWcyMDE1XzA3NTEzMjEYMBYGA1UECwwPMDBEMjgw MDAwMDBXdkxVddfdfdfDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj bzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAKAceZ4/GgiElg3OMOSv6cphKL3czcuIaenqVuKjbhXxEKzL7UwR7ZEU48GnSDG3QvqCGFQq 9xEm0aLSTvFGRDBP9qpdfdfdfd+71HItGxSZi6YV+TajRM1x31FpiqLl8udI/Iw5WsZHYHy4nsrs 7O2DD6hJSPNHFNSbxu5zxbzcRAaoW+9EBJuV4uT/22++ztJMx3baSgDQ3EPcGTHUDt+L5gefsPmW x8gGl1wtR4sbJb9A4BxiZ+FOv1+o9L3sXQb7po4yqPXCRe9XhdD46YiewZP1+5B0nPudqxPp8F0T U4hRfWHSHvzl1FgEhKRyjHF5hwdfgdfdfovKuwwUjF0CAwEAAaOCAQAwgf0wHQYDVR0OBBYEFCTT nL3o0HiBU0eH0XyChY7VvQcFMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUJNOcvejQ eIFTR4fRfIKFjtW9BwWhgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAx NV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZMVTEXMBUGA1UECgwOU2FsZXNmb3JjZS5j b20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFP Af5k4gAAAABEHyPmMA0GCSqGSIb3DQEBCwUAA4IBAQBLS6O9Eb86P4FtBiR4YPoGAUn2O48jnXrP oIx4677l5zilyt3Wt0KCuMfZZ0aCMzP8Q09XVDuKPYJcNb3zki8+jUw8Uo4elKZ9KPQC3Z2mKmro /59qs11p6c1Yrr+k2qtNX/gM4/j1B6shcUctqQPsP763b14vrzKfUkAzDkZ/feuCkey3+87Cucdg WnvZoPirfvPYBcYSJkxygUDcv4bPM7y81AnIxZFqrFDqECoicny/On9ZskzwHdN9PnsiWP4N/LqT OX3dospwsHrxXCClSi4Ua193vXyDPL6F8UCaUsBr6IzuYunXVcioEHWF5cWBueERSAH+8C/wLjxx a9jH</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c111e599082e09ec1e67f2c4c5fd53f01466607023109" IssueInstant="2016-06-22T14:50:23.109Z" Version="2.0"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://neeraj3-dev-ed.my.salesforce.com</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_c111e599082e09ec1e67f2c4c5fd53f01466607023109"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>VWSipDpvJ5SpsmgrjL+7vrlIsCM=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>CfehXdklPiozqvyM8igaXQjGntyWdZPkqt1LuQDV2lVbNnR7b+hD/2zQ7oQRmAyl4/SRPMYdwU7+ nuYINyYyIEmbVPWkxLoKrJYNWqadVTSJcY4AHmqk06xGzQ49Z/7KZpRWBGvrfD5gFkymIB00DUPs PqQn/fLi/9tcBk9SVOmMupPANnxpHkZnJ4sy54PYhj4U3SjYkGDLx/FXXS6a4D7wjR2FqZ5ReZi7 xwB2fUNXYnvf2LsSQ9ubGZLFNd5u1MecwRoGJj74ZYly1/+bscnLQQ0+0ls15JszoV798NUY0UgI k/UGEg1nEVfiQabCZrW/ZwqetwXmCuf1CmF2lw==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAU8B/mTiAAAAAEQfI+YwDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM H1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAxNV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZM VTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNV BAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTUwODA2MDc1MTMzWhcNMTcwODA2MDAwMDAwWjCBkDEo MCYGA1UEAwwfU2VsZlNpZ25lZENlsdsdsdsBdWcyMDE1XzA3NTEzMjEYMBYGA1UECwwPMDBEMjgw MDAwMDBXdkxVMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj bzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAKAceZ4/GgiElg3OMOdfdfdfKL3czcuIaenqVuKjbhXxEKzL7UwR7ZEU48GnSDG3QvqCGFQq 9xEm0aLSTvFGRDBP9qpaZKE5Mc+71HItGxSZi6YV+TajRM1x31FpiqLl8udI/Iw5WsZHYHy4nsrs 7O2DD6hJSPNHFNSbxu5zxbzcRAaoW+9EBJuV4uT/22++ztJMx3baSgDQ3EPcGTHUDt+L5gefsPmW x8gGl1wtR4sbJb9A4BxdfdFOv1+o9L3sXQb7po4yqPXCRe9XhdD46YiewZP1+5B0nPudqxPp8F0T U4hRfWHSHvzl1FgEhKRyjHF5hwnJlJ4GcovKuwwUjF0CAwEAAaOCAQAwgf0wHQYDVR0OBBYEFCTT nL3o0HiBU0eH0XyChY7VvQcFMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUJNOcvejQ eIFTR4fRfIKFjtW9BwWhgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAx NV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZMVTEXMBUGA1UECgwOU2FsZXNmb3JjZS5j b20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFP Af5k4gAAAABEHyPmMA0GCSqGSIb3DQEBCwUAA4IBAQBLS6O9Eb86P4FtBiR4YPoGAUn2O48jnXrP oIx4677l5zilyt3Wt0KCuMfZZ0aCMzP8Q09XVDuKPYJcNb3zki8+jUw8Uo4elKZ9KPQC3Z2mKmro /59qs11p6c1Yrr+k2qtNX/gM4/j1B6shcUctqQPsP763b14vrzKfUkAzDkZ/feuCkey3+87Cucdg WnvZoPirfvPYBcYSJkxygUDcv4bPM7y81AnIxZFqrFDqECoicny/On9ZskzwHdN9PnsiWP4N/LqT OX3dospwsHrxXCClSi4Ua193vXyDPL6F8UCaUsBr6IzuYunXVcioEHWF5cWBueERSAH+8C/wLjxx a9jH</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">nSrivastava</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2016-06-22T14:55:23.110Z" Recipient="http://USERNAME.websitetoolbox/saml/module.php/saml/sp/saml2-acs.php/default-sp"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2016-06-22T14:49:53.110Z" NotOnOrAfter="2016-06-22T14:55:23.110Z"> <saml:AudienceRestriction> <saml:Audience>https://USERNAME.websitetoolbox/sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2016-06-22T14:50:23.110Z"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">00528000000sgQZ</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">nSrivastava</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neeraj@websitetoolbox.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">false</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="apikey" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">uJWAd1W9Q99sdk8vj3ujZqd3e4jJ0PTLLrdUSlkNVf</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="nickName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neerajs</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neeraj</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">srivastava</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
Di seguito sono riportati alcuni link relativi alla documentazione SAML2.0, che possono aiutare a comprendere la configurazione SSO SAML2.0:
- https://en.wikipedia.org/wiki/SAML_2.0
- https://en.wikipedia.org/wiki/Identity_provider
- http://www.slideshare.net/koivimik/introduction-to-saml-20
- https://help.salesforce.com/HTViewHelpDoc?id=identity_provider_about.htm
Si noti che sosteniamo anche altri metodi Single Sign On che potrebbe essere più facile da configurare.
If you still need help, please contact us.