Analysis of the Alibaba Cloud sub-account SAML SSO flow

0. SAML terminology and flow

Unified authentication center (Identity Provider, IdP): here, the customer's own unified authentication center
Service Provider (SP): here, Alibaba Cloud

[Figure: SAML SSO flow diagram]
The figure illustrates the following steps.
1. The user attempts to access WebApp1.
2. WebApp1 generates a SAML authentication request. The SAML request is encoded and embedded in the URL of the SSO service. A RelayState parameter, which contains the encoded URL of the WebApp1 application the user is trying to reach, is also embedded in the SSO URL. The RelayState parameter is an opaque identifier: it is passed straight back without any modification or inspection.
3. WebApp1 sends a redirect to the user's browser. The redirect URL contains the encoded SAML authentication request that is to be submitted to the SSO service.
4. The SSO service (the unified authentication center, i.e. the Identity Provider) decodes the SAML request and extracts the ACS (Assertion Consumer Service) URL of WebApp1 as well as the user's target URL (the RelayState parameter). The IdP then authenticates the user. It may ask for valid login credentials or check for a valid session cookie to verify the user's identity.
5. The IdP generates a SAML response containing the username of the authenticated user. In accordance with the SAML 2.0 specification, this response is digitally signed with the IdP's DSA/RSA public/private key pair.
6. The IdP encodes the SAML response together with the RelayState parameter and returns that information to the user's browser. The IdP provides a mechanism so that the browser can forward the information to the WebApp1 ACS.
WebApp1 verifies the SAML response with the IdP's public key. If the response verifies successfully, the ACS redirects the user to the target URL.
7. The user is redirected to the target URL and is logged in to WebApp1.
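The exchange in steps 2 to 4, as an added example that is not part of the original article: the SP builds an AuthnRequest plus RelayState and encodes it into the IdP redirect URL with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), and the IdP decodes it and extracts the ACS URL and RelayState. The entity IDs and endpoint URLs are the ones that appear in the two metadata documents later in the article; the SP registry, the request IDs and the RelayState value are constructed for the example, and the code uses only the Python standard library.

```python
"""Added example (not from the article): SAML AuthnRequest over the HTTP-Redirect binding."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values taken from the metadata documents shown in the article.
SP_ENTITY_ID = "https://signin.aliyun.com/saml/SSO"
SP_ACS_URL = "https://signin.aliyun.com/saml/SSO"
IDP_SSO_URL = "https://mycomputer.onalipay.xyz/adfs/ls/"

# Constructed: the IdP's registry of trusted SPs, issuer -> ACS URL taken from
# that SP's metadata (a real IdP keeps this in its relying-party configuration).
REGISTERED_SPS = {SP_ENTITY_ID: SP_ACS_URL}


def build_authn_request(request_id=None, issue_instant=None):
    """Step 2: the SP builds an (unsigned) AuthnRequest naming its own ACS URL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" ProtocolBinding="{HTTP_POST}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_url(authn_request_xml, relay_state):
    """Steps 2-3: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,  # opaque to the IdP, handed back unchanged later
    })
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_url(url):
    """Step 4: the IdP reverses the encoding and pulls out what it needs."""
    qs = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode()
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def idp_validate_request(req):
    """IdP-side checks before the user is authenticated.

    The ACS URL arrives in an unsigned request, so it must not be trusted as-is: it is
    compared with the ACS the SP published in its metadata, and the Destination must be
    this IdP's own SSO endpoint. Returns the URL the Response will be POSTed to (step 6)."""
    registered_acs = REGISTERED_SPS.get(req["issuer"])
    if registered_acs is None:
        raise PermissionError(f"unknown SP issuer {req['issuer']!r}")
    if req["acs_url"] != registered_acs:
        raise PermissionError("AssertionConsumerServiceURL does not match SP metadata")
    if req["destination"] != IDP_SSO_URL:
        raise PermissionError("Destination is not this IdP's SSO endpoint")
    return registered_acs


if __name__ == "__main__":
    # Constructed RelayState: the page the user originally asked for.
    url = encode_redirect_url(build_authn_request(), "https://example-target.invalid/page")
    req = decode_redirect_url(url)
    print("Response will be POSTed to:", idp_validate_request(req))
    print("RelayState returned untouched:", req["relay_state"])
```

The SP-side part is a plain round trip; the point worth keeping from the IdP side is that the ACS URL carried inside the request is only a hint and is checked against the SP's registered metadata before any assertion is issued.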

1. Preparation

Obtain the Alibaba Cloud metadata
The Alibaba Cloud SAML metadata.xml specifies Alibaba Cloud's certificate (public key), the supported NameIDFormat data-exchange formats, and the endpoint address https://signin.aliyun.com/saml/SSO

<?xml version="1.0" encoding="utf-8"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https___signin.aliyun.com_saml_SSO" entityID="https://signin.aliyun.com/saml/SSO">  
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <md:KeyDescriptor use="signing"> 
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
        <ds:X509Data> 
          <ds:X509Certificate>MIIDUTCCAjmgAwIBAgIEIv2v9DANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDTjERMA8GA1UE BxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNhcmExEDAOBgNV BAMTB0FsaWJhYmEwHhcNMTcwMzE0MTc1OTE5WhcNMjcwMzEyMTc1OTE5WjBZMQswCQYDVQQGEwJD TjERMA8GA1UEBxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNh cmExEDAOBgNVBAMTB0FsaWJhYmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqK2HR tf4smv9pCQtPenFE1w6lvxsHiv0J/knvpC1BU4iAWcS8LxAElKb49QbKHuUxcwEGJfm0+zZpqS+J I3jmGc4aHYACyL2WxtKNx/5EK1Qs5ugCipn7g+ySOqXxc/Rv2S7muw6LTrGVTT7vo09EUDkZM34s TupuU7tzX0ktYhimxwskG9o7bvZuQKQf66gN8l/DUzyUl59/0wA1+x5A5B3pvaABCA6dq4mi8mtJ fTXcqWm06+FgVNPgKo59uP6y08rQJXjKDwLIf0owuoiRrPLR5JKC1vQ6PSz0cGv8tGUts5dr/0zG FHy4h3aufQiXCSi44WUB3FejQQfgEiBdAgMBAAGjITAfMB0GA1UdDgQWBBShWN61nZsWz9MYnSrV kCkJnSdFtDANBgkqhkiG9w0BAQsFAAOCAQEAMMAl+C3oyI6kZNmvX05Sb0q6UAM8wqjFKbPhSSiy srjVZwjEjiZnOSnoX8vO07fsZpcVmByHzGXWuBxxKCviCpQCS9hyOTF6bvAoXwe37h02Uhv3tKI0 7FRkXJA7HeB0HEuHPCBxxWVWJfgtkeUETnGV06CrUlGON7Du3h37EUzfTqmKhlsqKeK8uqw3gLYq Bp6ULrP1PbNo2AaHMYaZhFL1dSUtNYvekZppregZKMIDqtEm6Pwpw2lj8gjTC40PQ0GuXEeTsfE5 dhw42xc9RkyUg1Go04k9Z/UMxTX0KVMiRZ9DF2FWjWp1AAQJ3TvZ2Ao/XOhmk4GWRehUoHr7Hw==</ds:X509Certificate> 
        </ds:X509Data> 
      </ds:KeyInfo> 
    </md:KeyDescriptor>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>  
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aliyun.com/saml/SSO" index="0" isDefault="true"/> 
  </md:SPSSODescriptor> 
</md:EntityDescriptor>

Obtain the onalipay.xyz metadata.xml (the AD FS federation metadata of the IdP)


<?xml version="1.0" encoding="utf-8"?>

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3f71fd07-84e5-4343-915a-9e74ab6108b9" entityID="http://myComputer.onalipay.xyz/adfs/services/trust">  
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
    <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>  
      <ds:Reference URI="#_3f71fd07-84e5-4343-915a-9e74ab6108b9"> 
        <ds:Transforms> 
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        </ds:Transforms>  
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>  
        <ds:DigestValue>V5OSnZNev7S2DYV4MDJ4aiFDXBg5PPYZQ9Q3New34Pk=</ds:DigestValue> 
      </ds:Reference> 
    </ds:SignedInfo>  
    <ds:SignatureValue>DQOdDymLabJtJkBE5RRWc7f1Fla99mkEjSadAW5pLnAxES8Lee8olVNzpa4hEbh0WA5DpTM9f8hgTdCiaMkb7l7I9Woeye2gZLBV1CIXFojuVfrgXSCtJ3CPFpxYDIp+0/uHzh9H/GbAwmsYER4TZ820ieq8hFPZFgU/yc1vNZcfm2ZCGMRDbSHq1XlpIokAmX0YOALaTTj9yhxkSz7uSvyQHHLkBZ98CqutklutXYtl7WT44TGOF7TVenKzWKTrKCG1SApO9BcDoI4ZZ4DEzfQHzVrCpLIuRFx+BlDuzf/1wwmgNdC5ay5TUzvOTyAO/85Efawb1k4K++tCZVjHRA==</ds:SignatureValue>  
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
      <X509Data> 
        <X509Certificate>[certificate omitted]</X509Certificate> 
      </X509Data> 
    </KeyInfo> 
  </ds:Signature>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>[certificate omitted]</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:ClaimTypesRequested> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesRequested>  
    <fed:TargetScopes> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>http://mycomputer.onalipay.xyz/adfs/services/trust</Address> 
      </EndpointReference> 
    </fed:TargetScopes>  
    <fed:ApplicationServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference> 
    </fed:ApplicationServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>[certificate omitted]</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:TokenTypesOffered> 
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>  
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/> 
    </fed:TokenTypesOffered>  
    <fed:ClaimTypesOffered> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesOffered>  
    <fed:SecurityTokenServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/certificatemixed</Address>  
        <Metadata> 
          <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">  
            <wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">  
              <wsx:MetadataReference> 
                <Address xmlns="http://www.w3.org/2005/08/addressing">https://mycomputer.onalipay.xyz/adfs/services/trust/mex</Address> 
              </wsx:MetadataReference> 
            </wsx:MetadataSection> 
          </Metadata> 
        </Metadata> 
      </EndpointReference> 
    </fed:SecurityTokenServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>[certificate omitted]</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>[certificate omitted]</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="0" isDefault="true"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="1"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="2"/> 
  </SPSSODescriptor>  
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>[certificate omitted]</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycomputer.onalipay.xyz/adfs/services/trust/artifactresolution" index="0"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"></Attribute> 
  </IDPSSODescriptor> 
</EntityDescriptor>

This XML contains a great deal, but Alibaba Cloud only needs a few items from it:
the certificate public key, signInUrl, signOutUrl and entityId.
The information Alibaba Cloud parses out of it is as follows:

{
    "requestId": "requestId",
    "samlSsoProperties": {
        "ssoEnabled": true,
        "entityId": "http://myComputer.onalipay.xyz/adfs/services/trust",
        "signInUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "signOutUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "certificate": "<base64 certificate omitted>",
        "validUntil": "2018-11-01T07:18:36.000UTC"
    },
    "success": true
}

We upload the onalipay.xyz metadata.xml in the enterprise console at enterprise.console.aliyun.com under Personnel Management > Directory Settings > SSO Settings and enable SSO; we also bind the domain onalipay.xyz under Domain Management.

2. Alibaba Cloud SAML protocol analysis

2.1 SAMLRequest

Going to signin.aliyun.com and entering the account name administrator@onalipay.xyz redirects the browser to the address
https://mycomputer.onalipay.xyz/adfs/ls/?SAMLRequest=hZFPb4IwGMbv%2BxSkdygwFWwE42bMTFxGBHfYrasVaqBlfYuRffqhaOYu7vgmz583v2cyPValdeAahJIR8hwXWVwytRUyj9AmW9ghmsYPE6BV6ddk1phCrvlXw8FYMwCuTed7VhKaiuuU64NgfLNeRagwpgaCMYhcCunQUrSNdJiq8CkKp%2BkbsuZdipDUnKuvhqrtRHVjuHaU7Gw1bZ1j%2B43pdge4BIyshdKMnz%2BJ0I6WwJG1nEeI7oJ9MMrH%2BwELgiL0huO8oNzfe4yGXthpIKEA4sB%2FXQANX0owVJoI%2Ba4X2J5vP7qZOyDekPgjZ%2BB6H8hKtDKKqfJJyJ5LoyVRFAQQSSsOxDCSzl5XxHdc8tmLgLxkWWInb2mGrPcrX%2F%2FEtyMugfRE72fVl2IU9wOQ88f6NuF%2BAL1OhOL%2FB5ng25L4cv4dPf4B&RelayState=https%3A%2F%2Fhome.console.aliyun.com%2F
where https://mycomputer.onalipay.xyz/adfs/ls/ is the signInUrl configured in metadata.xml.

The SAMLRequest parameter is XML that has been DEFLATE-compressed, base64-encoded and URL-encoded; decoded, it reads as follows.
SAMLRequest decoder used: https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp

<?xml version="1.0" encoding="utf-8"?>

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://signin.aliyun.com/saml/SSO" Destination="https://mycomputer.onalipay.xyz/adfs/ls/" ForceAuthn="false" ID="af7j76g9j4c77h8159ghae2j1ca818" IsPassive="false" IssueInstant="2017-12-30T04:15:26.401Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://signin.aliyun.com/saml/SSO</saml2:Issuer>
</saml2p:AuthnRequest>

The SAMLRequest carries the ID, Issuer, IssueInstant, Destination and related fields.
RelayState gives the address to return to once authentication is complete: RelayState=home.console.aliyun.com

2.2 SAMLResponse

When https://mycomputer.onalipay.xyz/adfs/ls/ receives the SAMLRequest it obtains the current user's information, sending the user to the identity provider's login page to sign in if needed. After a successful login it returns a SAMLResponse to the Issuer (https://signin.aliyun.com/saml/SSO) as follows:
POST https://signin.aliyun.com/saml/SSO
SAMLResponse:
(base64-encoded SAMLResponse, omitted here)
RelayState:
https://home.console.aliyun.com/

The SAMLResponse after base64 decoding:

<?xml version="1.0" encoding="utf-8"?>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3b8146b0-eaa8-467c-8fc7-3dab18bb0c27" Version="2.0" IssueInstant="2017-12-30T04:15:40.862Z" Destination="https://signin.aliyun.com/saml/SSO" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="af7j76g9j4c77h8159ghae2j1ca818">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6a954ab5-8e46-4783-a270-f0dfb15283f8" IssueInstant="2017-12-30T04:15:40.862Z" Version="2.0">
    <Issuer>http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_6a954ab5-8e46-4783-a270-f0dfb15283f8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>5lRzvfwkgpcF9guZTWi1xi3KnkMEIG+DJ1N9L9NpU8Q=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WF3jd8MK6nb/tmU2FqAegD+OiMRWJmch0bz2UFI9MeWIc22A426aobS7azS9/j+t481TKzd71b4piMs5SncNc5w/Rd8M/yI5GOCJl2IWAUeJZToQrqIdA/TWHwZ/9nEkQMkay+Ekz3owJhVgtYVRKsewHwCAjWIdOtD9kN5DlQfa1A9RzxHIYq1f1W9WU92FzVh3whIx31igty+XbwPmB6PBsMKZEfpwrDvdG0tOuGTJ9gmuEpaZ8AbqWDa0CKbLxklpg5zzuCM5tz4QXBLpE1YjeoKdGpJuVrq/dhKD4rs8DWfQmPnJ/fF6SjWFuYPXQJu5aCeNq2V8OWde1gP6Ow==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>Administrator@onalipay.xyz</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="af7j76g9j4c77h8159ghae2j1ca818" NotOnOrAfter="2017-12-30T04:20:40.862Z" Recipient="https://signin.aliyun.com/saml/SSO"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-12-30T04:15:40.855Z" NotOnOrAfter="2017-12-30T05:15:40.855Z">
      <AudienceRestriction>
        <Audience>https://signin.aliyun.com/saml/SSO</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-12-30T04:15:40.757Z" SessionIndex="_6a954ab5-8e46-4783-a270-f0dfb15283f8">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

The most important item is the NameID inside Subject: Alibaba Cloud uses it to determine which account has just authenticated,
and signs the user in as the account named in NameID.
RelayState tells Alibaba Cloud which page to redirect to after the login succeeds; in this example it is home.console.aliyun.com.
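As an added example (not code from the article or from Alibaba Cloud), the following Python shows the service-provider side of the exchange described in 2.1 and 2.2: the SAMLRequest encoding chain round-tripped, and the consistency checks an ACS needs to make on the posted SAMLResponse before the NameID may be trusted. The sample messages are constructed from the article's values with the signature block and certificate omitted; the trust anchors are the entityIds and ACS URL shown above.

```python
import base64, zlib, xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote, unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Trust anchors from the article: Aliyun's entityId/ACS URL and the IdP entityId Aliyun parsed from metadata.xml.
SP_ENTITY_ID = ACS_URL = "https://signin.aliyun.com/saml/SSO"
IDP_ENTITY_ID = "http://myComputer.onalipay.xyz/adfs/services/trust"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def ts(s):  # SAML timestamp such as 2017-12-30T04:15:40.862Z -> timezone-aware datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def encode_saml_request(xml_text):
    # HTTP-Redirect binding as described in 2.1: raw DEFLATE, base64, then URL-encode the SAMLRequest value.
    z = zlib.compressobj(wbits=-15)
    return quote(base64.b64encode(z.compress(xml_text.encode()) + z.flush()).decode(), safe="")

def decode_saml_request(param):
    # Reverse the chain and return the AuthnRequest fields the article calls out.
    root = ET.fromstring(zlib.decompress(base64.b64decode(unquote(param)), -15))
    out = {k: root.get(k) for k in ("ID", "Destination", "AssertionConsumerServiceURL")}
    out["Issuer"] = root.findtext("saml:Issuer", namespaces=NS)
    return out

def encode_saml_response(xml_text): return base64.b64encode(xml_text.encode()).decode()  # HTTP-POST binding

def check_saml_response(response_b64, request_id, now):
    # SP-side consistency checks on a posted SAMLResponse; returns (NameID, list of problems). XML-DSig verification
    # against the metadata certificate (never the cert embedded in KeyInfo) is a separate step that must also pass.
    resp = ET.fromstring(base64.b64decode(response_b64))
    a = resp.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    checks = [
        (resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS, "status is not Success"),
        (resp.get("InResponseTo") == scd.get("InResponseTo") == request_id, "InResponseTo does not match our AuthnRequest ID"),
        (a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "assertion Issuer is not the configured IdP entityId"),
        (resp.get("Destination") == scd.get("Recipient") == ACS_URL, "Destination/Recipient is not our ACS URL"),
        (a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID, "Audience is not our entityId"),
        (ts(cond.get("NotBefore")) <= now < min(ts(cond.get("NotOnOrAfter")), ts(scd.get("NotOnOrAfter"))), "outside the validity window"),
    ]
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), [msg for ok, msg in checks if not ok]

# Constructed samples carrying the article's values (signature block and certificate omitted).
AUTHN_REQUEST_XML = ('<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="af7j76g9j4c77h8159ghae2j1ca818" '
    'Destination="https://mycomputer.onalipay.xyz/adfs/ls/" AssertionConsumerServiceURL="https://signin.aliyun.com/saml/SSO">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://signin.aliyun.com/saml/SSO</saml2:Issuer></saml2p:AuthnRequest>')
RESPONSE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_3b8146b0-eaa8-467c-8fc7-3dab18bb0c27" Destination="https://signin.aliyun.com/saml/SSO" InResponseTo="af7j76g9j4c77h8159ghae2j1ca818">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<Assertion ID="_6a954ab5-8e46-4783-a270-f0dfb15283f8"><Issuer>http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>'
    '<Subject><NameID>Administrator@onalipay.xyz</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<SubjectConfirmationData InResponseTo="af7j76g9j4c77h8159ghae2j1ca818" NotOnOrAfter="2017-12-30T04:20:40.862Z" Recipient="https://signin.aliyun.com/saml/SSO"/>'
    '</SubjectConfirmation></Subject><Conditions NotBefore="2017-12-30T04:15:40.855Z" NotOnOrAfter="2017-12-30T05:15:40.855Z">'
    '<AudienceRestriction><Audience>https://signin.aliyun.com/saml/SSO</Audience></AudienceRestriction></Conditions></Assertion></samlp:Response>')
```

The SubjectConfirmationData window (five minutes in the article's response) is deliberately shorter than the Conditions window, so the check takes the earlier of the two NotOnOrAfter values.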

3. Conclusion

This completes our analysis of the Alibaba Cloud SAML SSO login flow. In a follow-up we will cover how to connect Alibaba Cloud SAML with a Shibboleth IdP backed by LDAP.
