阿里云子账号SAML SSO流程分析-阿里云开发者社区

开发者社区> 大数据> 正文

阿里云子账号SAML SSO流程分析

简介: 0.Saml术语和流程 统一认证中心(Indentity Provider) 此处指客户的统一认证中心服务提供者(Service Provider) 此处指阿里云 此图片说明了以下步骤。1.用户尝试访问WebApp1。

0.Saml术语和流程

统一认证中心(Indentity Provider) 此处指客户的统一认证中心
服务提供者(Service Provider) 此处指阿里云

201111192044014292.gif
此图片说明了以下步骤。
1.用户尝试访问WebApp1。
2.WebApp1 生成一个 SAML 身份验证请求。SAML 请求将进行编码并嵌入到SSO 服务的网址中。包含用户尝试访问的 WebApp1 应用程序的编码网址的 RelayState 参数也会嵌入到 SSO 网址中。该 RelayState 参数作为不透明标识符,将直接传回该标识符而不进行任何修改或检查。
3.WebApp1将重定向发送到用户的浏览器。重定向网址包含应向SSO 服务提交的编码 SAML 身份验证请求。
4.SSO(统一认证中心或叫Identity Provider)解码 SAML 请求,并提取 WebApp1的 ACS(声明客户服务)网址以及用户的目标网址(RelayState 参数)。然后,统一认证中心对用户进行身份验证。统一认证中心可能会要求提供有效登录凭据或检查有效会话 Cookie 以验证用户身份。
5.统一认证中心生成一个 SAML 响应,其中包含经过验证的用户的用户名。按照 SAML 2.0 规范,此响应将使用统一认证中心的 DSA/RSA 公钥和私钥进行数字签名。
6.统一认证中心对 SAML 响应和 RelayState 参数进行编码,并将该信息返回到用户的浏览器。统一认证中心提供了一种机制,以便浏览器可以将该信息转发到 WebApp1 ACS。
WebApp1使用统一认证中心的公钥验证 SAML 响应。如果成功验证该响应,ACS 则会将用户重定向到目标网址。
7.用户将重定向到目标网址并登录到 WebApp1。

1.准备工作

获取AliyunMetadata
aliyun saml metadata.xml中指定了阿里云方的证书公钥,数据交换格式NameIDFormat,以及endpoint地址https://signin.aliyun.com/saml/SSO

<?xml version="1.0" encoding="utf-8"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https___signin.aliyun.com_saml_SSO" entityID="https://signin.aliyun.com/saml/SSO">  
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <md:KeyDescriptor use="signing"> 
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
        <ds:X509Data> 
          <ds:X509Certificate>MIIDUTCCAjmgAwIBAgIEIv2v9DANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDTjERMA8GA1UE BxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNhcmExEDAOBgNV BAMTB0FsaWJhYmEwHhcNMTcwMzE0MTc1OTE5WhcNMjcwMzEyMTc1OTE5WjBZMQswCQYDVQQGEwJD TjERMA8GA1UEBxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNh cmExEDAOBgNVBAMTB0FsaWJhYmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqK2HR tf4smv9pCQtPenFE1w6lvxsHiv0J/knvpC1BU4iAWcS8LxAElKb49QbKHuUxcwEGJfm0+zZpqS+J I3jmGc4aHYACyL2WxtKNx/5EK1Qs5ugCipn7g+ySOqXxc/Rv2S7muw6LTrGVTT7vo09EUDkZM34s TupuU7tzX0ktYhimxwskG9o7bvZuQKQf66gN8l/DUzyUl59/0wA1+x5A5B3pvaABCA6dq4mi8mtJ fTXcqWm06+FgVNPgKo59uP6y08rQJXjKDwLIf0owuoiRrPLR5JKC1vQ6PSz0cGv8tGUts5dr/0zG FHy4h3aufQiXCSi44WUB3FejQQfgEiBdAgMBAAGjITAfMB0GA1UdDgQWBBShWN61nZsWz9MYnSrV kCkJnSdFtDANBgkqhkiG9w0BAQsFAAOCAQEAMMAl+C3oyI6kZNmvX05Sb0q6UAM8wqjFKbPhSSiy srjVZwjEjiZnOSnoX8vO07fsZpcVmByHzGXWuBxxKCviCpQCS9hyOTF6bvAoXwe37h02Uhv3tKI0 7FRkXJA7HeB0HEuHPCBxxWVWJfgtkeUETnGV06CrUlGON7Du3h37EUzfTqmKhlsqKeK8uqw3gLYq Bp6ULrP1PbNo2AaHMYaZhFL1dSUtNYvekZppregZKMIDqtEm6Pwpw2lj8gjTC40PQ0GuXEeTsfE5 dhw42xc9RkyUg1Go04k9Z/UMxTX0KVMiRZ9DF2FWjWp1AAQJ3TvZ2Ao/XOhmk4GWRehUoHr7Hw==</ds:X509Certificate> 
        </ds:X509Data> 
      </ds:KeyInfo> 
    </md:KeyDescriptor>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>  
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aliyun.com/saml/SSO" index="0" isDefault="true"/> 
  </md:SPSSODescriptor> 
</md:EntityDescriptor>

获取onalipay.xyz metadata.xml


<?xml version="1.0" encoding="utf-8"?>

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3f71fd07-84e5-4343-915a-9e74ab6108b9" entityID="http://myComputer.onalipay.xyz/adfs/services/trust">  
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
    <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>  
      <ds:Reference URI="#_3f71fd07-84e5-4343-915a-9e74ab6108b9"> 
        <ds:Transforms> 
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        </ds:Transforms>  
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>  
        <ds:DigestValue>V5OSnZNev7S2DYV4MDJ4aiFDXBg5PPYZQ9Q3New34Pk=</ds:DigestValue> 
      </ds:Reference> 
    </ds:SignedInfo>  
    <ds:SignatureValue>DQOdDymLabJtJkBE5RRWc7f1Fla99mkEjSadAW5pLnAxES8Lee8olVNzpa4hEbh0WA5DpTM9f8hgTdCiaMkb7l7I9Woeye2gZLBV1CIXFojuVfrgXSCtJ3CPFpxYDIp+0/uHzh9H/GbAwmsYER4TZ820ieq8hFPZFgU/yc1vNZcfm2ZCGMRDbSHq1XlpIokAmX0YOALaTTj9yhxkSz7uSvyQHHLkBZ98CqutklutXYtl7WT44TGOF7TVenKzWKTrKCG1SApO9BcDoI4ZZ4DEzfQHzVrCpLIuRFx+BlDuzf/1wwmgNdC5ay5TUzvOTyAO/85Efawb1k4K++tCZVjHRA==</ds:SignatureValue>  
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
      <X509Data> 
        <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
      </X509Data> 
    </KeyInfo> 
  </ds:Signature>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:ClaimTypesRequested> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesRequested>  
    <fed:TargetScopes> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>http://mycomputer.onalipay.xyz/adfs/services/trust</Address> 
      </EndpointReference> 
    </fed:TargetScopes>  
    <fed:ApplicationServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference> 
    </fed:ApplicationServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:TokenTypesOffered> 
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>  
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/> 
    </fed:TokenTypesOffered>  
    <fed:ClaimTypesOffered> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesOffered>  
    <fed:SecurityTokenServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/certificatemixed</Address>  
        <Metadata> 
          <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">  
            <wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">  
              <wsx:MetadataReference> 
                <Address xmlns="http://www.w3.org/2005/08/addressing">https://mycomputer.onalipay.xyz/adfs/services/trust/mex</Address> 
              </wsx:MetadataReference> 
            </wsx:MetadataSection> 
          </Metadata> 
        </Metadata> 
      </EndpointReference> 
    </fed:SecurityTokenServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="0" isDefault="true"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="1"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="2"/> 
  </SPSSODescriptor>  
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycomputer.onalipay.xyz/adfs/services/trust/artifactresolution" index="0"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"></Attribute> 
  </IDPSSODescriptor> 
</EntityDescriptor>

这个xml里内容很多阿里云只需要里面的一些内容:
证书公钥,signInUrl,signOutUrl以及entityId
阿里云解析到的信息如下

{
    "requestId": "requestId",
    "samlSsoProperties": {
        "ssoEnabled": true,
        "entityId": "http://myComputer.onalipay.xyz/adfs/services/trust",
        "signInUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "signOutUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "certificate": "MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX",
        "validUntil": "2018-11-01T07:18:36.000UTC"
    },
    "success": true
}

我们将onalpay.xyz的metadata.xml在enterprise.console.aliyun.com企业控制台的人员管理的目录设置->SSO设置中上传并开启sso.并且在域名管理中绑定了一个onalipay.xyz的域名

2.阿里云Saml协议解析

2.1 samlRequest

登录signin.aliyun.com输入账号名 administrator@onalipay.xyz会跳转到地址
https://mycomputer.onalipay.xyz/adfs/ls/?SAMLRequest=hZFPb4IwGMbv%2BxSkdygwFWwE42bMTFxGBHfYrasVaqBlfYuRffqhaOYu7vgmz583v2cyPValdeAahJIR8hwXWVwytRUyj9AmW9ghmsYPE6BV6ddk1phCrvlXw8FYMwCuTed7VhKaiuuU64NgfLNeRagwpgaCMYhcCunQUrSNdJiq8CkKp%2BkbsuZdipDUnKuvhqrtRHVjuHaU7Gw1bZ1j%2B43pdge4BIyshdKMnz%2BJ0I6WwJG1nEeI7oJ9MMrH%2BwELgiL0huO8oNzfe4yGXthpIKEA4sB%2FXQANX0owVJoI%2Ba4X2J5vP7qZOyDekPgjZ%2BB6H8hKtDKKqfJJyJ5LoyVRFAQQSSsOxDCSzl5XxHdc8tmLgLxkWWInb2mGrPcrX%2F%2FEtyMugfRE72fVl2IU9wOQ88f6NuF%2BAL1OhOL%2FB5ng25L4cv4dPf4B&RelayState=https%3A%2F%2Fhome.console.aliyun.com%2F
其中 https://mycomputer.onalipay.xyz/adfs/ls/ 为metadata.xml中配置的signinUrl

SamlRequest是经过了deflated压缩和urlencode的xml数据,解析后的内容如下
SamlRequest解析 https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp

<?xml version="1.0" encoding="utf-8"?>

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://signin.aliyun.com/saml/SSO" Destination="https://mycomputer.onalipay.xyz/adfs/ls/" ForceAuthn="false" ID="af7j76g9j4c77h8159ghae2j1ca818" IsPassive="false" IssueInstant="2017-12-30T04:15:26.401Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://signin.aliyun.com/saml/SSO</saml2:Issuer>
</saml2p:AuthnRequest>

SamlRequest标记了ID,Issuer,IssueInstant,Destination等信息
RelayState说明了认证结束后跳转到的地址:RelayState=home.console.aliyun.com

2.2 SamlResponse

https://mycomputer.onalipay.xyz/adfs/ls/ 接收到samlRequest后会获取当前的用户信息跳转到统一登录中心的登录页登录,登录成功后回给Issuer(https://signin.aliyun.com/saml/SSO)一个SamlResponse包,内容如下:
https://signin.aliyun.com/saml/SSO
Post:
SAMLResponse:
PHNhbWxwOlJlc3BvbnNlIElEPSJfM2I4MTQ2YjAtZWFhOC00NjdjLThmYzctM2RhYjE4YmIwYzI3IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NjJaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iYWY3ajc2ZzlqNGM3N2g4MTU5Z2hhZTJqMWNhODE4IiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmE5NTRhYjUtOGU0Ni00NzgzLWEyNzAtZjBkZmIxNTI4M2Y4IiBJc3N1ZUluc3RhbnQ9IjIwMTctMTItMzBUMDQ6MTU6NDAuODYyWiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2IiAvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZhOTU0YWI1LThlNDYtNDc4My1hMjcwLWYwZGZiMTUyODNmOCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIiAvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiIC8+PGRzOkRpZ2VzdFZhbHVlPjVsUnp2ZndrZ3BjRjlndVpUV2kxeGkzS25rTUVJRytESjFOOUw5TnBVOFE9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPldGM2pkOE1LNm5iL3RtVTJGcUFlZ0QrT2lNUldKbWNoMGJ6MlVGSTlNZVdJYzIyQTQyNmFvYlM3YXpTOS9qK3Q0ODFUS3pkNzFiNHBpTXM1U25jTmM1dy9SZDhNL3lJNUdPQ0psMklXQVVlSlpUb1FycUlkQS9UV0h3Wi85bkVrUU1rYXkrRWt6M293SmhWZ3RZVlJLc2V3SHdDQWpXSWRPdEQ5a041RGxRZmExQTlSenhISVlxMWYxVzlXVTkyRnpWaDN3aEl4MzFpZ3R5K1hid1BtQjZQQnNNS1pFZnB3ckR2ZEcwdE91R1RKOWdtdUVwYVo4QWJxV0RhMENLYkx4a2xwZzV6enVDTTV0ejRRWEJMcEUxWWplb0tkR3BKdVZycS9kaEtENHJzOERXZlFtUG5KL2ZGNlNqV0Z1WVBYUUp1NWFDZU5xMlY4T1dkZTFnUDZPdz09PC9kczpTaWduYXR1cmVWYWx1ZT48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQzZqQ0NBZEtnQXdJQkFnSVFRanhXRGh1YURKQktqdGxrY3ZIYVp6QU5CZ2txaGtpRzl3MEJBUXNGQURBeE1TOHdMUVlEVlFRREV5WkJSRVpUSUZOcFoyNXBibWNnTFNCdGVVTnZiWEIxZEdWeUxtOXVZV3hwY0dGNUxuaDVlakFlRncweE56RXhNREV3TnpFNE16WmFGdzB4T0RFeE1ERXdOekU0TXpaYU1ERXhMekF0QmdOVkJBTVRKa0ZFUmxNZ1UybG5ibWx1WnlBdElHMTVRMjl0Y0hWMFpYSXViMjVoYkdsd1lYa3VlSGw2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE1SkJKL1hsTTJtb045Q0VMZ0xuUzJPQ3ZZZlVlUm9hdWhyN2pGUy9CalRrTXhFNVlYQ3E1ZnU4RFlIcmt4eGFmODFuSERiVlRvdEdqdnBVUzR3L0s4UG4zQVhUb1RBVkZsVTdNOUVjd3FWNVE4R3UzVjQ4NHB5bjhkTUdxWjYwYkZoODRQSHlCeHBCWlNWM0tVNlY2bVZFMTB2cWtoZFFQL3RjVTUwWnNOV05MZDNBUjA2cmE5T2ZuTkdQTmRrWmtZS3dtUnFvcmt6OXNzVkdDRWVyWjUzVFRXZldDam5PajVYMnNwek5OZFJPcXROZ1NFRVVZRmtTRlQzb1V0Sk1vb2FkWCtlM1daWkJuYi8xekthVCtyWndCaG9NSVcvL2VVbnRPSFVLb2JaVE1Ya0xUcktQWVhaeVhnc1o2Nk9NU2hsQlZ3Q1hyRG9QUFhVd01KYUtsdXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFGNWV4NFd6emZQRitZOW1qRUdCaGNSNVFKU2dubjIrMkMySi8wTkozQnVIUC9GUG5IaXl6RUMxK3VqVEI2eDFzVHVnK0lXL2tGVXVJQU1VbmhQckp3bSt1VFhUSVVMbGhmRWdmNWQzZG56dk0zbEFML0FRZkpDOXYyUHhyZ0hoVkV0Z01kMFdDbkhMVFVvWERLQ0RXY0dBN09YeDFmMjNzcnJaTGM5UCsvNFNoWFBrd0x5dWRvNmgxeWZ1SnBGWjBnNHR4dTQrMi9YbG4zYzIrUjAraGNYVi9DSnVNcU43aTNmYVpLcFkrb01pcTRndnZXQWpuNmQ3TnBjWS9vWXQ2bGhiTHNucFhUS1FncTd6RGU3aWtMZUhpUDNJU29udjRyUFI2VVprRFdaaVo0RnBDMWxOMDRsWEUzdGZleHJiOThUbUxrU2RuckFCSER3YmJobW10WDwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9LZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxTdWJqZWN0PjxOYW1lSUQ+QWRtaW5pc3RyYXRvckBvbmFsaXBheS54eXo8L05hbWVJRD48U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89ImFmN2o3Nmc5ajRjNzdoODE1OWdoYWUyajFjYTgxOCIgTm90T25PckFmdGVyPSIyMDE3LTEyLTMwVDA0OjIwOjQwLjg2MloiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgLz48L1N1YmplY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NTVaIiBOb3RPbk9yQWZ0ZXI9IjIwMTctMTItMzBUMDU6MTU6NDAuODU1WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPmh0dHBzOi8vc2lnbmluLmFsaXl1bi5jb20vc2FtbC9TU088L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC43NTdaIiBTZXNzaW9uSW5kZXg9Il82YTk1NGFiNS04ZTQ2LTQ3ODMtYTI3MC1mMGRmYjE1MjgzZjgiPjxBdXRobkNvbnRleHQ+PEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpmZWRlcmF0aW9uOmF1dGhlbnRpY2F0aW9uOndpbmRvd3M8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=
RelayState:
https://home.console.aliyun.com/

SamlResponse base64解码后:

<?xml version="1.0" encoding="utf-8"?>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3b8146b0-eaa8-467c-8fc7-3dab18bb0c27" Version="2.0" IssueInstant="2017-12-30T04:15:40.862Z" Destination="https://signin.aliyun.com/saml/SSO" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="af7j76g9j4c77h8159ghae2j1ca818">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6a954ab5-8e46-4783-a270-f0dfb15283f8" IssueInstant="2017-12-30T04:15:40.862Z" Version="2.0">
    <Issuer>http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_6a954ab5-8e46-4783-a270-f0dfb15283f8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>5lRzvfwkgpcF9guZTWi1xi3KnkMEIG+DJ1N9L9NpU8Q=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WF3jd8MK6nb/tmU2FqAegD+OiMRWJmch0bz2UFI9MeWIc22A426aobS7azS9/j+t481TKzd71b4piMs5SncNc5w/Rd8M/yI5GOCJl2IWAUeJZToQrqIdA/TWHwZ/9nEkQMkay+Ekz3owJhVgtYVRKsewHwCAjWIdOtD9kN5DlQfa1A9RzxHIYq1f1W9WU92FzVh3whIx31igty+XbwPmB6PBsMKZEfpwrDvdG0tOuGTJ9gmuEpaZ8AbqWDa0CKbLxklpg5zzuCM5tz4QXBLpE1YjeoKdGpJuVrq/dhKD4rs8DWfQmPnJ/fF6SjWFuYPXQJu5aCeNq2V8OWde1gP6Ow==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>Administrator@onalipay.xyz</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="af7j76g9j4c77h8159ghae2j1ca818" NotOnOrAfter="2017-12-30T04:20:40.862Z" Recipient="https://signin.aliyun.com/saml/SSO"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-12-30T04:15:40.855Z" NotOnOrAfter="2017-12-30T05:15:40.855Z">
      <AudienceRestriction>
        <Audience>https://signin.aliyun.com/saml/SSO</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-12-30T04:15:40.757Z" SessionIndex="_6a954ab5-8e46-4783-a270-f0dfb15283f8">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

最重要的就是Subject里的NameID属性,阿里云会根据这个信息获取登录成功的账号是谁。
阿里云会以NameID中指定的账号登录成功。
RelayState告诉阿里云方登录成功后跳转到的页面,本例子为home.console.aliyun.com

3.结语

至此我们完成了阿里云Saml SSO登录的流程的分析,后续我们还会介绍阿里云SAML和Shibboleth IDP+LDAP如何打通。

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

分享:
大数据
使用钉钉扫一扫加入圈子
+ 订阅

大数据计算实践乐园,近距离学习前沿技术

其他文章