阿里云子账号SAML SSO流程分析

简介: 0.Saml术语和流程 统一认证中心(Indentity Provider) 此处指客户的统一认证中心服务提供者(Service Provider) 此处指阿里云 此图片说明了以下步骤。1.用户尝试访问WebApp1。

0.Saml术语和流程

统一认证中心(Indentity Provider) 此处指客户的统一认证中心
服务提供者(Service Provider) 此处指阿里云

201111192044014292.gif
此图片说明了以下步骤。
1.用户尝试访问WebApp1。
2.WebApp1 生成一个 SAML 身份验证请求。SAML 请求将进行编码并嵌入到SSO 服务的网址中。包含用户尝试访问的 WebApp1 应用程序的编码网址的 RelayState 参数也会嵌入到 SSO 网址中。该 RelayState 参数作为不透明标识符,将直接传回该标识符而不进行任何修改或检查。
3.WebApp1将重定向发送到用户的浏览器。重定向网址包含应向SSO 服务提交的编码 SAML 身份验证请求。
4.SSO(统一认证中心或叫Identity Provider)解码 SAML 请求,并提取 WebApp1的 ACS(声明客户服务)网址以及用户的目标网址(RelayState 参数)。然后,统一认证中心对用户进行身份验证。统一认证中心可能会要求提供有效登录凭据或检查有效会话 Cookie 以验证用户身份。
5.统一认证中心生成一个 SAML 响应,其中包含经过验证的用户的用户名。按照 SAML 2.0 规范,此响应将使用统一认证中心的 DSA/RSA 公钥和私钥进行数字签名。
6.统一认证中心对 SAML 响应和 RelayState 参数进行编码,并将该信息返回到用户的浏览器。统一认证中心提供了一种机制,以便浏览器可以将该信息转发到 WebApp1 ACS。
WebApp1使用统一认证中心的公钥验证 SAML 响应。如果成功验证该响应,ACS 则会将用户重定向到目标网址。
7.用户将重定向到目标网址并登录到 WebApp1。

1.准备工作

获取AliyunMetadata
aliyun saml metadata.xml中指定了阿里云方的证书公钥,数据交换格式NameIDFormat,以及endpoint地址https://signin.aliyun.com/saml/SSO

<?xml version="1.0" encoding="utf-8"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https___signin.aliyun.com_saml_SSO" entityID="https://signin.aliyun.com/saml/SSO">  
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <md:KeyDescriptor use="signing"> 
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
        <ds:X509Data> 
          <ds:X509Certificate>MIIDUTCCAjmgAwIBAgIEIv2v9DANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDTjERMA8GA1UE BxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNhcmExEDAOBgNV BAMTB0FsaWJhYmEwHhcNMTcwMzE0MTc1OTE5WhcNMjcwMzEyMTc1OTE5WjBZMQswCQYDVQQGEwJD TjERMA8GA1UEBxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNh cmExEDAOBgNVBAMTB0FsaWJhYmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqK2HR tf4smv9pCQtPenFE1w6lvxsHiv0J/knvpC1BU4iAWcS8LxAElKb49QbKHuUxcwEGJfm0+zZpqS+J I3jmGc4aHYACyL2WxtKNx/5EK1Qs5ugCipn7g+ySOqXxc/Rv2S7muw6LTrGVTT7vo09EUDkZM34s TupuU7tzX0ktYhimxwskG9o7bvZuQKQf66gN8l/DUzyUl59/0wA1+x5A5B3pvaABCA6dq4mi8mtJ fTXcqWm06+FgVNPgKo59uP6y08rQJXjKDwLIf0owuoiRrPLR5JKC1vQ6PSz0cGv8tGUts5dr/0zG FHy4h3aufQiXCSi44WUB3FejQQfgEiBdAgMBAAGjITAfMB0GA1UdDgQWBBShWN61nZsWz9MYnSrV kCkJnSdFtDANBgkqhkiG9w0BAQsFAAOCAQEAMMAl+C3oyI6kZNmvX05Sb0q6UAM8wqjFKbPhSSiy srjVZwjEjiZnOSnoX8vO07fsZpcVmByHzGXWuBxxKCviCpQCS9hyOTF6bvAoXwe37h02Uhv3tKI0 7FRkXJA7HeB0HEuHPCBxxWVWJfgtkeUETnGV06CrUlGON7Du3h37EUzfTqmKhlsqKeK8uqw3gLYq Bp6ULrP1PbNo2AaHMYaZhFL1dSUtNYvekZppregZKMIDqtEm6Pwpw2lj8gjTC40PQ0GuXEeTsfE5 dhw42xc9RkyUg1Go04k9Z/UMxTX0KVMiRZ9DF2FWjWp1AAQJ3TvZ2Ao/XOhmk4GWRehUoHr7Hw==</ds:X509Certificate> 
        </ds:X509Data> 
      </ds:KeyInfo> 
    </md:KeyDescriptor>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>  
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aliyun.com/saml/SSO" index="0" isDefault="true"/> 
  </md:SPSSODescriptor> 
</md:EntityDescriptor>

获取onalipay.xyz metadata.xml


<?xml version="1.0" encoding="utf-8"?>

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3f71fd07-84e5-4343-915a-9e74ab6108b9" entityID="http://myComputer.onalipay.xyz/adfs/services/trust">  
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
    <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>  
      <ds:Reference URI="#_3f71fd07-84e5-4343-915a-9e74ab6108b9"> 
        <ds:Transforms> 
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        </ds:Transforms>  
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>  
        <ds:DigestValue>V5OSnZNev7S2DYV4MDJ4aiFDXBg5PPYZQ9Q3New34Pk=</ds:DigestValue> 
      </ds:Reference> 
    </ds:SignedInfo>  
    <ds:SignatureValue>DQOdDymLabJtJkBE5RRWc7f1Fla99mkEjSadAW5pLnAxES8Lee8olVNzpa4hEbh0WA5DpTM9f8hgTdCiaMkb7l7I9Woeye2gZLBV1CIXFojuVfrgXSCtJ3CPFpxYDIp+0/uHzh9H/GbAwmsYER4TZ820ieq8hFPZFgU/yc1vNZcfm2ZCGMRDbSHq1XlpIokAmX0YOALaTTj9yhxkSz7uSvyQHHLkBZ98CqutklutXYtl7WT44TGOF7TVenKzWKTrKCG1SApO9BcDoI4ZZ4DEzfQHzVrCpLIuRFx+BlDuzf/1wwmgNdC5ay5TUzvOTyAO/85Efawb1k4K++tCZVjHRA==</ds:SignatureValue>  
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
      <X509Data> 
        <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
      </X509Data> 
    </KeyInfo> 
  </ds:Signature>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:ClaimTypesRequested> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesRequested>  
    <fed:TargetScopes> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>http://mycomputer.onalipay.xyz/adfs/services/trust</Address> 
      </EndpointReference> 
    </fed:TargetScopes>  
    <fed:ApplicationServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference> 
    </fed:ApplicationServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:TokenTypesOffered> 
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>  
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/> 
    </fed:TokenTypesOffered>  
    <fed:ClaimTypesOffered> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesOffered>  
    <fed:SecurityTokenServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/certificatemixed</Address>  
        <Metadata> 
          <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">  
            <wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">  
              <wsx:MetadataReference> 
                <Address xmlns="http://www.w3.org/2005/08/addressing">https://mycomputer.onalipay.xyz/adfs/services/trust/mex</Address> 
              </wsx:MetadataReference> 
            </wsx:MetadataSection> 
          </Metadata> 
        </Metadata> 
      </EndpointReference> 
    </fed:SecurityTokenServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="0" isDefault="true"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="1"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="2"/> 
  </SPSSODescriptor>  
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycomputer.onalipay.xyz/adfs/services/trust/artifactresolution" index="0"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"></Attribute> 
  </IDPSSODescriptor> 
</EntityDescriptor>

这个xml里内容很多阿里云只需要里面的一些内容:
证书公钥,signInUrl,signOutUrl以及entityId
阿里云解析到的信息如下

{
    "requestId": "requestId",
    "samlSsoProperties": {
        "ssoEnabled": true,
        "entityId": "http://myComputer.onalipay.xyz/adfs/services/trust",
        "signInUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "signOutUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "certificate": "MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX",
        "validUntil": "2018-11-01T07:18:36.000UTC"
    },
    "success": true
}

我们将onalpay.xyz的metadata.xml在enterprise.console.aliyun.com企业控制台的人员管理的目录设置->SSO设置中上传并开启sso.并且在域名管理中绑定了一个onalipay.xyz的域名

2.阿里云Saml协议解析

2.1 samlRequest

登录signin.aliyun.com输入账号名 administrator@onalipay.xyz会跳转到地址
https://mycomputer.onalipay.xyz/adfs/ls/?SAMLRequest=hZFPb4IwGMbv%2BxSkdygwFWwE42bMTFxGBHfYrasVaqBlfYuRffqhaOYu7vgmz583v2cyPValdeAahJIR8hwXWVwytRUyj9AmW9ghmsYPE6BV6ddk1phCrvlXw8FYMwCuTed7VhKaiuuU64NgfLNeRagwpgaCMYhcCunQUrSNdJiq8CkKp%2BkbsuZdipDUnKuvhqrtRHVjuHaU7Gw1bZ1j%2B43pdge4BIyshdKMnz%2BJ0I6WwJG1nEeI7oJ9MMrH%2BwELgiL0huO8oNzfe4yGXthpIKEA4sB%2FXQANX0owVJoI%2Ba4X2J5vP7qZOyDekPgjZ%2BB6H8hKtDKKqfJJyJ5LoyVRFAQQSSsOxDCSzl5XxHdc8tmLgLxkWWInb2mGrPcrX%2F%2FEtyMugfRE72fVl2IU9wOQ88f6NuF%2BAL1OhOL%2FB5ng25L4cv4dPf4B&RelayState=https%3A%2F%2Fhome.console.aliyun.com%2F
其中 https://mycomputer.onalipay.xyz/adfs/ls/ 为metadata.xml中配置的signinUrl

SamlRequest是经过了deflated压缩和urlencode的xml数据,解析后的内容如下
SamlRequest解析 https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp

<?xml version="1.0" encoding="utf-8"?>

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://signin.aliyun.com/saml/SSO" Destination="https://mycomputer.onalipay.xyz/adfs/ls/" ForceAuthn="false" ID="af7j76g9j4c77h8159ghae2j1ca818" IsPassive="false" IssueInstant="2017-12-30T04:15:26.401Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://signin.aliyun.com/saml/SSO</saml2:Issuer>
</saml2p:AuthnRequest>

SamlRequest标记了ID,Issuer,IssueInstant,Destination等信息
RelayState说明了认证结束后跳转到的地址:RelayState=home.console.aliyun.com

2.2 SamlResponse

https://mycomputer.onalipay.xyz/adfs/ls/ 接收到samlRequest后会获取当前的用户信息跳转到统一登录中心的登录页登录,登录成功后回给Issuer(https://signin.aliyun.com/saml/SSO)一个SamlResponse包,内容如下:
https://signin.aliyun.com/saml/SSO
Post:
SAMLResponse:
PHNhbWxwOlJlc3BvbnNlIElEPSJfM2I4MTQ2YjAtZWFhOC00NjdjLThmYzctM2RhYjE4YmIwYzI3IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NjJaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iYWY3ajc2ZzlqNGM3N2g4MTU5Z2hhZTJqMWNhODE4IiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmE5NTRhYjUtOGU0Ni00NzgzLWEyNzAtZjBkZmIxNTI4M2Y4IiBJc3N1ZUluc3RhbnQ9IjIwMTctMTItMzBUMDQ6MTU6NDAuODYyWiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2IiAvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZhOTU0YWI1LThlNDYtNDc4My1hMjcwLWYwZGZiMTUyODNmOCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIiAvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiIC8+PGRzOkRpZ2VzdFZhbHVlPjVsUnp2ZndrZ3BjRjlndVpUV2kxeGkzS25rTUVJRytESjFOOUw5TnBVOFE9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPldGM2pkOE1LNm5iL3RtVTJGcUFlZ0QrT2lNUldKbWNoMGJ6MlVGSTlNZVdJYzIyQTQyNmFvYlM3YXpTOS9qK3Q0ODFUS3pkNzFiNHBpTXM1U25jTmM1dy9SZDhNL3lJNUdPQ0psMklXQVVlSlpUb1FycUlkQS9UV0h3Wi85bkVrUU1rYXkrRWt6M293SmhWZ3RZVlJLc2V3SHdDQWpXSWRPdEQ5a041RGxRZmExQTlSenhISVlxMWYxVzlXVTkyRnpWaDN3aEl4MzFpZ3R5K1hid1BtQjZQQnNNS1pFZnB3ckR2ZEcwdE91R1RKOWdtdUVwYVo4QWJxV0RhMENLYkx4a2xwZzV6enVDTTV0ejRRWEJMcEUxWWplb0tkR3BKdVZycS9kaEtENHJzOERXZlFtUG5KL2ZGNlNqV0Z1WVBYUUp1NWFDZU5xMlY4T1dkZTFnUDZPdz09PC9kczpTaWduYXR1cmVWYWx1ZT48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQzZqQ0NBZEtnQXdJQkFnSVFRanhXRGh1YURKQktqdGxrY3ZIYVp6QU5CZ2txaGtpRzl3MEJBUXNGQURBeE1TOHdMUVlEVlFRREV5WkJSRVpUSUZOcFoyNXBibWNnTFNCdGVVTnZiWEIxZEdWeUxtOXVZV3hwY0dGNUxuaDVlakFlRncweE56RXhNREV3TnpFNE16WmFGdzB4T0RFeE1ERXdOekU0TXpaYU1ERXhMekF0QmdOVkJBTVRKa0ZFUmxNZ1UybG5ibWx1WnlBdElHMTVRMjl0Y0hWMFpYSXViMjVoYkdsd1lYa3VlSGw2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE1SkJKL1hsTTJtb045Q0VMZ0xuUzJPQ3ZZZlVlUm9hdWhyN2pGUy9CalRrTXhFNVlYQ3E1ZnU4RFlIcmt4eGFmODFuSERiVlRvdEdqdnBVUzR3L0s4UG4zQVhUb1RBVkZsVTdNOUVjd3FWNVE4R3UzVjQ4NHB5bjhkTUdxWjYwYkZoODRQSHlCeHBCWlNWM0tVNlY2bVZFMTB2cWtoZFFQL3RjVTUwWnNOV05MZDNBUjA2cmE5T2ZuTkdQTmRrWmtZS3dtUnFvcmt6OXNzVkdDRWVyWjUzVFRXZldDam5PajVYMnNwek5OZFJPcXROZ1NFRVVZRmtTRlQzb1V0Sk1vb2FkWCtlM1daWkJuYi8xekthVCtyWndCaG9NSVcvL2VVbnRPSFVLb2JaVE1Ya0xUcktQWVhaeVhnc1o2Nk9NU2hsQlZ3Q1hyRG9QUFhVd01KYUtsdXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFGNWV4NFd6emZQRitZOW1qRUdCaGNSNVFKU2dubjIrMkMySi8wTkozQnVIUC9GUG5IaXl6RUMxK3VqVEI2eDFzVHVnK0lXL2tGVXVJQU1VbmhQckp3bSt1VFhUSVVMbGhmRWdmNWQzZG56dk0zbEFML0FRZkpDOXYyUHhyZ0hoVkV0Z01kMFdDbkhMVFVvWERLQ0RXY0dBN09YeDFmMjNzcnJaTGM5UCsvNFNoWFBrd0x5dWRvNmgxeWZ1SnBGWjBnNHR4dTQrMi9YbG4zYzIrUjAraGNYVi9DSnVNcU43aTNmYVpLcFkrb01pcTRndnZXQWpuNmQ3TnBjWS9vWXQ2bGhiTHNucFhUS1FncTd6RGU3aWtMZUhpUDNJU29udjRyUFI2VVprRFdaaVo0RnBDMWxOMDRsWEUzdGZleHJiOThUbUxrU2RuckFCSER3YmJobW10WDwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9LZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxTdWJqZWN0PjxOYW1lSUQ+QWRtaW5pc3RyYXRvckBvbmFsaXBheS54eXo8L05hbWVJRD48U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89ImFmN2o3Nmc5ajRjNzdoODE1OWdoYWUyajFjYTgxOCIgTm90T25PckFmdGVyPSIyMDE3LTEyLTMwVDA0OjIwOjQwLjg2MloiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgLz48L1N1YmplY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NTVaIiBOb3RPbk9yQWZ0ZXI9IjIwMTctMTItMzBUMDU6MTU6NDAuODU1WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPmh0dHBzOi8vc2lnbmluLmFsaXl1bi5jb20vc2FtbC9TU088L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC43NTdaIiBTZXNzaW9uSW5kZXg9Il82YTk1NGFiNS04ZTQ2LTQ3ODMtYTI3MC1mMGRmYjE1MjgzZjgiPjxBdXRobkNvbnRleHQ+PEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpmZWRlcmF0aW9uOmF1dGhlbnRpY2F0aW9uOndpbmRvd3M8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=
RelayState:
https://home.console.aliyun.com/

SamlResponse base64解码后:

<?xml version="1.0" encoding="utf-8"?>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3b8146b0-eaa8-467c-8fc7-3dab18bb0c27" Version="2.0" IssueInstant="2017-12-30T04:15:40.862Z" Destination="https://signin.aliyun.com/saml/SSO" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="af7j76g9j4c77h8159ghae2j1ca818">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6a954ab5-8e46-4783-a270-f0dfb15283f8" IssueInstant="2017-12-30T04:15:40.862Z" Version="2.0">
    <Issuer>http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_6a954ab5-8e46-4783-a270-f0dfb15283f8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>5lRzvfwkgpcF9guZTWi1xi3KnkMEIG+DJ1N9L9NpU8Q=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WF3jd8MK6nb/tmU2FqAegD+OiMRWJmch0bz2UFI9MeWIc22A426aobS7azS9/j+t481TKzd71b4piMs5SncNc5w/Rd8M/yI5GOCJl2IWAUeJZToQrqIdA/TWHwZ/9nEkQMkay+Ekz3owJhVgtYVRKsewHwCAjWIdOtD9kN5DlQfa1A9RzxHIYq1f1W9WU92FzVh3whIx31igty+XbwPmB6PBsMKZEfpwrDvdG0tOuGTJ9gmuEpaZ8AbqWDa0CKbLxklpg5zzuCM5tz4QXBLpE1YjeoKdGpJuVrq/dhKD4rs8DWfQmPnJ/fF6SjWFuYPXQJu5aCeNq2V8OWde1gP6Ow==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>Administrator@onalipay.xyz</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="af7j76g9j4c77h8159ghae2j1ca818" NotOnOrAfter="2017-12-30T04:20:40.862Z" Recipient="https://signin.aliyun.com/saml/SSO"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-12-30T04:15:40.855Z" NotOnOrAfter="2017-12-30T05:15:40.855Z">
      <AudienceRestriction>
        <Audience>https://signin.aliyun.com/saml/SSO</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-12-30T04:15:40.757Z" SessionIndex="_6a954ab5-8e46-4783-a270-f0dfb15283f8">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

最重要的就是Subject里的NameID属性,阿里云会根据这个信息获取登录成功的账号是谁。
阿里云会以NameID中指定的账号登录成功。
RelayState告诉阿里云方登录成功后跳转到的页面,本例子为home.console.aliyun.com

3.结语

至此我们完成了阿里云Saml SSO登录的流程的分析,后续我们还会介绍阿里云SAML和Shibboleth IDP+LDAP如何打通。

目录
相关文章
|
4天前
|
存储 弹性计算 Linux
阿里云账号注册、完成实名认证、试用云服务器和购买云服务器流程参考
本文为大家介绍新手用户从注册阿里云账号,完成实名认证,然后试用云服务器和购买云服务器的主要流程,适合初次购买和试用阿里云服务器的新手用户参考。
阿里云账号注册、完成实名认证、试用云服务器和购买云服务器流程参考
阿里云域名购买注册流程_创建信息模板_域名实名认证全流程
阿里云域名注册指南:访问[阿里云域名注册入口,查询并注册心仪域名,选择后缀,加入清单后结算。价格因后缀而异,如.com首年78元。创建域名信息模板完成实名认证,首次需上传资料。获取优惠口令并使用可享折扣
软著干货:阿里云软件著作权申请流程及费用(快速下证)
阿里云软件著作权申请涉及账号注册、实名认证和选择服务。在阿里云官网注册账号,通过实名认证后,选择计算机软件著作权登记服务,如普通359元/件或加急1080元/件。在线填写申请表单,经过阿里云初审、授权提交、打印申请表并邮寄材料。版权中心审查后,20个工作日内可领取证书。详细流程见阿里云百科相关指南。
|
26天前
|
人工智能 前端开发 JavaScript
阿里云安全类云产品,验证码使用时滑动验证流程及线上问题排查
阿里云验证码产品,使用业界先进的风控引擎结合“规则+AI”模型,有效区分真实用户和机器自动化脚本攻击,避免机器请求造成业务损失。主要适用于垃圾注册、刷库撞库,薅羊毛,短信被刷等风险场景。为您提供安全可靠的业务环境。本文为大家介绍验证码使用时滑动验证流程及验证不通过的问题排查。
64809 5
阿里云安全类云产品,验证码使用时滑动验证流程及线上问题排查
|
25天前
|
云安全 算法 数据建模
阿里云SSL证书免费版申请流程,收费版证书收费标准及证书类型选择参考
SSL证书是实现网站https访问必须购买的云安全类产品,现在很多用户在网站做好之后,下一步通常都是给网站域名购买SSL证书实现网站的https访问,阿里云提供申请SSL证书服务,现在每个阿里云个人或企业用户(以实名认证为准)每年可以一次性申请20张免费Digicert DV单域名试用证书(以下简称免费证书),本文为大家介绍具体的申请流程和收费证书的最新收费标准以及不同种类的证书选择参考。
阿里云SSL证书免费版申请流程,收费版证书收费标准及证书类型选择参考
|
1月前
|
数据处理 云计算
阿里云中小企业专享上云权益与上云抵扣金申请流程参考
阿里云针对企业用户推出上云权益和上云抵扣金福利。中小企业如未在阿里云活动页找到适合的产品或解决方案,可通过专门通道申请上云权益,阿里云将派专人提供解决方案和优惠。此外,阿里云为初创企业推出了创业者计划,成功加入该计划后,阿里云为初创企业提供最低3500元、最高100万元的上云抵扣金,助其零成本享受云资源和技术服务。这些措施简化申请流程,为中小企业提供实质性经济支持,让其更轻松享受云技术的便利。
阿里云中小企业专享上云权益与上云抵扣金申请流程参考
|
1月前
|
存储 弹性计算 安全
阿里云创业者计划解读,创业者计划主要内容、申请流程及常见问题解答
目前越来越多的初创企业开始意识到云计算在提升业务效率和降低成本方面的重要性。但是对于许多初创企业来说,由于缺乏技术资源和资金,上云之路并不平坦。为了解决这一问题,阿里云推出了创业者计划,旨在为初创企业提供全方位的赋能与服务,助力其在阿里云上快速构建自己的业务,开启智能时代创业新范式。
阿里云创业者计划解读,创业者计划主要内容、申请流程及常见问题解答
|
1月前
|
存储 小程序 数据库
阿里云学生服务器申请流程_学生党免费领7个月学生机
阿里云2024年推出学生优惠,大陆在籍学生可免费申领7个月学生服务器,配置为2核2G,无限流量,含独立IP。学生需注册账号、完成实名及学生认证,首月免费,完成任务可续费6个月。此外,还有300元无门槛优惠券可在阿里云高校计划中领取,适用于多种云产品。申请及优惠详情见官方链接。
1483 3
阿里云学生服务器申请流程_学生党免费领7个月学生机
|
1月前
|
域名解析 网络协议 CDN
网站接入阿里云CDN实现域名加速全流程
阿小云网站已通过ICP备案在广州节点上线,但为提升全国用户访问速度,计划接入CDN。以下是4步CDN接入教程:1) 开通阿里云CDN服务;2) 添加加速域名;3) 使用DNS解析验证域名归属权;4) 配置CNAME实现域名与CDN节点关联。详细指南见阿里云CDN官方文档。
|
1月前
|
人工智能 安全 云计算
阿里云服务器购买之后发票如何申请?申请发票流程及常见问题参考
申请发票是很多用户尤其是企业级用户在购买完阿里云服务器之后非常关注的问题,对于初次购买阿里云服务器的用户来说,往往并不清楚如何找阿里云申请发票,本文以图文形式为大家介绍阿里云服务器购买完成之后申请发票的详细流程以及常见问题。
阿里云服务器购买之后发票如何申请?申请发票流程及常见问题参考

热门文章

最新文章