阿里云子账号SAML SSO流程分析

本文涉及的产品
云解析 DNS,旗舰版 1个月
全局流量管理 GTM,标准版 1个月
公共DNS(含HTTPDNS解析),每月1000万次HTTP解析
简介: 0.Saml术语和流程 统一认证中心(Indentity Provider) 此处指客户的统一认证中心服务提供者(Service Provider) 此处指阿里云 此图片说明了以下步骤。1.用户尝试访问WebApp1。

0.Saml术语和流程

统一认证中心(Indentity Provider) 此处指客户的统一认证中心
服务提供者(Service Provider) 此处指阿里云

201111192044014292.gif
此图片说明了以下步骤。
1.用户尝试访问WebApp1。
2.WebApp1 生成一个 SAML 身份验证请求。SAML 请求将进行编码并嵌入到SSO 服务的网址中。包含用户尝试访问的 WebApp1 应用程序的编码网址的 RelayState 参数也会嵌入到 SSO 网址中。该 RelayState 参数作为不透明标识符,将直接传回该标识符而不进行任何修改或检查。
3.WebApp1将重定向发送到用户的浏览器。重定向网址包含应向SSO 服务提交的编码 SAML 身份验证请求。
4.SSO(统一认证中心或叫Identity Provider)解码 SAML 请求,并提取 WebApp1的 ACS(声明客户服务)网址以及用户的目标网址(RelayState 参数)。然后,统一认证中心对用户进行身份验证。统一认证中心可能会要求提供有效登录凭据或检查有效会话 Cookie 以验证用户身份。
5.统一认证中心生成一个 SAML 响应,其中包含经过验证的用户的用户名。按照 SAML 2.0 规范,此响应将使用统一认证中心的 DSA/RSA 公钥和私钥进行数字签名。
6.统一认证中心对 SAML 响应和 RelayState 参数进行编码,并将该信息返回到用户的浏览器。统一认证中心提供了一种机制,以便浏览器可以将该信息转发到 WebApp1 ACS。
WebApp1使用统一认证中心的公钥验证 SAML 响应。如果成功验证该响应,ACS 则会将用户重定向到目标网址。
7.用户将重定向到目标网址并登录到 WebApp1。

1.准备工作

获取AliyunMetadata
aliyun saml metadata.xml中指定了阿里云方的证书公钥,数据交换格式NameIDFormat,以及endpoint地址https://signin.aliyun.com/saml/SSO

<?xml version="1.0" encoding="utf-8"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https___signin.aliyun.com_saml_SSO" entityID="https://signin.aliyun.com/saml/SSO">  
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <md:KeyDescriptor use="signing"> 
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
        <ds:X509Data> 
          <ds:X509Certificate>MIIDUTCCAjmgAwIBAgIEIv2v9DANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDTjERMA8GA1UE BxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNhcmExEDAOBgNV BAMTB0FsaWJhYmEwHhcNMTcwMzE0MTc1OTE5WhcNMjcwMzEyMTc1OTE5WjBZMQswCQYDVQQGEwJD TjERMA8GA1UEBxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNh cmExEDAOBgNVBAMTB0FsaWJhYmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqK2HR tf4smv9pCQtPenFE1w6lvxsHiv0J/knvpC1BU4iAWcS8LxAElKb49QbKHuUxcwEGJfm0+zZpqS+J I3jmGc4aHYACyL2WxtKNx/5EK1Qs5ugCipn7g+ySOqXxc/Rv2S7muw6LTrGVTT7vo09EUDkZM34s TupuU7tzX0ktYhimxwskG9o7bvZuQKQf66gN8l/DUzyUl59/0wA1+x5A5B3pvaABCA6dq4mi8mtJ fTXcqWm06+FgVNPgKo59uP6y08rQJXjKDwLIf0owuoiRrPLR5JKC1vQ6PSz0cGv8tGUts5dr/0zG FHy4h3aufQiXCSi44WUB3FejQQfgEiBdAgMBAAGjITAfMB0GA1UdDgQWBBShWN61nZsWz9MYnSrV kCkJnSdFtDANBgkqhkiG9w0BAQsFAAOCAQEAMMAl+C3oyI6kZNmvX05Sb0q6UAM8wqjFKbPhSSiy srjVZwjEjiZnOSnoX8vO07fsZpcVmByHzGXWuBxxKCviCpQCS9hyOTF6bvAoXwe37h02Uhv3tKI0 7FRkXJA7HeB0HEuHPCBxxWVWJfgtkeUETnGV06CrUlGON7Du3h37EUzfTqmKhlsqKeK8uqw3gLYq Bp6ULrP1PbNo2AaHMYaZhFL1dSUtNYvekZppregZKMIDqtEm6Pwpw2lj8gjTC40PQ0GuXEeTsfE5 dhw42xc9RkyUg1Go04k9Z/UMxTX0KVMiRZ9DF2FWjWp1AAQJ3TvZ2Ao/XOhmk4GWRehUoHr7Hw==</ds:X509Certificate> 
        </ds:X509Data> 
      </ds:KeyInfo> 
    </md:KeyDescriptor>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>  
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aliyun.com/saml/SSO" index="0" isDefault="true"/> 
  </md:SPSSODescriptor> 
</md:EntityDescriptor>

获取onalipay.xyz metadata.xml


<?xml version="1.0" encoding="utf-8"?>

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3f71fd07-84e5-4343-915a-9e74ab6108b9" entityID="http://myComputer.onalipay.xyz/adfs/services/trust">  
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
    <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>  
      <ds:Reference URI="#_3f71fd07-84e5-4343-915a-9e74ab6108b9"> 
        <ds:Transforms> 
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        </ds:Transforms>  
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>  
        <ds:DigestValue>V5OSnZNev7S2DYV4MDJ4aiFDXBg5PPYZQ9Q3New34Pk=</ds:DigestValue> 
      </ds:Reference> 
    </ds:SignedInfo>  
    <ds:SignatureValue>DQOdDymLabJtJkBE5RRWc7f1Fla99mkEjSadAW5pLnAxES8Lee8olVNzpa4hEbh0WA5DpTM9f8hgTdCiaMkb7l7I9Woeye2gZLBV1CIXFojuVfrgXSCtJ3CPFpxYDIp+0/uHzh9H/GbAwmsYER4TZ820ieq8hFPZFgU/yc1vNZcfm2ZCGMRDbSHq1XlpIokAmX0YOALaTTj9yhxkSz7uSvyQHHLkBZ98CqutklutXYtl7WT44TGOF7TVenKzWKTrKCG1SApO9BcDoI4ZZ4DEzfQHzVrCpLIuRFx+BlDuzf/1wwmgNdC5ay5TUzvOTyAO/85Efawb1k4K++tCZVjHRA==</ds:SignatureValue>  
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
      <X509Data> 
        <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
      </X509Data> 
    </KeyInfo> 
  </ds:Signature>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:ClaimTypesRequested> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesRequested>  
    <fed:TargetScopes> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>http://mycomputer.onalipay.xyz/adfs/services/trust</Address> 
      </EndpointReference> 
    </fed:TargetScopes>  
    <fed:ApplicationServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference> 
    </fed:ApplicationServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:TokenTypesOffered> 
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>  
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/> 
    </fed:TokenTypesOffered>  
    <fed:ClaimTypesOffered> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesOffered>  
    <fed:SecurityTokenServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/certificatemixed</Address>  
        <Metadata> 
          <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">  
            <wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">  
              <wsx:MetadataReference> 
                <Address xmlns="http://www.w3.org/2005/08/addressing">https://mycomputer.onalipay.xyz/adfs/services/trust/mex</Address> 
              </wsx:MetadataReference> 
            </wsx:MetadataSection> 
          </Metadata> 
        </Metadata> 
      </EndpointReference> 
    </fed:SecurityTokenServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="0" isDefault="true"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="1"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="2"/> 
  </SPSSODescriptor>  
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycomputer.onalipay.xyz/adfs/services/trust/artifactresolution" index="0"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"></Attribute> 
  </IDPSSODescriptor> 
</EntityDescriptor>

这个xml里内容很多阿里云只需要里面的一些内容:
证书公钥,signInUrl,signOutUrl以及entityId
阿里云解析到的信息如下

{
    "requestId": "requestId",
    "samlSsoProperties": {
        "ssoEnabled": true,
        "entityId": "http://myComputer.onalipay.xyz/adfs/services/trust",
        "signInUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "signOutUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "certificate": "MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX",
        "validUntil": "2018-11-01T07:18:36.000UTC"
    },
    "success": true
}

我们将onalpay.xyz的metadata.xml在enterprise.console.aliyun.com企业控制台的人员管理的目录设置->SSO设置中上传并开启sso.并且在域名管理中绑定了一个onalipay.xyz的域名

2.阿里云Saml协议解析

2.1 samlRequest

登录signin.aliyun.com输入账号名 administrator@onalipay.xyz会跳转到地址
https://mycomputer.onalipay.xyz/adfs/ls/?SAMLRequest=hZFPb4IwGMbv%2BxSkdygwFWwE42bMTFxGBHfYrasVaqBlfYuRffqhaOYu7vgmz583v2cyPValdeAahJIR8hwXWVwytRUyj9AmW9ghmsYPE6BV6ddk1phCrvlXw8FYMwCuTed7VhKaiuuU64NgfLNeRagwpgaCMYhcCunQUrSNdJiq8CkKp%2BkbsuZdipDUnKuvhqrtRHVjuHaU7Gw1bZ1j%2B43pdge4BIyshdKMnz%2BJ0I6WwJG1nEeI7oJ9MMrH%2BwELgiL0huO8oNzfe4yGXthpIKEA4sB%2FXQANX0owVJoI%2Ba4X2J5vP7qZOyDekPgjZ%2BB6H8hKtDKKqfJJyJ5LoyVRFAQQSSsOxDCSzl5XxHdc8tmLgLxkWWInb2mGrPcrX%2F%2FEtyMugfRE72fVl2IU9wOQ88f6NuF%2BAL1OhOL%2FB5ng25L4cv4dPf4B&RelayState=https%3A%2F%2Fhome.console.aliyun.com%2F
其中 https://mycomputer.onalipay.xyz/adfs/ls/ 为metadata.xml中配置的signinUrl

SamlRequest是经过了deflated压缩和urlencode的xml数据,解析后的内容如下
SamlRequest解析 https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp

<?xml version="1.0" encoding="utf-8"?>

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://signin.aliyun.com/saml/SSO" Destination="https://mycomputer.onalipay.xyz/adfs/ls/" ForceAuthn="false" ID="af7j76g9j4c77h8159ghae2j1ca818" IsPassive="false" IssueInstant="2017-12-30T04:15:26.401Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://signin.aliyun.com/saml/SSO</saml2:Issuer>
</saml2p:AuthnRequest>

SamlRequest标记了ID,Issuer,IssueInstant,Destination等信息
RelayState说明了认证结束后跳转到的地址:RelayState=home.console.aliyun.com

2.2 SamlResponse

https://mycomputer.onalipay.xyz/adfs/ls/ 接收到samlRequest后会获取当前的用户信息跳转到统一登录中心的登录页登录,登录成功后回给Issuer(https://signin.aliyun.com/saml/SSO)一个SamlResponse包,内容如下:
https://signin.aliyun.com/saml/SSO
Post:
SAMLResponse:
PHNhbWxwOlJlc3BvbnNlIElEPSJfM2I4MTQ2YjAtZWFhOC00NjdjLThmYzctM2RhYjE4YmIwYzI3IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NjJaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iYWY3ajc2ZzlqNGM3N2g4MTU5Z2hhZTJqMWNhODE4IiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmE5NTRhYjUtOGU0Ni00NzgzLWEyNzAtZjBkZmIxNTI4M2Y4IiBJc3N1ZUluc3RhbnQ9IjIwMTctMTItMzBUMDQ6MTU6NDAuODYyWiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2IiAvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZhOTU0YWI1LThlNDYtNDc4My1hMjcwLWYwZGZiMTUyODNmOCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIiAvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiIC8+PGRzOkRpZ2VzdFZhbHVlPjVsUnp2ZndrZ3BjRjlndVpUV2kxeGkzS25rTUVJRytESjFOOUw5TnBVOFE9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPldGM2pkOE1LNm5iL3RtVTJGcUFlZ0QrT2lNUldKbWNoMGJ6MlVGSTlNZVdJYzIyQTQyNmFvYlM3YXpTOS9qK3Q0ODFUS3pkNzFiNHBpTXM1U25jTmM1dy9SZDhNL3lJNUdPQ0psMklXQVVlSlpUb1FycUlkQS9UV0h3Wi85bkVrUU1rYXkrRWt6M293SmhWZ3RZVlJLc2V3SHdDQWpXSWRPdEQ5a041RGxRZmExQTlSenhISVlxMWYxVzlXVTkyRnpWaDN3aEl4MzFpZ3R5K1hid1BtQjZQQnNNS1pFZnB3ckR2ZEcwdE91R1RKOWdtdUVwYVo4QWJxV0RhMENLYkx4a2xwZzV6enVDTTV0ejRRWEJMcEUxWWplb0tkR3BKdVZycS9kaEtENHJzOERXZlFtUG5KL2ZGNlNqV0Z1WVBYUUp1NWFDZU5xMlY4T1dkZTFnUDZPdz09PC9kczpTaWduYXR1cmVWYWx1ZT48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQzZqQ0NBZEtnQXdJQkFnSVFRanhXRGh1YURKQktqdGxrY3ZIYVp6QU5CZ2txaGtpRzl3MEJBUXNGQURBeE1TOHdMUVlEVlFRREV5WkJSRVpUSUZOcFoyNXBibWNnTFNCdGVVTnZiWEIxZEdWeUxtOXVZV3hwY0dGNUxuaDVlakFlRncweE56RXhNREV3TnpFNE16WmFGdzB4T0RFeE1ERXdOekU0TXpaYU1ERXhMekF0QmdOVkJBTVRKa0ZFUmxNZ1UybG5ibWx1WnlBdElHMTVRMjl0Y0hWMFpYSXViMjVoYkdsd1lYa3VlSGw2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE1SkJKL1hsTTJtb045Q0VMZ0xuUzJPQ3ZZZlVlUm9hdWhyN2pGUy9CalRrTXhFNVlYQ3E1ZnU4RFlIcmt4eGFmODFuSERiVlRvdEdqdnBVUzR3L0s4UG4zQVhUb1RBVkZsVTdNOUVjd3FWNVE4R3UzVjQ4NHB5bjhkTUdxWjYwYkZoODRQSHlCeHBCWlNWM0tVNlY2bVZFMTB2cWtoZFFQL3RjVTUwWnNOV05MZDNBUjA2cmE5T2ZuTkdQTmRrWmtZS3dtUnFvcmt6OXNzVkdDRWVyWjUzVFRXZldDam5PajVYMnNwek5OZFJPcXROZ1NFRVVZRmtTRlQzb1V0Sk1vb2FkWCtlM1daWkJuYi8xekthVCtyWndCaG9NSVcvL2VVbnRPSFVLb2JaVE1Ya0xUcktQWVhaeVhnc1o2Nk9NU2hsQlZ3Q1hyRG9QUFhVd01KYUtsdXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFGNWV4NFd6emZQRitZOW1qRUdCaGNSNVFKU2dubjIrMkMySi8wTkozQnVIUC9GUG5IaXl6RUMxK3VqVEI2eDFzVHVnK0lXL2tGVXVJQU1VbmhQckp3bSt1VFhUSVVMbGhmRWdmNWQzZG56dk0zbEFML0FRZkpDOXYyUHhyZ0hoVkV0Z01kMFdDbkhMVFVvWERLQ0RXY0dBN09YeDFmMjNzcnJaTGM5UCsvNFNoWFBrd0x5dWRvNmgxeWZ1SnBGWjBnNHR4dTQrMi9YbG4zYzIrUjAraGNYVi9DSnVNcU43aTNmYVpLcFkrb01pcTRndnZXQWpuNmQ3TnBjWS9vWXQ2bGhiTHNucFhUS1FncTd6RGU3aWtMZUhpUDNJU29udjRyUFI2VVprRFdaaVo0RnBDMWxOMDRsWEUzdGZleHJiOThUbUxrU2RuckFCSER3YmJobW10WDwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9LZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxTdWJqZWN0PjxOYW1lSUQ+QWRtaW5pc3RyYXRvckBvbmFsaXBheS54eXo8L05hbWVJRD48U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89ImFmN2o3Nmc5ajRjNzdoODE1OWdoYWUyajFjYTgxOCIgTm90T25PckFmdGVyPSIyMDE3LTEyLTMwVDA0OjIwOjQwLjg2MloiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgLz48L1N1YmplY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NTVaIiBOb3RPbk9yQWZ0ZXI9IjIwMTctMTItMzBUMDU6MTU6NDAuODU1WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPmh0dHBzOi8vc2lnbmluLmFsaXl1bi5jb20vc2FtbC9TU088L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC43NTdaIiBTZXNzaW9uSW5kZXg9Il82YTk1NGFiNS04ZTQ2LTQ3ODMtYTI3MC1mMGRmYjE1MjgzZjgiPjxBdXRobkNvbnRleHQ+PEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpmZWRlcmF0aW9uOmF1dGhlbnRpY2F0aW9uOndpbmRvd3M8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=
RelayState:
https://home.console.aliyun.com/

SamlResponse base64解码后:

<?xml version="1.0" encoding="utf-8"?>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3b8146b0-eaa8-467c-8fc7-3dab18bb0c27" Version="2.0" IssueInstant="2017-12-30T04:15:40.862Z" Destination="https://signin.aliyun.com/saml/SSO" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="af7j76g9j4c77h8159ghae2j1ca818">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6a954ab5-8e46-4783-a270-f0dfb15283f8" IssueInstant="2017-12-30T04:15:40.862Z" Version="2.0">
    <Issuer>http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_6a954ab5-8e46-4783-a270-f0dfb15283f8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>5lRzvfwkgpcF9guZTWi1xi3KnkMEIG+DJ1N9L9NpU8Q=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WF3jd8MK6nb/tmU2FqAegD+OiMRWJmch0bz2UFI9MeWIc22A426aobS7azS9/j+t481TKzd71b4piMs5SncNc5w/Rd8M/yI5GOCJl2IWAUeJZToQrqIdA/TWHwZ/9nEkQMkay+Ekz3owJhVgtYVRKsewHwCAjWIdOtD9kN5DlQfa1A9RzxHIYq1f1W9WU92FzVh3whIx31igty+XbwPmB6PBsMKZEfpwrDvdG0tOuGTJ9gmuEpaZ8AbqWDa0CKbLxklpg5zzuCM5tz4QXBLpE1YjeoKdGpJuVrq/dhKD4rs8DWfQmPnJ/fF6SjWFuYPXQJu5aCeNq2V8OWde1gP6Ow==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>Administrator@onalipay.xyz</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="af7j76g9j4c77h8159ghae2j1ca818" NotOnOrAfter="2017-12-30T04:20:40.862Z" Recipient="https://signin.aliyun.com/saml/SSO"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-12-30T04:15:40.855Z" NotOnOrAfter="2017-12-30T05:15:40.855Z">
      <AudienceRestriction>
        <Audience>https://signin.aliyun.com/saml/SSO</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-12-30T04:15:40.757Z" SessionIndex="_6a954ab5-8e46-4783-a270-f0dfb15283f8">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

最重要的就是Subject里的NameID属性,阿里云会根据这个信息获取登录成功的账号是谁。
阿里云会以NameID中指定的账号登录成功。
RelayState告诉阿里云方登录成功后跳转到的页面,本例子为home.console.aliyun.com

3.结语

至此我们完成了阿里云Saml SSO登录的流程的分析,后续我们还会介绍阿里云SAML和Shibboleth IDP+LDAP如何打通。

目录
相关文章
|
7月前
|
云安全 安全 开发工具
如何有效管理你的阿里云凭证?
如何有效管理你的阿里云凭证?
123 3
|
数据安全/隐私保护
关于 OAuth 2.0 统一认证授权
随着互联网的巨头大佬逐渐积累了海量的用户与数据,用户的需求越来越多样化,为了满足用户在不同平台活动的需求,平台级的厂商则需要以接口的形式开放给第三方开发者,这样满足了用户的多样性需求,也可以让自己获得利益,让数据流动起来,形成给一个良性的生态环境,最终达到用户、平台商、第三方开发者共赢。
2976 0
|
移动开发 算法 编译器
OAUTH之 钉钉第三方授权登录
OAUTH之 钉钉第三方授权登录
522 0
|
存储 NoSQL 应用服务中间件
SSO(单点登陆)
SSO(单点登陆)
|
7月前
|
弹性计算 Cloud Native 数据库
OpenLDAP+IDAAS+云SSO集成场景
上周拜访两家客户,有一家是IDAAS的重度用户,在使用Flink产品时发现不支持RAM Role,只能使用RAM User来管理用户,客户问在这种场景下IDaaS如何支持;另外一家用户使用了OpenLDAP来做企业的IDP,现在想使用云SSO来做多账号统一用户身份管理。本篇文章介绍一下这三个产品集成...
157 2
OpenLDAP+IDAAS+云SSO集成场景
|
存储 NoSQL Redis
登录业务介绍(单点登录) | 学习笔记
快速学习登录业务介绍(单点登录)
登录业务介绍(单点登录) | 学习笔记
企业支付宝授权认证操作步骤
本文档介绍企业支付宝授权认证操作步骤。
543 0
|
存储 安全 前端开发
OIDC SSO - OAuth2.0的授权模式选择
## 背景信息 &gt; OIDC SSO相关文档总共4篇,主要内容为对OIDC实现SSO登录流程时的各个细节和相关技术的阐述:1. 《OIDC SSO - OAuth2.0的授权模式选择》 2. 《[OIDC SSO - 相关SSO流程和注意事项](https://ata.alibaba-inc.com/articles/218495)》 3. 《[OIDC SSO - Discovery Mech
1118 0
OIDC SSO - OAuth2.0的授权模式选择
|
数据安全/隐私保护
OIDC SSO - 相关SSO流程和注意事项
## 背景信息 &gt; OIDC SSO相关文档总共4篇,主要内容为对OIDC实现SSO登录流程时的各个细节和相关技术的阐述:1. 《[OIDC SSO - OAuth2.0的授权模式选择](https://ata.alibaba-inc.com/articles/218489)》 2. 《OIDC SSO - 相关SSO流程和注意事项》 3. 《[OIDC SSO - Discovery Mech
572 0
|
数据安全/隐私保护
企业身份管理实战---RAM角色单点登录(SSO)
在上篇文章《企业身份管理--RAM用户SSO(单点登录)实战》中,我们介绍了企业账号到阿里云RAM账号SSO的原理和实战:企业员工在自己的员工系统认证完成后,可以通过SAML协议,按照自定的映射规则,通过浏览器免登到云端控制台。本文将介绍另外一种SSO方式:基于RAM角色的SSO。通过角色扮演的方式,访问云端控制台。
2385 0
企业身份管理实战---RAM角色单点登录(SSO)