
SAML Encrypted Assertions

What is a SAML assertion?

SAML assertions are structured messages exchanged between an Identity Provider (IdP) and a Service Provider (SP) to convey user authentication details. They securely confirm the user’s identity, include relevant attributes (such as name or email), and define the user’s permissions or entitlements. The Service Provider’s Assertion Consumer Service (ACS) endpoint receives the SAML response from the IdP and validates it, ensuring the assertion’s authenticity and integrity before granting the user access to the requested resource.

Assertion example

A SAML assertion typically contains the following elements:

  • Attributes: information about the user, such as first name, last name and email address.

  • X509 certificate: used for digital signing and encryption to secure the assertion.

  • Conditions: the validity window of the SAML response, such as its start and expiry times.

Using a Certificate Authority (CA)–signed certificate allows us to encrypt and sign these values, safeguard sensitive data from exposure in diagnostic tools (such as Fiddler or SAML Tracer), and provide an additional layer of security.

The public/private key pair is used to:

  • encrypt the assertion content on the IdP side.

  • decrypt the assertion on the SP side before the Assertion Consumer Service (ACS) parses it and uses it for authentication and authorization.

The following is a typical example of an Azure SAML response, including all assertion values. Note the elements that carry the assertion and the user attributes.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_b3056067-2c4e-4986-a339-f3e72f7561f7"
                Version="2.0"
                IssueInstant="2025-05-20T11:19:16.579Z"
                Destination="https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2/Acs"
                InResponseTo="ide3c324bff3394b07b01bb3b05a72ef4f">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/30f6e3b6-e2ba-458d-bc44-60528bee0bd0/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
               ID="_d0455c45-8e67-4251-bcdb-a28a3d980100"
               IssueInstant="2025-05-20T11:19:16.575Z"
               Version="2.0">
        <Issuer>https://sts.windows.net/30f6e3b6-e2ba-458d-bc44-60528bee0bd0/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_d0455c45-8e67-4251-bcdb-a28a3d980100">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>nifYJfcwJS9/12BHIQIRTkxYfiacs0VuFCKse3BB8/o=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>G91wI5pAmYfDmPgiJXsgHIyZBnZu11g6MM4cBUs/FsI...DA==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIC8DCCAdigAwIBAgIQd2yxlloAdYxGgD7846TzgTANBgkqhkiG9w0BAQsFAD0MTIwDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aW...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.doe@alteryx.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="ide3c324bff3394b07b01bb3b05a72ef4f"
                                         NotOnOrAfter="2025-05-20T12:19:16.288Z"
                                         Recipient="https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2/Acs"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2025-05-20T11:14:16.288Z"
                    NotOnOrAfter="2025-05-20T12:19:16.288Z">
            <AudienceRestriction>
                <Audience>https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>30f6e3b6-e2ba-458d-bc44-60528bee0bd0</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>b64ff4ee-5aef-43be-b767-34a5916d8c03</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/30f6e3b6-e2ba-458d-bc44-60528bee0bd0/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
            </Attribute>
            <Attribute Name="firstName">
                <AttributeValue>John</AttributeValue>
            </Attribute>
            <Attribute Name="lastName">
                <AttributeValue>Doe</AttributeValue>
            </Attribute>
            <Attribute Name="email">
                <AttributeValue>john.doe@alteryx.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2025-05-20T11:15:44.607Z"
                        SessionIndex="_d0455c45-8e67-4251-bcdb-a28a3d980100">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

The following example shows how the structure of the SAML response changes once encryption is applied.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_1d0164cc-d888-4bbe-a592-9691d593ef51"
                Version="2.0"
                IssueInstant="2025-05-20T11:46:54.689Z"
                Destination="https://win-8a4sosipqnt.ayx.ayx/webapi/Saml2/Acs"
                InResponseTo="id0f8b097a777c4000b671df3a24735c2b">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/30f6e3b6-e2ba-458d-bc44-60528bee0bd0/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                            <X509Data>
                                <X509IssuerSerial>
                                    <X509IssuerName>E=john.doe@alteryx.com, CN=WIN-8A4SOSIPQNT.ayx.ayx, OU=Alteryx, O=Alteryx, L=London, S=uk, C=UK</X509IssuerName>
                                    <X509SerialNumber>705589322655184988706920421358426712185360904869</X509SerialNumber>
                                </X509IssuerSerial>
                            </X509Data>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>LjVyAs89Cw+beqHwM3FxpReIw2cJNIhtBDw0td80Bms8LzzJkW3fc9jg7EQXzfnY0zDOxqpQ6kqxWDV12ypE6v8QnuE0XBaoteQ5XUJfhVAZHlOVRUYdgBVQE10V9uWS+l08lekKVsE8VxGjcSHv8tHiYBiL/EPY2zGSsN9Z8TjHdgLX3uwc0yS1ALAPNK0anvw2yTAvqGEiGrzEy+hvJnxcLHG2paDVJKS5vg7sq1559Tys3oOJOTFSbQNPsHLgXuR/17jcYjT/o8JUcMi8sbjTI/+qs78s6Qar+vVpamHaK15X7Tzq+oegYllJnnxEMeLsEP/7yvcLg0si/D3Z9A==</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>7ZEiVBzl8oJG65n5v+13NgxYEGcA6h9mXN3trIfYaabWhdEMA3/syn3tHaSIpTwBMK5fJNvdx2A2wDLpimYyL62E5ZUv6TM9M940ZZhVNxoJMw4jq44Gi2FFP31m6eGx7VdvnNUEkS4KqUXUfEpJ0xU4FvacNL0xjqHHyzymZKDEE2HOx7HfumXyBrTDCvhNS4LsuyvGfWzI347VFfYY5AeQoecjl7iz86yYQEJy1v4hkKQM8cW7B73XSXtQ==</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>

The following is a typical example of an Okta SAML response.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 Destination="https://pod-7257817.ayxayx.com/webapi/Saml2/acs"
                 ID="id50965160074357029521100546197"
                 InResponseTo="idc87287cb7e35455ebf9489f80841519b"
                 IssueInstant="2025-06-20T09:52:54.867Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://www.okta.com/trk2ecrfpfp987hz50h8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id50965160074357029521100546197">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>BMc14bBldK4P1iAqLtP56Bot7P0E2S0VHup3HzrtsYM=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Fy0VgnTxgCEen8Sg492m6DRC...FYg==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAZbqA94nMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     ID="id44750929955808200281100824502"
                     IssueInstant="2025-06-20T09:52:54.867Z"
                     Version="2.0"
                     >
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                      >http://www.okta.com/exk2ecrfpfpXRPhz50h8</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#id44750929955808200281100824502">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="xs"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>nGexU5jGle1QoI05VtK5166L/+MGOStNLYvzE6+DDOQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>s1edTWDthoPsd3GW40sYg/q5fekNt+O...Ag==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDpDCCAoygAwAgIGAZbqA94nMA0GCSqGSIb3DQEBAMIGSMQswCQYDVQQGEwJVUzETMBEG
AUECAwKQ...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.doe@alteryx.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="idc87287cb7e35455ebf9489f80841519b"
                                               NotOnOrAfter="2025-06-20T09:57:54.867Z"
                                               Recipient="https://pod-7257817.ayxayx.com/webapi/Saml2/acs"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          NotBefore="2025-06-20T09:47:54.867Z"
                          NotOnOrAfter="2025-06-20T09:57:54.867Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://pod-7257817.ayxayx.com/webapi/Saml2</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                              AuthnInstant="2025-06-20T09:36:02.556Z"
                              SessionIndex="idc87287cb7e35455ebf9489f80841519b"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >john.doe@alteryx.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="firstName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >John</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="lastName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Doe</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

The following example shows how the structure of a SAML response changes when encryption is applied.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://pod-7257817.ayxayx.com/webapi/Saml2/acs"
                 ID="id-9097293882340198061719617948"
                 InResponseTo="idc2aa4cac47b94800ac3c828ebe932b6e"
                 IssueInstant="2025-06-20T09:48:57.609Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://www.okta.com/trk2ecrfpff33RPhz50h8</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id-9097293882340198061719617948">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>NPm+7AusftaL5NkgOiqZLM2zD6WttP+chxxcJsTjdAU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>vPn1UPpRFAFV1x/f0J1KHQCrf1hT08CO5mCbC...h7w==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAZbqA94nMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Id="_3baec3e9550a5a64750429fa91b8c573"
                            Type="http://www.w3.org/2001/04/xmlenc#Element"
                            >
            <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                   Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
                                   />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
                                    URI="#_e1e7d46469c3dd081df5dfd8b6533708"
                                    />
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>CDruFnE+82tzQjgeNrYwDNQsio8/mH/1ASiZlOpRbxe25ZWTZaJ7ieVOgmf4lrdy1gmLo9DP2kvTOfQNxX79FoJo6c1TAHIuiqGNuHOIK5PQry...z67cng=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                           Id="_e1e7d46469c3dd081df5dfd8b6533708"
                           >
            <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                                   Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                                   >
                <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                                 Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                                 />
            </xenc:EncryptionMethod>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIEYzCCA0ugAwIBAgIUeM2hjmWesJsjW7w9cBgchlyAfDcwDQYJKoZIhvcNAQELBQAwgaQxCzAJ
BgNVBAYTAnVrMQswCQYDVQQIDAJ1azE...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>TsauMNORZBMHoAt5PxQVfK6d6hc+WLrvxWvzzhVWhJWvKjwWFMYXMJpe1B9VkSD0pnHZ4d7xK2rGQHTqIXhBPOK6lhLbWhtHQ0nLONiIR2/TgaxIA6RGlxBs65jt3B/6J8o4dPWdr9dx5On/HZ/l8LQz7mv0tmlnTb7KnNucDurEb2RlNeTWDTBR77YZzZTav9nyUexyXW/cN1TTQJNcfPTJrwq0zyG/Cwryg3NDJiAdEBnS2ubc8p3xuvEYRK8G/wJz7Xe2NfmzHZeKk8EEIDK/O2DXwil6fnSRHCDCiDb9tYDdYhZAVUbRYPjU15MO/GbmNm8CG2O+o1Uh3GPEXQ==</xenc:CipherValue>
            </xenc:CipherData>
            <xenc:ReferenceList>
                <xenc:DataReference URI="#_3baec3e9550a5a64750429fa91b8c573" />
            </xenc:ReferenceList>
        </xenc:EncryptedKey>
    </saml2:EncryptedAssertion>
</saml2p:Response>
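As an added example (not code from Alteryx, Azure or Okta), the following Python script reads a samlp:Response and reports whether it carries a plain Assertion or an EncryptedAssertion, which data and key-wrapping algorithms the IdP used, and which SP certificate wrapped the session key; it handles both layouts shown above, the Azure one (EncryptedKey nested inside EncryptedData/KeyInfo and referenced by issuer/serial) and the Okta one (EncryptedKey beside EncryptedData, referenced by RetrievalMethod, with the certificate embedded). The embedded sample response is constructed, not captured from either IdP.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_thumbprint(b64_der: str) -> str:
    """SHA-1 of the DER certificate in upper-case hex: the 'Thumbprint' the
    Windows certificate store shows for the certificate holding the private key."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha1(der).hexdigest().upper()


def inspect_saml_response(xml_text: str) -> dict:
    """Say whether a samlp:Response carries a plaintext or an encrypted
    assertion and, if encrypted, which SP certificate is needed to decrypt it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    info = {"status": code.get("Value") if code is not None else None}
    enc = root.find("saml:EncryptedAssertion", NS)
    if enc is None:
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise ValueError("neither Assertion nor EncryptedAssertion present")
        info["encrypted"] = False
        info["issuer"] = assertion.findtext("saml:Issuer", namespaces=NS)
        info["name_id"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        return info
    info["encrypted"] = True
    data = enc.find("xenc:EncryptedData", NS)
    info["data_algorithm"] = data.find("xenc:EncryptionMethod", NS).get("Algorithm")
    # Azure nests the EncryptedKey under EncryptedData/KeyInfo; Okta places it
    # beside EncryptedData and points at it with ds:RetrievalMethod. ".//" finds both.
    key = enc.find(".//xenc:EncryptedKey", NS)
    if key is None:
        raise ValueError("EncryptedAssertion has no EncryptedKey")
    info["key_algorithm"] = key.find("xenc:EncryptionMethod", NS).get("Algorithm")
    # The IdP identifies the SP certificate it wrapped the session key with,
    # by issuer/serial (Azure) or by embedding the certificate itself (Okta).
    ser = key.find(".//ds:X509IssuerSerial", NS)
    cert = key.findtext(".//ds:X509Certificate", namespaces=NS)
    if ser is not None:
        info["decrypt_cert"] = {"issuer": ser.findtext("ds:X509IssuerName", namespaces=NS),
                                "serial": ser.findtext("ds:X509SerialNumber", namespaces=NS)}
    else:
        info["decrypt_cert"] = {"thumbprint": cert_thumbprint(cert)} if cert else None
    return info


# Constructed Okta-shaped sample: same element layout as the page's Okta example,
# with fake IDs, a 3-byte stand-in "certificate" and dummy cipher values.
OKTA_STYLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0">
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_d1">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_k1"/></ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_k1">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>AQID</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedKey>
</saml2:EncryptedAssertion>
</saml2p:Response>"""
```

For the Okta layout the reported thumbprint is exactly the value that belongs in the Decryption Certificate Hash field, provided the matching private key is installed on the Server.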

Set Up SAML Token Encryption for Encrypted Assertions in Azure

Note

This section assumes the following prerequisites are in place:

  • Basic SAML configuration has been completed in Azure and in Alteryx System Settings.

  • A pre-configured certificate with a private key, issued by a valid certificate authority (CA), is available.

To set up SAML token encryption for encrypted assertions in Azure...

  1. Sign in to the Azure portal.

  2. Go to Microsoft Entra ID > Enterprise applications.

  3. Search for and select your SAML application.

  4. Select Token encryption.

  5. To import the certificate, select Import Certificate. Then upload your public certificate (CRT) file to Azure.

  6. Once uploaded, select the three-dot menu next to the certificate and select Activate token encryption certificate.

  7. Make sure the associated private key is installed in the Windows certificate store on the Alteryx Server. Also confirm that the certificate chain and its dependencies are correctly in place on the machine.

  8. Open Alteryx System Settings on the Server.

  9. Go to Server UI > Authentication.

  10. To enable encryption, select Encrypt Assertions.

  11. In the Decryption Certificate Hash field, enter the thumbprint of the installed certificate whose private key is present.

  12. To complete the setup, select Next through the remaining prompts, then select Finish.

  13. If successful, AlteryxService restarts automatically. When SAML authentication is triggered, the SAML assertion and attributes appear in encrypted form in SAML tracing tools.

Set Up SAML Token Encryption for Encrypted Assertions in Okta

Note

This section assumes the following prerequisites are in place:

  • Basic SAML configuration has been completed in Okta and in Alteryx System Settings.

  • A pre-configured certificate with a private key, issued by a valid certificate authority (CA), is available.

To set up SAML token encryption for encrypted assertions in Okta...

  1. Sign in to the Okta portal.

  2. From the left navigation pane, select Applications.

  3. Use the search bar to find and select your SAML application.

  4. Select General. Under SAML Settings, select Edit. To continue, select Next.

  5. Under SAML Settings, select Show Advanced Settings.

  6. Under Assertion Encryption, set the drop-down to Encrypted. You can leave the default algorithms selected.

  7. Under Encryption Certificate, select Browse and upload your public certificate (CRT) file.

  8. To complete the configuration, select Next, then select Finish.

  9. Make sure the associated private key is installed in the Windows certificate store on the Alteryx Server. Also confirm that the certificate chain and its dependencies are correctly in place on the machine.

  10. Open Alteryx System Settings on the Server.

  11. Go to Server UI > Authentication.

  12. To enable encryption, select Encrypt Assertions.

  13. In the Decryption Certificate Hash field, enter the thumbprint of the installed certificate whose private key is present.

Troubleshooting

What happens if the decryption certificate hash is entered incorrectly?

If the decryption certificate hash entered in Alteryx System Settings is incorrect:

  • AlteryxService fails to start.

  • The SSO log contains an error similar to the following:

    ERROR,1,AlteryxServerWebApiHost,ssoLogger,ConfigureSamlIdentityProvider,,,,WIN-8A4SOSIPQNT,,,,,,
    Exception thrown when configuring SSO IdP.,
    "System.Exception: Certificate with thumbprint '76634fd5bc020d515fd8218cc7206c9bcb47c91' not found in LocalMachine/Personal store
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.GetX509Certificate2(String certHash)
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.ConfigureSamlIdentityProvider(ILogger ssoLogger, Saml2AuthenticationOptions saml2options)"
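An added example, not part of Alteryx: a small Python checker for the value entered in Decryption Certificate Hash, and for the thumbprint that the SSO log line above reports as not found. It assumes the log message format quoted above; the clipboard sample is constructed.

```python
import re
import unicodedata
from typing import Optional

# Shape of the message the SSO log records when AlteryxService cannot find the
# decryption certificate at startup (taken from the log excerpt quoted above).
NOT_FOUND = re.compile(r"Certificate with thumbprint '([^']*)' not found in (\S+) store")


def clean_thumbprint(raw: str) -> str:
    """Remove what a copy from the Windows certificate dialog tends to carry:
    an invisible U+200E left-to-right mark, spaces, newlines, colons, lower case."""
    visible = "".join(c for c in raw if unicodedata.category(c) not in ("Cf", "Cc", "Zs"))
    return visible.replace(":", "").upper()


def diagnose_thumbprint(raw: str) -> dict:
    """Check a Decryption Certificate Hash value before it goes into Alteryx
    System Settings; a wrong value stops AlteryxService from starting."""
    cleaned = clean_thumbprint(raw)
    result = {
        "normalized": cleaned,
        "format_chars_removed": sum(unicodedata.category(c) == "Cf" for c in raw),
        "valid": False,
        "problem": None,
    }
    if not re.fullmatch(r"[0-9A-F]*", cleaned):
        result["problem"] = "contains characters that are not hex digits"
    elif len(cleaned) != 40:
        result["problem"] = f"{len(cleaned)} hex digits, but a SHA-1 thumbprint has 40"
    else:
        result["valid"] = True
    return result


def diagnose_sso_log(log_text: str) -> Optional[dict]:
    """Pull the thumbprint the service searched for out of an SSO log excerpt.
    A malformed value points at the System Settings entry; a well-formed one
    means the certificate (with its private key) really is absent from the store."""
    m = NOT_FOUND.search(log_text)
    if m is None:
        return None
    report = diagnose_thumbprint(m.group(1))
    report["store"] = m.group(2)
    report["next_step"] = (
        f"import the certificate and private key into the {m.group(2)} store"
        if report["valid"]
        else "re-copy the thumbprint from the certificate's Details tab and re-enter it"
    )
    return report


# Constructed value, as it might arrive from a clipboard copy: leading U+200E,
# space-separated byte pairs, lower case. Cleans to 40 hex digits and is valid.
PASTED = "\u200e0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d"

# The SSO log line quoted above, used as the sample input for diagnose_sso_log.
PAGE_LOG = ("\"System.Exception: Certificate with thumbprint "
            "'76634fd5bc020d515fd8218cc7206c9bcb47c91' not found in LocalMachine/Personal store")
```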

What happens if the PKI certificate is not available in the Windows certificate store?

If the public key infrastructure (PKI) certificate is missing from the Windows certificate store, several problems can appear when the SAML configuration is validated:

  • When attempting to validate the identity provider (IdP), you may encounter the following error:

    Failed to validate with the IdP. Please check your settings again.

  • After a successful login attempt, the browser may return:

    Page Not Found
    The page you are trying to reach does not exist

  • In some cases, AlteryxService may fail to start.

    To troubleshoot, check the SSO log for more details. The log is typically located in C:\ProgramData\Alteryx\logs.

    ERROR,1,AlteryxServerWebApiHost,ssoLogger,ConfigureSamlIdentityProvider,,,,WIN-8A4SOSIPQNT,,,,,,
    Exception thrown when configuring SSO IdP.,
    "System.Exception: Certificate with thumbprint '76634fd5bc020d515fd8218cc7206c9bcb47c91' not found in LocalMachine/Personal store
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.GetX509Certificate2(String certHash)
       at Alteryx.Server.WebApiHost.Services.Impl.Saml2Service.ConfigureSamlIdentityProvider(ILogger ssoLogger, Saml2AuthenticationOptions saml2options)"

What happens if Encrypt Assertions is enabled on the IdP but not in Alteryx?

If the identity provider (IdP) is configured to encrypt SAML assertions but Encrypt Assertions is not enabled in Alteryx System Settings, Alteryx cannot validate the assertions, because they are encrypted with the public key and Alteryx never attempts to decrypt them.

You may encounter the following error messages:

  • Failed to validate with the IdP. Please check your settings again.

  • Page Not Found
    The page you are trying to reach does not exist

Known Defects

Cosmetic UI defect when resizing the Alteryx System Settings window.

TCPE-1590 (GCSE-3302): When the Alteryx System Settings window is resized, the SSL/TLS Certificate Hash and Decryption Certificate Hash fields overlap.