备案控制台
探索云世界
开发者社区 大数据 文章 正文

阿里云子账号SAML SSO流程分析

2018-02-24 7378
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介: 0.Saml术语和流程 统一认证中心(Indentity Provider) 此处指客户的统一认证中心服务提供者(Service Provider) 此处指阿里云 此图片说明了以下步骤。1.用户尝试访问WebApp1。

0.Saml术语和流程

统一认证中心(Indentity Provider) 此处指客户的统一认证中心
服务提供者(Service Provider) 此处指阿里云

201111192044014292.gif
此图片说明了以下步骤。
1.用户尝试访问WebApp1。
2.WebApp1 生成一个 SAML 身份验证请求。SAML 请求将进行编码并嵌入到SSO 服务的网址中。包含用户尝试访问的 WebApp1 应用程序的编码网址的 RelayState 参数也会嵌入到 SSO 网址中。该 RelayState 参数作为不透明标识符,将直接传回该标识符而不进行任何修改或检查。
3.WebApp1将重定向发送到用户的浏览器。重定向网址包含应向SSO 服务提交的编码 SAML 身份验证请求。
4.SSO(统一认证中心或叫Identity Provider)解码 SAML 请求,并提取 WebApp1的 ACS(声明客户服务)网址以及用户的目标网址(RelayState 参数)。然后,统一认证中心对用户进行身份验证。统一认证中心可能会要求提供有效登录凭据或检查有效会话 Cookie 以验证用户身份。
5.统一认证中心生成一个 SAML 响应,其中包含经过验证的用户的用户名。按照 SAML 2.0 规范,此响应将使用统一认证中心的 DSA/RSA 公钥和私钥进行数字签名。
6.统一认证中心对 SAML 响应和 RelayState 参数进行编码,并将该信息返回到用户的浏览器。统一认证中心提供了一种机制,以便浏览器可以将该信息转发到 WebApp1 ACS。
WebApp1使用统一认证中心的公钥验证 SAML 响应。如果成功验证该响应,ACS 则会将用户重定向到目标网址。
7.用户将重定向到目标网址并登录到 WebApp1。

1.准备工作

获取AliyunMetadata
aliyun saml metadata.xml中指定了阿里云方的证书公钥,数据交换格式NameIDFormat,以及endpoint地址https://signin.aliyun.com/saml/SSO

<?xml version="1.0" encoding="utf-8"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https___signin.aliyun.com_saml_SSO" entityID="https://signin.aliyun.com/saml/SSO">  
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <md:KeyDescriptor use="signing"> 
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
        <ds:X509Data> 
          <ds:X509Certificate>MIIDUTCCAjmgAwIBAgIEIv2v9DANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJDTjERMA8GA1UE BxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNhcmExEDAOBgNV BAMTB0FsaWJhYmEwHhcNMTcwMzE0MTc1OTE5WhcNMjcwMzEyMTc1OTE5WjBZMQswCQYDVQQGEwJD TjERMA8GA1UEBxMISGFuZ3pob3UxFDASBgNVBAoTC0FsaWJhYmEgSW5jMQ8wDQYDVQQLEwZBcHNh cmExEDAOBgNVBAMTB0FsaWJhYmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqK2HR tf4smv9pCQtPenFE1w6lvxsHiv0J/knvpC1BU4iAWcS8LxAElKb49QbKHuUxcwEGJfm0+zZpqS+J I3jmGc4aHYACyL2WxtKNx/5EK1Qs5ugCipn7g+ySOqXxc/Rv2S7muw6LTrGVTT7vo09EUDkZM34s TupuU7tzX0ktYhimxwskG9o7bvZuQKQf66gN8l/DUzyUl59/0wA1+x5A5B3pvaABCA6dq4mi8mtJ fTXcqWm06+FgVNPgKo59uP6y08rQJXjKDwLIf0owuoiRrPLR5JKC1vQ6PSz0cGv8tGUts5dr/0zG FHy4h3aufQiXCSi44WUB3FejQQfgEiBdAgMBAAGjITAfMB0GA1UdDgQWBBShWN61nZsWz9MYnSrV kCkJnSdFtDANBgkqhkiG9w0BAQsFAAOCAQEAMMAl+C3oyI6kZNmvX05Sb0q6UAM8wqjFKbPhSSiy srjVZwjEjiZnOSnoX8vO07fsZpcVmByHzGXWuBxxKCviCpQCS9hyOTF6bvAoXwe37h02Uhv3tKI0 7FRkXJA7HeB0HEuHPCBxxWVWJfgtkeUETnGV06CrUlGON7Du3h37EUzfTqmKhlsqKeK8uqw3gLYq Bp6ULrP1PbNo2AaHMYaZhFL1dSUtNYvekZppregZKMIDqtEm6Pwpw2lj8gjTC40PQ0GuXEeTsfE5 dhw42xc9RkyUg1Go04k9Z/UMxTX0KVMiRZ9DF2FWjWp1AAQJ3TvZ2Ao/XOhmk4GWRehUoHr7Hw==</ds:X509Certificate> 
        </ds:X509Data> 
      </ds:KeyInfo> 
    </md:KeyDescriptor>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>  
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>  
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aliyun.com/saml/SSO" index="0" isDefault="true"/> 
  </md:SPSSODescriptor> 
</md:EntityDescriptor>

获取onalipay.xyz metadata.xml


<?xml version="1.0" encoding="utf-8"?>

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3f71fd07-84e5-4343-915a-9e74ab6108b9" entityID="http://myComputer.onalipay.xyz/adfs/services/trust">  
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
    <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>  
      <ds:Reference URI="#_3f71fd07-84e5-4343-915a-9e74ab6108b9"> 
        <ds:Transforms> 
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
        </ds:Transforms>  
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>  
        <ds:DigestValue>V5OSnZNev7S2DYV4MDJ4aiFDXBg5PPYZQ9Q3New34Pk=</ds:DigestValue> 
      </ds:Reference> 
    </ds:SignedInfo>  
    <ds:SignatureValue>DQOdDymLabJtJkBE5RRWc7f1Fla99mkEjSadAW5pLnAxES8Lee8olVNzpa4hEbh0WA5DpTM9f8hgTdCiaMkb7l7I9Woeye2gZLBV1CIXFojuVfrgXSCtJ3CPFpxYDIp+0/uHzh9H/GbAwmsYER4TZ820ieq8hFPZFgU/yc1vNZcfm2ZCGMRDbSHq1XlpIokAmX0YOALaTTj9yhxkSz7uSvyQHHLkBZ98CqutklutXYtl7WT44TGOF7TVenKzWKTrKCG1SApO9BcDoI4ZZ4DEzfQHzVrCpLIuRFx+BlDuzf/1wwmgNdC5ay5TUzvOTyAO/85Efawb1k4K++tCZVjHRA==</ds:SignatureValue>  
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
      <X509Data> 
        <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
      </X509Data> 
    </KeyInfo> 
  </ds:Signature>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:ClaimTypesRequested> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesRequested>  
    <fed:TargetScopes> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference>  
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>http://mycomputer.onalipay.xyz/adfs/services/trust</Address> 
      </EndpointReference> 
    </fed:TargetScopes>  
    <fed:ApplicationServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address> 
      </EndpointReference> 
    </fed:ApplicationServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="myComputer.onalipay.xyz">  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <fed:TokenTypesOffered> 
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>  
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/> 
    </fed:TokenTypesOffered>  
    <fed:ClaimTypesOffered> 
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">  
        <auth:DisplayName>E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">  
        <auth:DisplayName>Given Name</auth:DisplayName>  
        <auth:Description>The given name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">  
        <auth:DisplayName>Name</auth:DisplayName>  
        <auth:Description>The unique name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">  
        <auth:DisplayName>UPN</auth:DisplayName>  
        <auth:Description>The user principal name (UPN) of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">  
        <auth:DisplayName>Common Name</auth:DisplayName>  
        <auth:Description>The common name of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">  
        <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>  
        <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">  
        <auth:DisplayName>Group</auth:DisplayName>  
        <auth:Description>A group that the user is a member of</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">  
        <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>  
        <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">  
        <auth:DisplayName>Role</auth:DisplayName>  
        <auth:Description>A role that the user has</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">  
        <auth:DisplayName>Surname</auth:DisplayName>  
        <auth:Description>The surname of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">  
        <auth:DisplayName>PPID</auth:DisplayName>  
        <auth:Description>The private identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">  
        <auth:DisplayName>Name ID</auth:DisplayName>  
        <auth:Description>The SAML name identifier of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">  
        <auth:DisplayName>Authentication time stamp</auth:DisplayName>  
        <auth:Description>Used to display the time and date that the user was authenticated</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">  
        <auth:DisplayName>Authentication method</auth:DisplayName>  
        <auth:Description>The method used to authenticate the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">  
        <auth:DisplayName>Deny only group SID</auth:DisplayName>  
        <auth:Description>The deny-only group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">  
        <auth:DisplayName>Deny only primary SID</auth:DisplayName>  
        <auth:Description>The deny-only primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">  
        <auth:DisplayName>Deny only primary group SID</auth:DisplayName>  
        <auth:Description>The deny-only primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">  
        <auth:DisplayName>Group SID</auth:DisplayName>  
        <auth:Description>The group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">  
        <auth:DisplayName>Primary group SID</auth:DisplayName>  
        <auth:Description>The primary group SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">  
        <auth:DisplayName>Primary SID</auth:DisplayName>  
        <auth:Description>The primary SID of the user</auth:Description> 
      </auth:ClaimType>  
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">  
        <auth:DisplayName>Windows account name</auth:DisplayName>  
        <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description> 
      </auth:ClaimType> 
    </fed:ClaimTypesOffered>  
    <fed:SecurityTokenServiceEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/services/trust/2005/certificatemixed</Address>  
        <Metadata> 
          <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">  
            <wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">  
              <wsx:MetadataReference> 
                <Address xmlns="http://www.w3.org/2005/08/addressing">https://mycomputer.onalipay.xyz/adfs/services/trust/mex</Address> 
              </wsx:MetadataReference> 
            </wsx:MetadataSection> 
          </Metadata> 
        </Metadata> 
      </EndpointReference> 
    </fed:SecurityTokenServiceEndpoint>  
    <fed:PassiveRequestorEndpoint> 
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">  
        <Address>https://mycomputer.onalipay.xyz/adfs/ls/</Address> 
      </EndpointReference> 
    </fed:PassiveRequestorEndpoint> 
  </RoleDescriptor>  
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="0" isDefault="true"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="1"/>  
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/" index="2"/> 
  </SPSSODescriptor>  
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <KeyDescriptor use="encryption"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC8DCCAdigAwIBAgIQPI1g9KgllrtFXb9zx50BvTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylBREZTIEVuY3J5cHRpb24gLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDQxMjAwBgNVBAMTKUFERlMgRW5jcnlwdGlvbiAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1QDXR4rpuSj7hkSyLuWTT/JeN7TTsYDsf+IHLRRq94Q43Xkytz1NM/XF/Xy3vO2Ae5UYGvEqKyfwUJv7+xTsNc+7a5DMXnnk8cvjP0mjiOBuLVNEnQ3Sf07c2ae7zMYIiYa/A+La7Qhr3cPTswb+35U9t+uvuDob0pUshCXAxtLXfiN9SUnA19JIt9XOZPp97btekuWXLJO8ePAY2XzLQtHjVOspCmJerpI3Rh9qFWtijAdoh8FpIb/5PEJWEw4nKyoqZIPdbkoZrNwSYA5sBDrVohMrVchO+FLMXiJ9xzI84EDcT/rE2KNqG1ezf+nLByC2/Y19UnPPLOWWXN7PRQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDKuCTiE7fkmQ/7LtKQFxYDL7n9PI8C2DeGYjQBp7aBOCQKBzX9ARLg6DPtHRIu4cAGfhT/W1dlUyfK5O0nS24vg0OmtpwSPgdlI7RdUxXPq0jhw/v9XMdvrkKqc/y8s5v9OQqxzRYAbzS9eJ4O7GgGpHDOfLcIwcfGMzWVXz9gGQ+840Z3z8XQgz0R8vIqbJmc/7YEMbxwc5u1s1Tk6DNqoflVllbT050I4DRGLgXmKgCDJ9gY0Jlzftd4hXhKBGu996cn3kKVuy6pg1r/jKJOEchbRpLI8LQkrr3OlYdmWZN+GhB8fCbySIf0Db/tZJkwSMIfR7KcaQxSY0Tr2H8v</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <KeyDescriptor use="signing"> 
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">  
        <X509Data> 
          <X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</X509Certificate> 
        </X509Data> 
      </KeyInfo> 
    </KeyDescriptor>  
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycomputer.onalipay.xyz/adfs/services/trust/artifactresolution" index="0"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>  
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycomputer.onalipay.xyz/adfs/ls/"/>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID"></Attribute>  
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"></Attribute> 
  </IDPSSODescriptor> 
</EntityDescriptor>

这个xml里内容很多阿里云只需要里面的一些内容:
证书公钥,signInUrl,signOutUrl以及entityId
阿里云解析到的信息如下

{
    "requestId": "requestId",
    "samlSsoProperties": {
        "ssoEnabled": true,
        "entityId": "http://myComputer.onalipay.xyz/adfs/services/trust",
        "signInUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "signOutUrl": "https://mycomputer.onalipay.xyz/adfs/ls/",
        "certificate": "MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX",
        "validUntil": "2018-11-01T07:18:36.000UTC"
    },
    "success": true
}

我们将onalpay.xyz的metadata.xml在enterprise.console.aliyun.com企业控制台的人员管理的目录设置->SSO设置中上传并开启sso.并且在域名管理中绑定了一个onalipay.xyz的域名

2.阿里云Saml协议解析

2.1 samlRequest

登录signin.aliyun.com输入账号名 administrator@onalipay.xyz会跳转到地址
https://mycomputer.onalipay.xyz/adfs/ls/?SAMLRequest=hZFPb4IwGMbv%2BxSkdygwFWwE42bMTFxGBHfYrasVaqBlfYuRffqhaOYu7vgmz583v2cyPValdeAahJIR8hwXWVwytRUyj9AmW9ghmsYPE6BV6ddk1phCrvlXw8FYMwCuTed7VhKaiuuU64NgfLNeRagwpgaCMYhcCunQUrSNdJiq8CkKp%2BkbsuZdipDUnKuvhqrtRHVjuHaU7Gw1bZ1j%2B43pdge4BIyshdKMnz%2BJ0I6WwJG1nEeI7oJ9MMrH%2BwELgiL0huO8oNzfe4yGXthpIKEA4sB%2FXQANX0owVJoI%2Ba4X2J5vP7qZOyDekPgjZ%2BB6H8hKtDKKqfJJyJ5LoyVRFAQQSSsOxDCSzl5XxHdc8tmLgLxkWWInb2mGrPcrX%2F%2FEtyMugfRE72fVl2IU9wOQ88f6NuF%2BAL1OhOL%2FB5ng25L4cv4dPf4B&RelayState=https%3A%2F%2Fhome.console.aliyun.com%2F
其中 https://mycomputer.onalipay.xyz/adfs/ls/ 为metadata.xml中配置的signinUrl

SamlRequest是经过了deflated压缩和urlencode的xml数据,解析后的内容如下
SamlRequest解析 https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp

<?xml version="1.0" encoding="utf-8"?>

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://signin.aliyun.com/saml/SSO" Destination="https://mycomputer.onalipay.xyz/adfs/ls/" ForceAuthn="false" ID="af7j76g9j4c77h8159ghae2j1ca818" IsPassive="false" IssueInstant="2017-12-30T04:15:26.401Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://signin.aliyun.com/saml/SSO</saml2:Issuer>
</saml2p:AuthnRequest>

SamlRequest标记了ID,Issuer,IssueInstant,Destination等信息
RelayState说明了认证结束后跳转到的地址:RelayState=home.console.aliyun.com

2.2 SamlResponse

https://mycomputer.onalipay.xyz/adfs/ls/ 接收到samlRequest后会获取当前的用户信息跳转到统一登录中心的登录页登录,登录成功后回给Issuer(https://signin.aliyun.com/saml/SSO)一个SamlResponse包,内容如下:
https://signin.aliyun.com/saml/SSO
Post:
SAMLResponse:
PHNhbWxwOlJlc3BvbnNlIElEPSJfM2I4MTQ2YjAtZWFhOC00NjdjLThmYzctM2RhYjE4YmIwYzI3IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NjJaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iYWY3ajc2ZzlqNGM3N2g4MTU5Z2hhZTJqMWNhODE4IiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmE5NTRhYjUtOGU0Ni00NzgzLWEyNzAtZjBkZmIxNTI4M2Y4IiBJc3N1ZUluc3RhbnQ9IjIwMTctMTItMzBUMDQ6MTU6NDAuODYyWiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vbXlDb21wdXRlci5vbmFsaXBheS54eXovYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2IiAvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZhOTU0YWI1LThlNDYtNDc4My1hMjcwLWYwZGZiMTUyODNmOCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIiAvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiIC8+PGRzOkRpZ2VzdFZhbHVlPjVsUnp2ZndrZ3BjRjlndVpUV2kxeGkzS25rTUVJRytESjFOOUw5TnBVOFE9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPldGM2pkOE1LNm5iL3RtVTJGcUFlZ0QrT2lNUldKbWNoMGJ6MlVGSTlNZVdJYzIyQTQyNmFvYlM3YXpTOS9qK3Q0ODFUS3pkNzFiNHBpTXM1U25jTmM1dy9SZDhNL3lJNUdPQ0psMklXQVVlSlpUb1FycUlkQS9UV0h3Wi85bkVrUU1rYXkrRWt6M293SmhWZ3RZVlJLc2V3SHdDQWpXSWRPdEQ5a041RGxRZmExQTlSenhISVlxMWYxVzlXVTkyRnpWaDN3aEl4MzFpZ3R5K1hid1BtQjZQQnNNS1pFZnB3ckR2ZEcwdE91R1RKOWdtdUVwYVo4QWJxV0RhMENLYkx4a2xwZzV6enVDTTV0ejRRWEJMcEUxWWplb0tkR3BKdVZycS9kaEtENHJzOERXZlFtUG5KL2ZGNlNqV0Z1WVBYUUp1NWFDZU5xMlY4T1dkZTFnUDZPdz09PC9kczpTaWduYXR1cmVWYWx1ZT48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQzZqQ0NBZEtnQXdJQkFnSVFRanhXRGh1YURKQktqdGxrY3ZIYVp6QU5CZ2txaGtpRzl3MEJBUXNGQURBeE1TOHdMUVlEVlFRREV5WkJSRVpUSUZOcFoyNXBibWNnTFNCdGVVTnZiWEIxZEdWeUxtOXVZV3hwY0dGNUxuaDVlakFlRncweE56RXhNREV3TnpFNE16WmFGdzB4T0RFeE1ERXdOekU0TXpaYU1ERXhMekF0QmdOVkJBTVRKa0ZFUmxNZ1UybG5ibWx1WnlBdElHMTVRMjl0Y0hWMFpYSXViMjVoYkdsd1lYa3VlSGw2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE1SkJKL1hsTTJtb045Q0VMZ0xuUzJPQ3ZZZlVlUm9hdWhyN2pGUy9CalRrTXhFNVlYQ3E1ZnU4RFlIcmt4eGFmODFuSERiVlRvdEdqdnBVUzR3L0s4UG4zQVhUb1RBVkZsVTdNOUVjd3FWNVE4R3UzVjQ4NHB5bjhkTUdxWjYwYkZoODRQSHlCeHBCWlNWM0tVNlY2bVZFMTB2cWtoZFFQL3RjVTUwWnNOV05MZDNBUjA2cmE5T2ZuTkdQTmRrWmtZS3dtUnFvcmt6OXNzVkdDRWVyWjUzVFRXZldDam5PajVYMnNwek5OZFJPcXROZ1NFRVVZRmtTRlQzb1V0Sk1vb2FkWCtlM1daWkJuYi8xekthVCtyWndCaG9NSVcvL2VVbnRPSFVLb2JaVE1Ya0xUcktQWVhaeVhnc1o2Nk9NU2hsQlZ3Q1hyRG9QUFhVd01KYUtsdXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFGNWV4NFd6emZQRitZOW1qRUdCaGNSNVFKU2dubjIrMkMySi8wTkozQnVIUC9GUG5IaXl6RUMxK3VqVEI2eDFzVHVnK0lXL2tGVXVJQU1VbmhQckp3bSt1VFhUSVVMbGhmRWdmNWQzZG56dk0zbEFML0FRZkpDOXYyUHhyZ0hoVkV0Z01kMFdDbkhMVFVvWERLQ0RXY0dBN09YeDFmMjNzcnJaTGM5UCsvNFNoWFBrd0x5dWRvNmgxeWZ1SnBGWjBnNHR4dTQrMi9YbG4zYzIrUjAraGNYVi9DSnVNcU43aTNmYVpLcFkrb01pcTRndnZXQWpuNmQ3TnBjWS9vWXQ2bGhiTHNucFhUS1FncTd6RGU3aWtMZUhpUDNJU29udjRyUFI2VVprRFdaaVo0RnBDMWxOMDRsWEUzdGZleHJiOThUbUxrU2RuckFCSER3YmJobW10WDwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9LZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxTdWJqZWN0PjxOYW1lSUQ+QWRtaW5pc3RyYXRvckBvbmFsaXBheS54eXo8L05hbWVJRD48U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89ImFmN2o3Nmc5ajRjNzdoODE1OWdoYWUyajFjYTgxOCIgTm90T25PckFmdGVyPSIyMDE3LTEyLTMwVDA0OjIwOjQwLjg2MloiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWduaW4uYWxpeXVuLmNvbS9zYW1sL1NTTyIgLz48L1N1YmplY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNy0xMi0zMFQwNDoxNTo0MC44NTVaIiBOb3RPbk9yQWZ0ZXI9IjIwMTctMTItMzBUMDU6MTU6NDAuODU1WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPmh0dHBzOi8vc2lnbmluLmFsaXl1bi5jb20vc2FtbC9TU088L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0xMi0zMFQwNDoxNTo0MC43NTdaIiBTZXNzaW9uSW5kZXg9Il82YTk1NGFiNS04ZTQ2LTQ3ODMtYTI3MC1mMGRmYjE1MjgzZjgiPjxBdXRobkNvbnRleHQ+PEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpmZWRlcmF0aW9uOmF1dGhlbnRpY2F0aW9uOndpbmRvd3M8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=
RelayState:
https://home.console.aliyun.com/

SamlResponse base64解码后:

<?xml version="1.0" encoding="utf-8"?>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_3b8146b0-eaa8-467c-8fc7-3dab18bb0c27" Version="2.0" IssueInstant="2017-12-30T04:15:40.862Z" Destination="https://signin.aliyun.com/saml/SSO" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="af7j76g9j4c77h8159ghae2j1ca818">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6a954ab5-8e46-4783-a270-f0dfb15283f8" IssueInstant="2017-12-30T04:15:40.862Z" Version="2.0">
    <Issuer>http://myComputer.onalipay.xyz/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_6a954ab5-8e46-4783-a270-f0dfb15283f8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>5lRzvfwkgpcF9guZTWi1xi3KnkMEIG+DJ1N9L9NpU8Q=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WF3jd8MK6nb/tmU2FqAegD+OiMRWJmch0bz2UFI9MeWIc22A426aobS7azS9/j+t481TKzd71b4piMs5SncNc5w/Rd8M/yI5GOCJl2IWAUeJZToQrqIdA/TWHwZ/9nEkQMkay+Ekz3owJhVgtYVRKsewHwCAjWIdOtD9kN5DlQfa1A9RzxHIYq1f1W9WU92FzVh3whIx31igty+XbwPmB6PBsMKZEfpwrDvdG0tOuGTJ9gmuEpaZ8AbqWDa0CKbLxklpg5zzuCM5tz4QXBLpE1YjeoKdGpJuVrq/dhKD4rs8DWfQmPnJ/fF6SjWFuYPXQJu5aCeNq2V8OWde1gP6Ow==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC6jCCAdKgAwIBAgIQQjxWDhuaDJBKjtlkcvHaZzANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBteUNvbXB1dGVyLm9uYWxpcGF5Lnh5ejAeFw0xNzExMDEwNzE4MzZaFw0xODExMDEwNzE4MzZaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIG15Q29tcHV0ZXIub25hbGlwYXkueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5JBJ/XlM2moN9CELgLnS2OCvYfUeRoauhr7jFS/BjTkMxE5YXCq5fu8DYHrkxxaf81nHDbVTotGjvpUS4w/K8Pn3AXToTAVFlU7M9EcwqV5Q8Gu3V484pyn8dMGqZ60bFh84PHyBxpBZSV3KU6V6mVE10vqkhdQP/tcU50ZsNWNLd3AR06ra9OfnNGPNdkZkYKwmRqorkz9ssVGCEerZ53TTWfWCjnOj5X2spzNNdROqtNgSEEUYFkSFT3oUtJMooadX+e3WZZBnb/1zKaT+rZwBhoMIW//eUntOHUKobZTMXkLTrKPYXZyXgsZ66OMShlBVwCXrDoPPXUwMJaKluwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAF5ex4WzzfPF+Y9mjEGBhcR5QJSgnn2+2C2J/0NJ3BuHP/FPnHiyzEC1+ujTB6x1sTug+IW/kFUuIAMUnhPrJwm+uTXTIULlhfEgf5d3dnzvM3lAL/AQfJC9v2PxrgHhVEtgMd0WCnHLTUoXDKCDWcGA7OXx1f23srrZLc9P+/4ShXPkwLyudo6h1yfuJpFZ0g4txu4+2/Xln3c2+R0+hcXV/CJuMqN7i3faZKpY+oMiq4gvvWAjn6d7NpcY/oYt6lhbLsnpXTKQgq7zDe7ikLeHiP3ISonv4rPR6UZkDWZiZ4FpC1lN04lXE3tfexrb98TmLkSdnrABHDwbbhmmtX</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>Administrator@onalipay.xyz</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="af7j76g9j4c77h8159ghae2j1ca818" NotOnOrAfter="2017-12-30T04:20:40.862Z" Recipient="https://signin.aliyun.com/saml/SSO"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-12-30T04:15:40.855Z" NotOnOrAfter="2017-12-30T05:15:40.855Z">
      <AudienceRestriction>
        <Audience>https://signin.aliyun.com/saml/SSO</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-12-30T04:15:40.757Z" SessionIndex="_6a954ab5-8e46-4783-a270-f0dfb15283f8">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

最重要的就是Subject里的NameID属性,阿里云会根据这个信息获取登录成功的账号是谁。
阿里云会以NameID中指定的账号登录成功。
RelayState告诉阿里云方登录成功后跳转到的页面,本例子为home.console.aliyun.com

3.结语

至此我们完成了阿里云Saml SSO登录的流程的分析,后续我们还会介绍阿里云SAML和Shibboleth IDP+LDAP如何打通。

文章标签:
云解析DNS
数据格式
XML
Windows
关键词:
阿里云子账号
阿里云sso
阿里云saml
阿里云子账号分析
巴梨
目录
相关文章
游客wxcco55wjbm5g
|
1月前
|
弹性计算 固态存储
玩转阿里云游戏服务器:阿里云幻兽帕鲁Palworld游戏专属服务器搭建保姆级流程
对于热爱《幻兽帕鲁》的玩家们来说,与好友一起联机冒险无疑是游戏的一大乐趣。但如何快速搭建一个专属服务器,让你和朋友轻松“抓帕鲁”呢?本文将为您提供阿里云极简部署幻兽帕鲁专属服务器的指引,让您仅需轻点三次鼠标,3秒轻松开服!
游客wxcco55wjbm5g
95 0
游客cxahk3uf2jeks
|
2月前
|
弹性计算 监控 安全
阿里云ECS云服务器推荐配置,选择流程
阿里云ECS云服务器推荐配置,选择流程,阿里云服务器配置选择方法包括云服务器类型、CPU内存、操作系统、公网带宽、系统盘存储、网络带宽选择、安全配置、监控等,阿里云百科分享阿里云服务器配置选择方法,选择适合自己的云服务器配置
游客cxahk3uf2jeks
49 0
爱学习的千影
|
2月前
|
机器人
阿里云 RPA 的成本效益分析
机器人流程自动化(RPA)技术在企业数字化转型中扮演着越来越重要的角色。阿里云 RPA 作为一种高效的自动化解决方案,不仅可以提高业务效率,还可以降低运营成本。本文将对阿里云 RPA 的成本效益进行分析,帮助企业更好地评估和利用这一技术。
爱学习的千影
80 1
游客677xsv64z
|
2月前
|
弹性计算 数据安全/隐私保护
阿里云上怎样搭建幻兽帕鲁Palworld游戏服务器,流程介绍
在数字游戏的浪潮中,与好友联机共游已成为一种新风尚。最近备受瞩目的幻兽帕鲁,你是否已经跃跃欲试,想和好友一同探索这片神秘的世界?今天,就为大家带来一篇实用的教程,教你如何轻松搭建属于自己的幻兽帕鲁游戏服务器,与好友畅享云端乐趣。
游客677xsv64z
25 2
qtuzunbex43fk
|
2月前
|
弹性计算 搜索推荐
「玩转幻兽帕鲁/Palworld」阿里云自建Palworld/幻兽帕鲁服务器全流程攻略
随着《幻兽帕鲁》这款开放世界生存游戏的热度不断上升,越来越多的玩家开始追求更加自由和个性化的游戏体验。搭建自己的专属服务器,无疑是实现这一目标的最佳选择。今天,就让我们一起来了解如何轻松搭建《幻兽帕鲁》服务器,与好友共同开启精彩刺激的联机游戏吧!
qtuzunbex43fk
47 6
数据中台炜松
|
1月前
|
数据库
阿里云DTS数据迁移和数据同步的差异性分析
阿里云DTS作为一款常用的数据库表迁移工具,提供了功能非常类似的两个功能:数据迁移、数据同步。阿里云DTS产品官网对这两个功能模块进行了简单的区分: 场景1:存量数据批量迁移,建议使用数据迁移功能。 场景2:增量数据实时同步,建议使用数据同步功能。 实际上,无论是数据迁移还是数据同步,都可以做 “结构初始化”+“全量数据迁移”+“增量迁移”,因此两者功能差异并不明显。笔者在多个项目实践DTS数据迁移,在简单需求场景下,将DTS的数据迁移、数据同步进行对比和总结。
数据中台炜松
299 0
游客wmen2wljmyuqy
|
1天前
|
弹性计算 JavaScript Java
阿里云服务器搭建部署宝塔详细流程
以下是内容的摘要: 本文主要介绍了在阿里云上创建和配置服务器环境的步骤,包括注册阿里云账号、实名认证、购买和设置服务器、域名的获取与备案、以及使用宝塔面板安装和配置环境。首先,用户需要注册阿里云账号并进行实名认证,选择合适的服务器配置。接着,购买服务器后,要准备并备案域名,以便通过友好的网址访问网站。在服务器上安装宝塔面板,可以方便地管理和配置LAMP/LNMP/Tomcat/Node.js等应用环境。完成这些步骤后,用户还需要在宝塔面板中安装MySQL、Redis等数据库,部署Java或Vue项目,并配置相关端口。最后,将前端项目打包上传至服务器,并设置站点,即可实现网站的上线。
游客wmen2wljmyuqy
24 1
弹性计算小冉
|
1天前
|
人工智能 安全 云计算
阿里云服务器购买之后发票如何申请?申请发票流程及常见问题参考
申请发票是很多用户尤其是企业级用户在购买完阿里云服务器之后非常关注的问题,对于初次购买阿里云服务器的用户来说,往往并不清楚如何找阿里云申请发票,本文以图文形式为大家介绍阿里云服务器购买完成之后申请发票的详细流程以及常见问题。
弹性计算小冉
15 2
阿里云服务器购买之后发票如何申请?申请发票流程及常见问题参考
游客koxsy2lzz7wl4
|
3天前
|
NoSQL 关系型数据库 MySQL
阿里云服务器部署项目流程
本文主要讲解阿里云服务器的部署,如何选择配置等
游客koxsy2lzz7wl4
31 6
游客koxsy2lzz7wl4
|
3天前
|
存储 Java API
阿里云oss简介和使用流程
本文档介绍了如何准备阿里云OSS(对象存储服务)并开始使用它。首先,需要注册阿里云账号并进行实名认证,然后购买OSS资源包。在阿里云控制台中,可以创建和管理OSS存储空间(称为“Bucket”)。接着,文章简要介绍了阿里云OSS,它是一个基于云端的对象存储服务,提供高可靠性、高性能、低成本和易于使用的特性。 在阿里云OSS控制台,用户可以进行文件的上传和下载操作。通过API,开发者可以使用各种编程语言(如Java)来创建、删除Bucket以及上传、下载和删除文件。例如,Java代码示例展示了如何创建Bucket、上传文件、删除文件以及下载文件到本地的操作。
游客koxsy2lzz7wl4
29 0

热门文章

最新文章

  • 1
    超1/3中国500强企业都在用的「汇联易」,为什么选用阿里云RDS?
  • 2
    阿里云实时计算Flink的产品化思考与实践【下】
  • 3
    云效 AppStack + 阿里云 MSE 实现应用服务全链路灰度
  • 4
    购买阿里云活动内云服务器之后设置密码、安全组、增加带宽、挂载云盘教程
  • 5
    在阿里云Ubuntu 20.04服务器中搭建一个 Ghost 博客
  • 6
    阿里云服务器内存型r7、r8a、r8y实例区别参考
  • 7
    飞天发布时刻丨阿里云 ApsaraMQ 全面升级,携手 Confluent 发布全新产品
  • 8
    阿里云服务器经济型e实例2核2G3M带宽99元搭建网站图文教程参考
  • 9
    阿里云3M带宽云服务器并发多大?阿里云3M带宽云服务器测评参考
  • 10
    什么是阿里云FPGA云服务器?FPGA云服务器产品优势及应用场景介绍
  • 1
    阿里云数据库使用方法,从购买、创建数据库账号密码到连接数据库全流程
    327
  • 2
    阿里云第八代云服务器实例通用型g8i实例性能和适用场景介绍
    381
  • 3
    【产品动态】阿里云弹性计算产品月刊-2024年2月
    761
  • 4
    倚天产品介绍|阿里云核心产品—倚天710
    400
  • 5
    阿里云BssOpenAPI是一个基于阿里云开放API的服务
    136
  • 6
    阿里云CDN HTTPS 证书配置流程
    166
  • 7
    DataWorks常见问题之添加阿里云selectdb失败如何解决
    105
  • 8
    阿里云可观测 2024 年 2 月产品动态
    507
  • 9
    云效AppStack+阿里云MSE实现应用服务全链路灰度
    121399
  • 10
    阿里云服务器ESSD云盘性能等级PL0、PL1、PL2、PL3区别,云盘性能级别PL知识点参考
    192

    • 相关课程

    更多
  • 跟阿里云技术专家学习智能推荐系统
  • 阿里云负载均衡SLB实战演练
  • 云原生基础概念及阿里云云原生产品介绍
  • 阿里云图数据库GDB入门与应用
  • 企业上云攻略-阿里云网络产品应用系列教程
  • 走进阿里云物联网

    • 相关电子书

    更多
  • 阿里云云原生 Serverless 技术实践营 PPT 演讲
  • 阿里云产品十月刊
  • 基于阿里云构建博学谷平台实时湖仓

    • 相关实验场景

    更多
  • 使用阿里云ECS监控您的特斯拉
  • 使用阿里云ECS安装家用内网穿透服务
  • 在阿里云百炼大模型中快速创建企业知识应用
  • 使用阿里云ECS搭建一套网页IDE
  • 使用阿里云ECS搭建自己的持续集成服务
  • 阿里云百炼xAnalyticDB PostgreSQL构建AIGC应用
    • 下一篇
    阿里云oss简介和使用流程
    为什么选择阿里云什么是云计算全球基础设施技术领先稳定可靠安全合规分析师报告
    产品和定价全部产品免费试用产品动态产品定价价格计算器云上成本管理
    解决方案技术解决方案
    文档与社区文档开发者社区天池大赛培训与认证
    权益中心免费试用高校计划企业扶持计划推荐返现计划
    支持与服务基础服务企业增值服务迁云服务官网公告健康看板信任中心
    关注阿里云
    关注阿里云公众号或下载阿里云APP,关注云资讯,随时随地运维管控云服务
    阿里云APP阿里云微信
    联系我们:4008013260
    法律声明Cookies政策廉正举报安全举报联系我们加入我们
    阿里巴巴集团淘宝网天猫全球速卖通阿里巴巴国际交易市场1688阿里妈妈飞猪阿里云计算AliOS万网高德UC友盟优酷钉钉支付宝达摩院淘宝海外阿里云盘饿了么
    © 2009-2024 Aliyun.com 版权所有 增值电信业务经营许可证: 浙B2-20080101 域名注册服务机构许可: 浙D3-20210002 京D3-20220015
    浙公网安备 33010602009975号浙B2-20080101-4