参考
OpenAMとO365のSAML連携 - pikesaku’s blog
上記手順で構成。
前提情報
O365(SP)メタファイル
https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" ID="_e1f359fb-13fb-4264-9047-177f62360717" entityID="urn:federation:MicrosoftOnline"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#_e1f359fb-13fb-4264-9047-177f62360717"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>LhwJ4fdEzmYQo4AgLM33skv8EhM=</DigestValue> </Reference> </SignedInfo> <SignatureValue>CmzuV+PjHZAYEHIEPDgmnXtIwKaiBuwdPctJfwp57VBKZRPB+bM7Yrlxm2osn4T8AjLBNxV64I8t5tAALYhJuBnUW7hQwONVetovkAT07fN53Ybjc8uIvJWx0ZkJ4gyAVCwdEzGd7dUJmuqRbImyfaNkTnjWtFXCtj0JJOb7kNMXGxCbjcGXMTPvsItNmZ/goiKAPIGgnAWeJQlXRLBNj3VncEo2rmfFGsaKtqoFKx19JrzI70vxRTcQyCB4Qf6ID+EHrWfMr0crZ94ttJ50wrsS9aIvPgH/Px7mHFKSjC0N4tc7cuVC09/PHCy/hBIfvaWGnjcJOXku2XCNdkbvZw==</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>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</X509Certificate> </X509Data> </KeyInfo> </Signature> <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate>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</X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor> <KeyDescriptor use="signing"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate>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</X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://login.microsoftonline.com/login.srf"/> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/login.srf" index="0" isDefault="true"/> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login.microsoftonline.com/login.srf" index="1"/> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://login.microsoftonline.com/login.srf" index="2"/> </SPSSODescriptor> <Extensions> <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </Extensions> </EntityDescriptor>
OpenAM(IdP)メタファイル
※ドメインはhoge.comでレルムはo365の場合、公開URL文字列は以下となる。
https://hoge.com/openam/saml2/jsp/exportmetadata.jsp?entityid=https%3A%2F%2Fhoge.com%3A443%2Fopenam&realm=%2Fo365
EntityDescriptor entityID="https://hoge.com:443/openam"> <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> 〜省略〜 </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/ArtifactResolver/metaAlias/o365/idp"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hoge.com:443/openam/IDPSloPOST/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPSloPOST/metaAlias/o365/idp"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/IDPSloSoap/metaAlias/o365/idp"/> <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hoge.com:443/openam/IDPMniRedirect/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPMniRedirect/metaAlias/o365/idp"/> <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hoge.com:443/openam/IDPMniPOST/metaAlias/o365/idp" ResponseLocation="https://hoge.com:443/openam/IDPMniPOST/metaAlias/o365/idp"/> <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/IDPMniSoap/metaAlias/o365/idp"/> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress </NameIDFormat> <NameIDFormat> 
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified </NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName </NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName </NameIDFormat> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hoge.com:443/openam/SSORedirect/metaAlias/o365/idp"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hoge.com:443/openam/SSOPOST/metaAlias/o365/idp"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/SSOSoap/metaAlias/o365/idp"/> <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/NIMSoap/metaAlias/o365/idp"/> <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hoge.com:443/openam/AIDReqSoap/IDPRole/metaAlias/o365/idp"/> <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://hoge.com:443/openam/AIDReqUri/IDPRole/metaAlias/o365/idp"/> </IDPSSODescriptor> </EntityDescriptor>
SP Initiated SSOの場合
以下フローとなる。
①ブラウザがO365(SP)のサインイン画面にアクセスしサインイン(IDのみ入力)
②O365がブラウザをOpenAM(IdP)のレルムのサインイン画面にリダイレクト
③ブラウザがOpenAMサインイン画面にアクセス(SAMLリクエスト送付)
④ブラウザがOpenAMサインイン画面でID/PW入力しサインイン
⑤OpenAMがブラウザをO365にリダイレクト
⑦ブラウザがO365 SAMLにアクセス(SAMLレスポンス送付)
⑥O365にサインイン
SAMLトレーサーで採取した情報は以下の通り。
SAMLリクエスト(③)
<samlp:AuthnRequest ID="_77eeb8fe-8b2b-4752-9ed4-4fc0c3fbf8e9" Version="2.0" IssueInstant="2022-05-15T14:51:07.739Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /> </samlp:AuthnRequest>
SAMLレスポンス(⑦)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2faee0cb2cdbb0c40204f41c0613ff54d25cc543c" InResponseTo="_77eeb8fe-8b2b-4752-9ed4-4fc0c3fbf8e9" Version="2.0" IssueInstant="2022-05-15T14:51:13Z" Destination="https://login.microsoftonline.com/login.srf" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hoge.com:443/openam</saml:Issuer> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s26a1ee234251e7b5de92ad22ceecb14a112d9191c" IssueInstant="2022-05-15T14:51:13Z" Version="2.0" > <saml:Issuer>https://hoge.com:443/openam</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#s26a1ee234251e7b5de92ad22ceecb14a112d9191c"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>o+/KyOny4iHd+yikTkDxWliPlVk=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>〜省略〜</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>〜省略〜</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://hoge.com:443/openam" SPNameQualifier="urn:federation:MicrosoftOnline" >10000</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData InResponseTo="_77eeb8fe-8b2b-4752-9ed4-4fc0c3fbf8e9" 
NotOnOrAfter="2022-05-15T15:01:13Z" Recipient="https://login.microsoftonline.com/login.srf" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2022-05-15T14:41:13Z" NotOnOrAfter="2022-05-15T15:01:13Z" > <saml:AudienceRestriction> <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2022-05-15T14:51:13Z" SessionIndex="s22aa3ab0b20f4d83859d1aa1528391652e0dde201" > <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="IDPEmail"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >hoge@hoge.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
SAMLログアウトリクエスト(おまけ)
<samlp:LogoutRequest ID="_12385893-eebb-45eb-87de-4c023d0230a7" Version="2.0" IssueInstant="2022-05-15T14:51:28.302Z" Destination="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >10000</NameID> <samlp:SessionIndex>s22aa3ab0b20f4d83859d1aa1528391652e0dde201</samlp:SessionIndex> </samlp:LogoutRequest>
SAMLログアウトレスポンス(おまけ) ※注: 以下に貼られている内容は上記のログアウトリクエスト(LogoutRequest)と同一で、レスポンス(LogoutResponse)本体は掲載されていない。
<samlp:LogoutRequest ID="_12385893-eebb-45eb-87de-4c023d0230a7" Version="2.0" IssueInstant="2022-05-15T14:51:28.302Z" Destination="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >10000</NameID> <samlp:SessionIndex>s22aa3ab0b20f4d83859d1aa1528391652e0dde201</samlp:SessionIndex> </samlp:LogoutRequest>
IDP Initiated SSOの場合
以下フローとなる。
①ブラウザがレルムのOpenAMサインイン画面でID/PW入力しサインイン
URLは以下
https://hoge.com:443/openam/XUI/?realm=%2Fo365#login
②ブラウザがO365 SAMLにアクセス(SAMLレスポンス送付)
https://hoge.com:443/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=%2Fo365%2Fidp&spEntityID=urn%3Afederation%3AMicrosoftOnline&NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
③O365にサインイン
SAMLトレーサーで採取した情報は以下の通り。
SAMLレスポンス(②)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s207635788d55874ec055af470c14588ac4d8d151d" Version="2.0" IssueInstant="2022-05-15T15:52:58Z" Destination="https://login.microsoftonline.com/login.srf" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hoge.com:443/openam</saml:Issuer> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2bd1c86eb6c0ab8f840b6f8eb2f20ab4210b7da2f" IssueInstant="2022-05-15T15:52:58Z" Version="2.0" > <saml:Issuer>https://hoge.com:443/openam</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#s2bd1c86eb6c0ab8f840b6f8eb2f20ab4210b7da2f"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>IxMkFO2rdzhOk9/t2blfaIE2b6k=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>〜省略〜</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>〜省略〜</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://hoge.com:443/openam" SPNameQualifier="urn:federation:MicrosoftOnline" >10000</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2022-05-15T16:02:58Z" Recipient="https://login.microsoftonline.com/login.srf" /> 
</saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2022-05-15T15:42:58Z" NotOnOrAfter="2022-05-15T16:02:58Z" > <saml:AudienceRestriction> <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2022-05-15T15:52:26Z" SessionIndex="s2b52578651e4b29cf4b304eceb2475cae0259eb01" > <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="IDPEmail"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >hoge@hoge.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
SAMLログアウトリクエスト(おまけ)
<samlp:LogoutRequest ID="_19e69436-931a-403e-95d8-c506945df67f" Version="2.0" IssueInstant="2022-05-15T15:53:14.166Z" Destination="https://hoge.com:443/openam/IDPSloRedirect/metaAlias/o365/idp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >10000</NameID> <samlp:SessionIndex>s2b52578651e4b29cf4b304eceb2475cae0259eb01</samlp:SessionIndex> </samlp:LogoutRequest>
SAMLログアウトレスポンス(おまけ)
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="se60d6f6c2dc845c912c51b187496499ebdb0d10b" Version="2.0" IssueInstant="2022-05-15T15:53:14Z" Destination="https://login.microsoftonline.com/login.srf" InResponseTo="_19e69436-931a-403e-95d8-c506945df67f" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hoge.com:443/openam</saml:Issuer> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> <samlp:StatusMessage xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> Session did not exist. Already logged-out </samlp:StatusMessage> </samlp:Status> </samlp:LogoutResponse>
ログアウト時、上記ログアウトレスポンスのStatusMessageにある「Session did not exist. Already logged-out」エラーになる。
※原因調査中。