0%

从一月份拿到这本原版书,到五一假期,终于断断续续地把它读完。对于英语渣渣的我来说,原本计划一天读个四五页,花一年时间把它看完。没想到这本书确实挺有意思,加上后来买了个小米电纸书Pro,通勤的时间看起来更方便了,一看就停不下来。真的是很不错的英文读物,虽然有很多专有名词,但是只要有一定的社科知识基础,一些专有名词还是可以靠读音猜出大半。

我后来有查了一下网上对这本书的评价,是两极分化的。喜欢的人极力推荐,不喜欢的人骂它是书商吹捧出来的民科读物。专业这块暂且不去争论,我说说自己整本书看下来的感受。

整本书分成了认知革命,农业革命,科技革命几大部分介绍了我们的祖先智人(Homo Sapiens)是怎么从其他灵长类中脱颖而出,变成这个星球上的主宰。通读下来,我觉得整本书的主旨就一个:我们人类社会之所以是现在这个样子,靠的都是一些虚无缥缈的东西。我们能讲故事,能八卦,能用语言描述那些物质世界之外的东西。靠着这个能力,我们获得了比其他种群更强大的动员能力,让智人们能够集中起来为同一个目标努力。我们生活的世界所相信的所有东西,都是基于这个基础,不管是国家,民族,宗教,亦或是金钱,资本主义,共产主义等等。它们全都是看不见摸不着的东西,但是由于我们的相信,我们做到了其他物种做不到的事情。我以前听说过一个类似的概念:“想像共同体”,只是没想到作者赫拉利能拿它来解释人类社会的一切。书里面的用这个观点解释了人类社会的很多事情,但是里面提到的一些例子和数据,我还是不完全相信的,毕竟我也不是专业人士。这些观点拿来拓宽自己的视野还行,完全当成知识吸收我觉得还是要存疑的,这也是这本书为啥被喷为民科读物的原因吧?

所以一旦接受了书里这个观点,一切是不是就变得悲观了呢?我们所相信的一切,原来都只是我们自己骗自己的而已。作者却又不这么认为,就像他在谈论人类历史的时候同样说,人类从不会从历史中得到教训,历史是重复的,那我们为什么要学习历史呢?因为尽可能的知道我们的祖先是怎么做的,我们可以了解更多的可能性,对未来我们可以有更多的选择。这个也同样适用于我们对人类自己的研究,哪怕我们知道这些东西都是虚无的,但是更好地了解它们的规律,有助于我们在未来做出更好的选择。

在这本书科技革命之后的几章,谈论了人的幸福和人类的未来。我觉得这一块的内容就有点俗套了,特别是关于未来畅想的部分(作者是文科生的关系?),还是没逃脱出科幻小说的话题:环境问题,人类永生,生物革命,赛博朋克等等。这本书写于2014年,从现在2021年回头看,我对科学方面的进步还是持悲观的态度的。

智人未来会走向何方,作者自己也不知道。未来智人这个种群仍然会面对各种未知的困难,然而,作者认为,我们最应该提防的,其实是我们自己,就像他在最后说的:“Is there anything more dangerous than dissatisfied and irresponsible gods who don’t know what they want?”

从去年开始,我强迫自己看一些大部头的技术类书籍,来练习自己的专注能力,同时试着远离手机以及各种公众号文章带来的焦虑。为此我屯了很多PDF电子书,给自己列了一个书单。一开始的做法是用电脑配合PDF阅读器阅读,发现自己还是很容易分心,于是想脱离手机电脑来看书。然而手头的Kindle 只有6寸,拿来看技术文档无异于折磨自己,当时各种品牌的大尺寸电纸书动不动就要2K以上,狠不下心来下单。最后还是选择了折衷方案,找淘宝上打印书本的店铺,把文档打印下来装订成书看,就这么持续了几个月。

阅读全文 »

Java 中的volatile 关键字主要是用于处理并发场景下多线程访问共享变量的内存屏障(Memory Fence/Memory Barrier)问题。经常与同步块sychronized配合使用,因此很多人想到并发就想到它,但是它其实不是用来解决共享变量的问题。以前对它的理解也是浑浑噩噩,今天这里做一下系统性的梳理。

阅读全文 »

最近在v站上看到一篇医生给开中成药的帖子,不出意外没几楼后就开始撕了起来,不愧为经典的友尽话题。一段时间观察下来,我发现网上这类争论挺没有意义的。大力鼓吹中医贬低西医,或者一股脑踩中医的,其实是同一类人。西医好还是中医好对他们来说不重要,他们只是借着这个论点来兜售自己的私货或者借此抨击其他事情。比如厌恶中医的,往往还会一并攻击国学,体制,国民素质等等。而鼓吹中医的,还会带入西方阴谋论等一系列友尽话题。这也是在网上讨论这些永远讨论不出结果的原因。当我们讨论问题的时候带入主观情绪,其实就没只要讨论了,因为最后不会产生理性的结果。

对于不可知的东西,我还是倾向于不急着否定。中医的理论对于现代医学来说,是很荒谬。但是很多时候它的治疗方案是人们长期依赖经验总结的结果,是有可能真的有效的。我们要认识到当前现代医学的局限性,毕竟现在科学还不能解释所有事情。所以在西医久治不愈的情况下,尝试中医方案也未尝不可,前提是它是正规医院给出的方案而不是江湖郎中,并且它的副作用经过现代医学的检验。病人的诉求是把病治好,这个大前提不解决的情况下,你跟他讲中医疗效是安慰剂,通不过双盲测试,真的一点用都没有,那种居高临下嘲笑对方愚昧的态度甚至还有点刻薄。

当然,可以选择的话,看病我还是会优先考虑西医方案。中医目前局限在于它的理论没法证伪,同时又固守经典而不进步,所以骗子很多。现代医学是科学的分支,是通过试验,观测,不断更新前人理论的结果。如果中医还是抱着那些看不见摸不着的东西,不采用现代科学的方法去验证,它的擅长的所有领域被现代医学攻破也是迟早的事。

背景

最近手头有个新项目做压测,本来打算一边压测一边寻找瓶颈调整JVM options。在分析压测时的服务的GC日志过程中,发现有很多类似这样的Full GC记录:

1
[Full GC (Metadata GC Threshold) ...]

整个应用的GC日志看起来挺正常的,就是这类Full GC有点多,不过在压测一段时间后,就不再出现了。

阅读全文 »

不出意外地,本应该在年末完成的总结,又拖到现在才动笔。果然我也许要花一辈子的时间与自己的拖延症斗争到底。2020年在很多人的人生中,绝对是特殊的一年,大家应该都没想到,新冠疫情的影响能够这么久远,甚至到现在国内都还有复发的迹象。我算是幸运的,碰上了一家靠谱的公司,让我们在家办公了大半年。在家办公真的是蛮特殊的一次体验,作为码农,以前心心念念远程工作,但是经过几个月的折磨以后,我更加想念自己的工位,复工之后第一时间回到公司上班。

现在回头想想,回顾2020这一整年,自己都做了什么呢,哪里做得好,又有哪些遗憾?

阅读全文 »

最近尝试用树莓派和两块硬盘搭建了简易的NAS服务,稳定运行了几周,感觉还不错。今天把自己折腾的过程记录一下。

我对NAS的需求

  1. 2T左右的空间
  2. 个人多媒体库(我没有屯片习惯,主要是听歌和偶尔下载一些片子来看)
  3. 管理家庭照片(我和我老婆手机的照片)
  4. 备份
    1. 增量备份到老硬盘
    2. 异地备份到公有云(其实就是百度云)
    3. 定时备份系统,可快速还原系统
  5. 外网访问:查看文件,听音乐,看照片
  6. 用家里电视盒子看视频
  7. 长时间运行不折腾
  8. 可以休眠硬盘(其实现在大部分硬盘自带休眠功能)
  9. 定时开关机
  10. 消息推送:对于一些关注的事件,给我手机发通知(备份成功,开机,关机等等)

购物清单

  1. 咸鱼树莓派4B 2G版本,带外壳带风扇(260元)
  2. 闪迪16G SD卡2张(45元),一张做树莓派系统,一张作为备用
  3. 东芝新小黑A3 2T移动硬盘+2年包换(跟家里一个1T台式机硬盘配合着用)(418元)
  4. 腾讯云HK轻量服务器(安装frp作为内网穿透用)(每月24元)
  5. 腾讯云买的两年域名+免费一年证书(内网穿透用)(46元)
  6. 小米wifi插座(定时开关机用)(40元)
  7. 水星(MERCURY)SG105M 5口千兆交换机 (52元)
阅读全文 »

SSO 与 SAML

在谈论单点登录系统(SSO)实现的时候,我们做技术选型,最常听到的两个方案是SAML与OAuth。得益于现在各互联网大厂的推广,OAuth的概念在这几年深入人心,几乎是SSO的首选方案。但是在OAuth还没兴起的年代,想要快速搭建一套符合业界标准的SSO系统,SAML基本上是唯一选择了。所以在众多历史悠久的企业级应用里,SAML仍然占据着SSO服务的半壁江山。
OAuth 之前已经了解的听清楚了,今天稍微总结一下SAML。

SAML 的一些概念

SP 与 IdP

SAML 中分为SP(service provider)与IdP(identity provider)两个角色。SP属于为用户提供各种业务服务的应用,IdP属于提供用户登录认证的应用。
SAML SSO flow
上面这张图摘自Oasis官方网站上SAML的说明,其中hotels.example.ca就是IdP,当其他两个SP应用需要用户登录时,就会重定向到它这边做登录认证,然后重定向回SP。
详细的认证流程可以参考Oasis官网上的3.3 Identity Federation Use Case对该流程的说明

SAML的XML文档结构

SAML Architecture
上图阐述了传输SAML数据时用到的一些概念。其中Assertions就是传输中具体的用户认证数据,用XML组织。Protocols是Assertions所承载的协议,SAML定义了多种协议,一般常用的是Authentication Request Protocol。Binding定义了idP与SP之间通信的方式(HTTP POST Binding或者SOAP等)。Profiles定义了使用SAML时一些最基础的信息,一般做SSO单点登录时,Profiles是相对固定的。
对于SAML的XML文档中每个属性用途的说明,其实一开始不必过于详细地了解,由于概念太多,很容易收到打击。可以先快速过一遍OASIS网站上的说明,然后挑一种认证流程详细了解一下各请求报文。

Web Broswer SSO Profile

常见web应用基于SAML的SSO实现一般使用的就是Web Broswer SSO Profile。它包含两种flow:
SP-initiated web SSO flow 和 IdP-initiated web SSO flow ,从字面上就很容易理解,一种是SP发起的,一种是IdP发起的。SP-initiated web SSO flow 又分为两种: Redirect/POST Bindings 和 POST/Artifact Bindings。

SP-Initiated SSO: Redirect/POST Bindings

Redirect/POST Bindings
流程说明摘抄自OASIS,挺清楚的,就不翻译了:

  1. The user attempts to access a resource on sp.example.com. The user does not have a valid logon session (i.e. security context) on this site. The SP saves the requested resource URL in local state information that can be saved across the web SSO exchange.
  2. The SP sends an HTML form back to the browser in the HTTP response (HTTP status 200). The HTML FORM contains a SAML message encoded as the value of a hidden form control named SAMLRequest.

    <form method="post" action="https://idp.example.org/SAML2/SSO/POST" ...>
        <input type="hidden" name="SAMLRequest" value="request" />
        <input type="hidden" name="RelayState" value="token" />
        ...
        <input type="submit" value="Submit" />
    </form>
    

    The RelayState token is an opaque reference to state information maintained at the service provider. (The RelayState mechanism can leak details of the user’s activities at the SP to the IdP and so the SP should take care in its implementation to protect the user’s privacy.) The value of the SAMLRequest parameter is the base64 encoding of the following samlp:AuthnRequest element:

    <samlp:AuthnRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_1"
        Version="2.0"
        IssueInstant="2004-12-05T09:21:59Z"
        AssertionConsumerServiceIndex="1">
        <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
        <samlp:NameIDPolicy
            AllowCreate="true"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </samlp:AuthnRequest>
    

    For ease-of-use purposes, the HTML FORM typically will be accompanied by script code that will automatically post the form to the destination site (which is the IdP in this case). The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to send the form to the identity provider’s Single Sign-On Service.

    POST /SAML2/SSO/POST HTTP/1.1
    Host: idp.example.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: nnn
    SAMLRequest=request&RelayState=token
    
  3. The Single Sign-On Service determines whether the user has an existing logon security context at the identity provider that meets the default or requested authentication policy requirements. If not, the IdP interacts with the browser to challenge the user to provide valid credentials.

  4. The user provides valid credentials and a local logon security context is created for the user at the IdP.
  5. The IdP Single Sign-On Service issues a SAML assertion representing the user’s logon security context and places the assertion within a SAML <Response> message. Since the HTTP Artifact binding will be used to deliver the SAML Response message, it is not mandated that the assertion be digitally signed. The IdP creates an artifact containing the source ID for the idp.example.org site and a reference to the <Response> message (the MessageHandle). The HTTP Artifact binding allows the choice of either HTTP redirection or an HTML form POST as the mechanism to deliver the artifact to the partner. The figure shows the use of redirection.
  6. The SP’s Assertion Consumer Service now sends a SAML <ArtifactResolve> message containing the artifact to the IdP’s Artifact Resolution Service endpoint. This exchange is performed using a synchronous SOAP message exchange.

    <samlp:ArtifactResolve
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_2"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:04Z"
        Destination="https://idp.example.org/SAML2/ArtifactResolution">
        <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
    </samlp:ArtifactResolve>
    
  7. The IdP’s Artifact Resolution Service extracts the MessageHandle from the artifact and locates the original SAML <Response> message associated with it. This message is then placed inside a SAML <ArtifactResponse> message, which is returned to the SP over the SOAP channel.

    <samlp:ArtifactResponse
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="identifier_3"
        InResponseTo="identifier_2"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
        <samlp:StatusCode
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:Response
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_4"
        InResponseTo="identifier_1"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z"
        Destination="https://sp.example.com/SAML2/SSO/Artifact">
        <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
        <ds:Signature
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <samlp:Status>
            <samlp:StatusCode
                Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <saml:Assertion
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            ID="identifier_5"
            Version="2.0"
            IssueInstant="2004-12-05T09:22:05Z">
            <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <!-- a Subject element is required -->
    <saml:Subject>
        <saml:NameID
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            user@mail.example.org
        </saml:NameID>
        <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
                InResponseTo="identifier_1"
                Recipient="https://sp.example.com/SAML2/SSO/Artifact"
                NotOnOrAfter="2004-12-05T09:27:05Z"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions
        NotBefore="2004-12-05T09:17:05Z"
        NotOnOrAfter="2004-12-05T09:27:05Z">
        <saml:AudienceRestriction>
            <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement
        AuthnInstant="2004-12-05T09:22:00Z"
        SessionIndex="identifier_5">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    </saml:Assertion>
    </samlp:Response>
    </samlp:ArtifactResponse>
    

    The SP extracts and processes the <Response> message and then processes the embedded assertion in order to create a local logon security context for the user at the SP. Once this is completed, the SP retrieves the local state information indicated by the RelayState data to recall the originally-requested resource URL. It then sends an HTTP redirect response to the browser directing it to access the originally requested resource (not shown).

  8. An access check is made to establish whether the user has the correct authorization to access the resource. If the access check passes, the resource is then returned to the browser.

SP-Initiated SSO: POST/Artifact Bindings

POST/Artifact Bindings

  1. The user attempts to access a resource on sp.example.com. The user does not have a valid logon session (i.e. security context) on this site. The SP saves the requested resource URL in local state information that can be saved across the web SSO exchange.
  2. The SP sends an HTML form back to the browser in the HTTP response (HTTP status 200). The HTML FORM contains a SAML message encoded as the value of a hidden form control named SAMLRequest.

    <form method="post" action="https://idp.example.org/SAML2/SSO/POST" ...>
        <input type="hidden" name="SAMLRequest" value="request" />
        <input type="hidden" name="RelayState" value="token" />
        ...
        <input type="submit" value="Submit" />
    </form>
    

    The RelayState token is an opaque reference to state information maintained at the service provider. (The RelayState mechanism can leak details of the user’s activities at the SP to the IdP and so the SP should take care in its implementation to protect the user’s privacy.) The value of the SAMLRequest parameter is the base64 encoding of the following samlp:AuthnRequest element:

    <samlp:AuthnRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_1"
        Version="2.0"
        IssueInstant="2004-12-05T09:21:59Z"
        AssertionConsumerServiceIndex="1">
        <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
        <samlp:NameIDPolicy
            AllowCreate="true"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </samlp:AuthnRequest>
    

    For ease-of-use purposes, the HTML FORM typically will be accompanied by script code that will automatically post the form to the destination site (which is the IdP in this case). The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to send the form to the identity provider’s Single Sign-On Service.

    POST /SAML2/SSO/POST HTTP/1.1
    Host: idp.example.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: nnn
    SAMLRequest=request&RelayState=token
    
  3. The Single Sign-On Service determines whether the user has an existing logon security context at the identity provider that meets the default or requested authentication policy requirements. If not, the IdP interacts with the browser to challenge the user to provide valid credentials.

  4. The user provides valid credentials and a local logon security context is created for the user at the IdP.
  5. The IdP Single Sign-On Service issues a SAML assertion representing the user’s logon security context and places the assertion within a SAML <Response> message. Since the HTTP Artifact binding will be used to deliver the SAML Response message, it is not mandated that the assertion be digitally signed. The IdP creates an artifact containing the source ID for the idp.example.org site and a reference to the <Response> message (the MessageHandle). The HTTP Artifact binding allows the choice of either HTTP redirection or an HTML form POST as the mechanism to deliver the artifact to the partner. The figure shows the use of redirection.
  6. The SP’s Assertion Consumer Service now sends a SAML <ArtifactResolve> message containing the artifact to the IdP’s Artifact Resolution Service endpoint. This exchange is performed using a synchronous SOAP message exchange.

    <samlp:ArtifactResolve
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_2"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:04Z"
        Destination="https://idp.example.org/SAML2/ArtifactResolution">
        <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
    </samlp:ArtifactResolve>
    
  7. The IdP’s Artifact Resolution Service extracts the MessageHandle from the artifact and locates the original SAML <Response> message associated with it. This message is then placed inside a SAML <ArtifactResponse> message, which is returned to the SP over the SOAP channel.

    <samlp:ArtifactResponse
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="identifier_3"
        InResponseTo="identifier_2"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
        <samlp:StatusCode
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:Response
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_4"
        InResponseTo="identifier_1"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z"
        Destination="https://sp.example.com/SAML2/SSO/Artifact">
        <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
        <ds:Signature
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <samlp:Status>
            <samlp:StatusCode
                Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <saml:Assertion
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            ID="identifier_5"
            Version="2.0"
            IssueInstant="2004-12-05T09:22:05Z">
            <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <!-- a Subject element is required -->
    <saml:Subject>
        <saml:NameID
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            user@mail.example.org
        </saml:NameID>
        <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
                InResponseTo="identifier_1"
                Recipient="https://sp.example.com/SAML2/SSO/Artifact"
                NotOnOrAfter="2004-12-05T09:27:05Z"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions
        NotBefore="2004-12-05T09:17:05Z"
        NotOnOrAfter="2004-12-05T09:27:05Z">
        <saml:AudienceRestriction>
            <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement
        AuthnInstant="2004-12-05T09:22:00Z"
        SessionIndex="identifier_5">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    </saml:Assertion>
    </samlp:Response>
    </samlp:ArtifactResponse>
    

    The SP extracts and processes the <Response> message and then processes the embedded assertion in order to create a local logon security context for the user at the SP. Once this is completed, the SP retrieves the local state information indicated by the RelayState data to recall the originally-requested resource URL. It then sends an HTTP redirect response to the browser directing it to access the originally requested resource (not shown).

  8. An access check is made to establish whether the user has the correct authorization to access the resource. If the access check passes, the resource is then returned to the browser.

两个 SP-Initiated flow 有什么区别?

OASIS网站上并没有说为什么要这两种flow。上图两者最明显的区别是SP对IdP的response验证方式,一种不走服务端,一种通过SOAP进行了一次服务端通信。我觉得可能是为了满足不同实现方的条件,毕竟不是所有实现方都有证书,可以对XML进行加签和校验,所以只能再走一次服务端通信。

IdP-initiated web SSO flow

IdP-initiated web SSO flow

IdP-initiated web SSO flow 跟 SP-Initiated flow 比较类似了,只是发起端在IdP:

  1. If the user does not have a valid local security context at the IdP, at some point the user will be challenged to supply their credentials to the IdP site, idp.example.org.
  2. The user provides valid credentials and a local logon security context is created for the user at the IdP.
  3. The user selects a menu option or link on the IdP to request access to an SP web site, sp.example.com. This causes the IdP’s Single Sign-On Service to be called.
  4. The Single Sign-On Service builds a SAML assertion representing the user’s logon security context. Since a POST binding is going to be used, the assertion is digitally signed before it is placed within a SAML <Response> message. The <Response> message is then placed within an HTML FORM as a hidden form control named SAMLResponse. (If the convention for identifying a specific application resource at the SP is supported at the IdP and SP, the resource URL at the SP is also encoded into the form using a hidden form control named RelayState.) The Single Sign-On Service sends the HTML form back to the browser in the HTTP response. For ease-of-use purposes, the HTML FORM typically will contain script code that will automatically post the form to the destination site.
  5. The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to send the form to the SP’s Assertion Consumer Service. The service provider’s Assertion Consumer Service obtains the <Response> message from the HTML FORM for processing. The digital signature on the SAML assertion must first be validated and then the assertion contents are processed in order to create a local logon security context for the user at the SP. Once this completes, the SP retrieves the RelayState data (if any) to determine the desired application resource URL and sends an HTTP redirect response to the browser directing it to access the requested resource (not shown).
  6. An access check is made to establish whether the user has the correct authorization to access the resource. If the access check passes, the resource is then returned to the browser.

SAML VS OAuth

最后比较一下SAML与OAuth的区别。
SAML 有更多面向企业级的认证授权配置选项,定制化程度高。一旦SP和IdP实现了SAML协议,接入对方只需要对系统进行配置导入和一些简单的配置,基本不会有另外开发工作。所以SAML更适合各种异构的系统组合,特别是那种需要与外部系统(没有源码,无法控制对方行为)对接的情况。
OAuth出现比SAML晚得多,目的是为了方便的做互联网应用之间的授权。它在技术实现上更新,更简单,对互联网应用,移动应用更友好。接入需要一定开发工作。OAuth 是授权(Authorization)协议,不是认证(Authentication)协议,只是某些情况下可以用作登陆认证。

参考

OASIS SAML介绍页


我其实很烦写东西,因为每次翻看以前写的东西,总是有种往事不堪回首的羞耻感。但是马上三十岁了,总觉得应该做点什么仪式感的事。
三十岁的我跟十几年前的我有什么区别?我觉得大体上是没什么区别的。仍然喜欢自己十几岁时候的东西,仍然有种学生心态认为遵守规则才是处事准则,仍然心理发育迟缓不懂为人处世。要说有什么变化,就是开始理解十几岁时听烂的大道理,开始理解父母,理解作为大人的不易,懂得更平静地去看待一些事情。
所以三十岁对我意味着什么?我不认为这个年纪是个门槛,人是不可能在某个节点性情大变的。所以三十岁于我,只能算个值得记录的时间节点。总结一下三十年来的人生,继续前行。
保持学习,保持思考,然后,为家人和自己,保持健康。