Active模式认证

WS-Federation 协议中的 Active 模式，基于SOAP实现，通过SOAP消息请求，传递用户名密码参数，认证通过后返回SOAP响应，实现起来会比较困难，一般不推荐使用。

登录流程

请求说明

POST https://{your_domain}/api/v1/sso/wsfed/{your_app_clientId}/active

请求示例

1. 请求头

参数名	必须	示例值	描述
Content-Type	是	application/soap+xml	SOAP1.2协议标准格式

2. Body消息体

<?xml version='1.0' encoding='UTF-8'?>
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wssc='http://schemas.xmlsoap.org/ws/2005/02/sc' xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust'>
    <s:Header>
        <wsa:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
        <wsa:To s:mustUnderstand='1'>https://{your_domain}/api/v1/sso/wsfed/{your_app_clientId}/active</wsa:To>
        <wsa:MessageID>urn:uuid:BCA8CE3D-D522-46E5-85F6-101E8CDFD730</wsa:MessageID>
        <wsse:Security>
            <wsse:UsernameToken wsu:Id='user'>
                <wsse:Username>test_user@test.bccastle.com</wsse:Username>
                <wsse:Password>Password</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </s:Header>
    <s:Body>
        <wst:RequestSecurityToken Id='RST0'>
            <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
            <wsp:AppliesTo>
                <wsa:EndpointReference>
                    <wsa:Address>https://login.partner.microsoftonline.cn</wsa:Address>
                </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
        </wst:RequestSecurityToken>
    </s:Body>
</s:Envelope>

请求消息体说明

• namespace 说明

namespace	地址
wsa	http://www.w3.org/2005/08/addressing
wsse	http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu	http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
wst	http://schemas.xmlsoap.org/ws/2005/02/trust

• <s:Header> 参数说明

参数名	必须	示例值	描述
wsa:Action	是	http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	协议固定值
wsa:To	是	https://{your_domain}/api/v1/sso/wsfed/{your_app_clientId}/active	与Active接口保持一致
wsa:MessageID	是	BCA8CE3D-D522-46E5-85F6-101E8CDFD730	随机值
wsse:Username	是		用户名， 根据应用配置查询IDaaS用户
wsse:Password	是		用户密码
wsu:Created	否	2023-04-19T02:30:59	如果该该值存在，则会校验是否在当前时间之前
wsu:Expires	否	2023-04-19T03:30:59	如果该该值存在，则会校验是否在当前时间之前

• <s:Body> 参数说明

参数名	必须	示例值	描述
wst:RequestType	是	http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	固定值
wst:TokenType	是	urn:oasis:names:tc:SAML:1.0:assertion	固定值
wsa:Address	是		随机值, 目前不做处理
wst:KeyType	是	http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey	固定值

响应示例

正确返回示例

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
        <a:RelatesTo>urn:uuid:BCA8CE3D-D522-46E5-85F6-101E8CDFD730</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2023-04-19T02:30:59</u:Created>
                <u:Expires>2023-04-19T02:35:59</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body>
        <wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <wst:Lifetime>
                <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-04-19T02:20:59</wsu:Created>
                <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-04-19T02:40:59</wsu:Expires>
            </wst:Lifetime>
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                    <wsa:Address>https://login.partner.microsoftonline.cn</wsa:Address>
                </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:RequestedSecurityToken>
                <saml:Assertion  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_3435e7b2-b341-4ff7-9bb2-be89df9245b1" Issuer="https://ryan.idaas-test-alpha.bccastle.com" IssueInstant="2023-04-19T02:30:59Z" >
                    <saml:Conditions  NotBefore="2023-04-19T02:20:59Z" NotOnOrAfter="2023-04-19T02:40:59Z" >
                        <saml:AudienceRestrictionCondition>
                            <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
                        </saml:AudienceRestrictionCondition>
                    </saml:Conditions>
                    <saml:AttributeStatement >
                        <saml:Subject>
                            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test_user@test.bccastle.com</saml:NameIdentifier>
                            <saml:SubjectConfirmation>
                                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                            </saml:SubjectConfirmation>
                        </saml:Subject>
                        <saml:Attribute AttributeName="authnmethodsreferences" AttributeNamespace="http://schemas.microsoft.com/claims">
                            <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
                        </saml:Attribute>
                    </saml:AttributeStatement>
                    <saml:AuthenticationStatement AuthenticationInstant="2023-04-19T02:30:59Z">
                        <saml:Subject>
                            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test_user@test.bccastle.com</saml:NameIdentifier>
                            <saml:SubjectConfirmation>
                                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
                            </saml:SubjectConfirmation>
                        </saml:Subject>
                    </saml:AuthenticationStatement>
                    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                            <ds:Reference URI="#_3435e7b2-b341-4ff7-9bb2-be89df9245b1">
                                <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </ds:Transforms>
                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                <ds:DigestValue>xvwfmxXYMBzz1mU8r5vTUWNnFDw=</ds:DigestValue>
                            </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue>
jijaMvoD7rjZP/IMXo2N78RwBl+gNNIIGkPup/WEGerqEb/9jYbJmMJj+4PV1Mbb+NhJWFZTxsnY
/i/F0leo862tMz0wDBv6mhGna3FvfQT48NR1JFDKX/I4/P5eGkFJYhM7+j6Bk6lD7bxYUewyZAJP
QXV9PFqoEsYKydElBj4yP3JoiDL8llikIo5xSSHaxJn2nEI9ewEGIIuVDZs/ZB0RvIUZpLgOe9/2
2UX+gSRsJlhu2ON2/liCJv3iLzLOGSmQF/YQTSO3KArZ2uJHs6K8phsHZRkvLaYFm9+75E1sttll
zXO/PsYyG6OWPbZi1kamYyaSgfxwaKAO+VrPtQ==
</ds:SignatureValue>
                        <ds:KeyInfo>
                            <ds:X509Data>
                                <ds:X509Certificate>
MIIC2DCCAcCgAwIBAgIGAYcwlcLAMA0GCSqGSIb3DQEBCwUAMC0xKzApBgNVBAMMInJ5YW4uaWRh
YXMtdGVzdC1hbHBoYS5iY2Nhc3RsZS5jb20wHhcNMjMwMzMwMDMzMzUzWhcNMzMwMzMwMDMzNTMz
WjAtMSswKQYDVQQDDCJyeWFuLmlkYWFzLXRlc3QtYWxwaGEuYmNjYXN0bGUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkVsNRWM+UPDQcHz2VdaTJn22v21TFLkRBqOcQmQJhlBg
1tUgL5zbxO/4OyGDsraTY4e+vjPKcfmJpM/KvNOpjz7HY9EZelW+AWeTFzjg6X5SZMgK8r2hFUXo
vz2V/vBehtqFDJ9TyjyX1WJHMFjixzwkPhSKwCFlfFc0oJaBdAzKh2/MvH6H7K59zFbQd4ylCzXh
R/jFchOuc50EKlTd6wYKW+7xTHVJGe85HkMrOnnKbaJdK0oJH8zNTa3HUlesGRQAj06/EaPCmMiH
336UsEK81dlPSpTiSOJgskBfOb8nwneBs+HCzoRW22CDOxrToVFdv5VRUjerl3FDd89vQwIDAQAB
MA0GCSqGSIb3DQEBCwUAA4IBAQBwk9A3nl4224VMp+aTnDts8z/kQRkxkSFcxWv6MF34wA3pqmCa
3GgBadyhk10goWD8VZKdgYwdjhjyGiMMs+ogYC1YCTkMMlULo4745hINmUtJ//tSMCAj7muirFqG
bD7+m+Ebe3hVmZYD5gEJYuYG7Z4EWEkGNa3WM+oXJvvGtrIpi4AtedZLY5fCsgka9i3CMIFJ2nLm
QzlaClhFxYatvRib3fKQTgb3cq0LLCJQxNJ81miwLHY9QqvXpTRrrQVx7ahyHfxHBRY3gs5NOZKY
jlkT6waMpKiCiqug9lywWjm/erpFaM6VeylqZsmXUN4jnaSNcyDV5pl36MCL92hg
</ds:X509Certificate>
                            </ds:X509Data>
                        </ds:KeyInfo>
                    </ds:Signature>
                </saml:Assertion>
            </wst:RequestedSecurityToken>
            <wst:RequestedAttachedReference>
                <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                    <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3435e7b2-b341-4ff7-9bb2-be89df9245b1</o:KeyIdentifier>
                </o:SecurityTokenReference>
            </wst:RequestedAttachedReference>
            <wst:RequestedUnattachedReference>
                <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                    <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3435e7b2-b341-4ff7-9bb2-be89df9245b1</o:KeyIdentifier>
                </o:SecurityTokenReference>
            </wst:RequestedUnattachedReference>
            <wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
            <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
            <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
        </wst:RequestSecurityTokenResponse>
    </s:Body>
</s:Envelope>

错误返回示例

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <env:Header/>
    <env:Body>
        <env:Fault>
            <env:Code>
                <env:Value>env:Receiver</env:Value>
                <env:Subcode>
                    <env:Value xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:FailedAuthentication</env:Value>
                </env:Subcode>
            </env:Code>
            <env:Reason>
                <env:Text xml:lang="en">User is not found</env:Text>
            </env:Reason>
        </env:Fault>
    </env:Body>
</env:Envelope>