Using SAML2 with axis2 web services
Is there any way that I can use SAML to authenticate (SSO) to an IdP using an axis2 web service?
Comments (2)
SAML WebBrowser SSO Profile is used to convey an authentication assertion FROM an IdP (identity provider) TO an SP (service provider), which may result in authentication occurring at the SP. SAML SSO isn't used to perform authentication to an IdP. An SP can send an authentication request (AuthnRequest) to an IdP, but that's simply a request, not the authentication itself. The SAML SSO profile allows for AuthnRequest over HTTP (Redirect/POST/Artifact) and Response (the authentication assertion from the IdP) over HTTP (POST/Artifact). If the IdP supports/uses HTTP Artifact, then the authentication assertions would be obtained by calling a web service at the IdP, rather than being conveyed directly in the response XML.
Perhaps you should look at the Enhanced Client or Proxy (ECP) profile, which uses Reverse SOAP (PAOS). This certainly would be possible with Axis2, although to be clear, the web service itself would live at the IdP.
Which end are you implementing, IdP or SP?
You could try using the SAML library OpenSAML (http://www.opensaml.org/) to generate your AuthnRequest and process the response sent by the IdP.