Fedlet service provider and CA Siteminder identity provider
Has anyone used Fedlet as their service provider and CA Siteminder as their identity provider? Our client is using CA Siteminder Federation Security Services and we need to configure our end to be a service provider that can accept SAMLv2 assertions with attribute mapping. Is IDP-initiated SSO possible with this setup?
I was only able to make Fedlet work with an OpenSSO identity provider, but not with CA Siteminder. The client only gave the IDP and SP IDs to use, their metadata, protocol and binding standard, and nothing else. I gave them our Assertion Consumer Service URL (which I got from the sp.xml in our Fedlet conf) and the relay state URL where we will redirect the user upon successful login on their side.
Or do you recommend a different technology to use as a service provider for the CA siteminder IDP?
Please advise.
The Fedlet is pretty bare bones and was designed by Sun (now Oracle) to work with OpenSSO as the IDP. While it is probably compliant to some degree, I would imagine that it may not be a full implementation of SAML 2.0 SP-Lite but a sub-set of that.
I'd check out PingFederate from PingIdentity if you are looking for a more robust option. We have dozens of SPs who are integrating with CA SM FSS as the IDP (and vice versa) using SAML 1.x and 2.0. It has a very light footprint, can support a multitude of development languages/platforms and can be setup and in Production extremely quickly.
HTH - IanB
If you already have a SiteMinder installation set up then SMFSS is the fastest, easiest and most robust solution, IMHO, but then I support it. I am able to get new customers up and running in less than a day for a SAML 2.0 POC when they already have a working SiteMinder architecture in place, and there are no known issues with OpenSSO. If you have a particular issue you should give a Fiddler trace with HTTPS decryption enabled and logs so we can assist. Also, the R12 SP3 or SM6 SMFSS docs have the chapter on what settings need to match, and the setting up the IDP and SP for SAML 2.0 chapters, which are step by step as long as you have the settings from the matching values chapter, which is the second to last chapter (the chapter number changes depending on the version of the docs).
You can also do Authorization on the SP side using the Attribute Authority we provide if your SP implements the Attribute Query SAML specification. In other words, if there was no attribute authority then you would need to store attributes on the SP side for use later. With that being said, if you used an SMFSS (SiteMinder Federation Security Services) SP you could use the Session Store on the SP side and store the assertion's attributes there at authentication time. Let me know if you have any more questions on this. The thing I like about SMFSS is you really get a good idea of what you're doing and can become quite proficient, where a lot of other products seem to use a lot of the MetaData to add stuff into their UIs, which IMHO results in people not really understanding the federation that they are setting up and administering.
I am wondering if IanB is my old co-worker Ian Barnett of Ping? If so hello!!!
Crissy Krueger Stone
SiteMinder Support est. 5/1/2000
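The original question asks for an SP that accepts SAMLv2 assertions with attribute mapping and a RelayState for IDP-initiated SSO, and the last answer describes storing the assertion's attributes in an SP-side session store at authentication time for later authorization. The following is an added example, not code from the thread, from Fedlet or from SiteMinder, showing the checks an SP should apply to an inbound assertion (issuer, audience, validity window, bearer Recipient against the ACS URL), the attribute mapping step, a RelayState allow-list, and a minimal session store. The assertion XML, entity IDs, ACS URL and attribute names are constructed placeholders, and it assumes the enclosing SAML Response's signature has already been verified against the IdP metadata certificate.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real SiteMinder or Fedlet output); the
# entity IDs, ACS URL and attribute names are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/siteminder</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.test/fedlet/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/fedlet</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cn"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# IdP attribute name -> local name; attributes not in the map are dropped
# rather than passed through to the application.
ATTRIBUTE_MAP = {"mail": "email", "cn": "display_name", "memberOf": "groups"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, acs_url, now):
    """Failures found in the assertion body (empty list = acceptable). Assumption:
    the Response signature was already verified against the IdP metadata cert."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if now < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience does not include this SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match our ACS URL")
    elif now >= parse_ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired")
    return problems

def map_attributes(xml_text, attribute_map):
    """Apply the attribute mapping; each mapped attribute becomes a list of values."""
    root = ET.fromstring(xml_text)
    mapped = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        local = attribute_map.get(attr.get("Name"))
        if local is not None:
            mapped[local] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return mapped

def safe_relay_state(relay_state, allowed_prefixes):
    """IdP-initiated SSO hands the SP a RelayState as the post-login target; only
    honour values under our own site so the ACS does not become an open redirector."""
    if relay_state and any(relay_state.startswith(p) for p in allowed_prefixes):
        return relay_state
    return allowed_prefixes[0]

class SessionStore:
    """SP-side store of mapped attributes, kept until the assertion's own expiry,
    so later authorization decisions need no Attribute Query back to the IdP."""
    def __init__(self):
        self._sessions = {}

    def put(self, session_id, attrs, expires_at):
        self._sessions[session_id] = (attrs, expires_at)

    def groups(self, session_id, now):
        attrs, expires_at = self._sessions.get(session_id, ({}, now))
        if now >= expires_at:
            self._sessions.pop(session_id, None)
            return []
        return attrs.get("groups", [])
```

At the ACS endpoint the SP would call `validate_assertion` with its own entity ID and ACS URL, reject the login if the list is non-empty, then `map_attributes` and `SessionStore.put` with the assertion's NotOnOrAfter before redirecting to `safe_relay_state(...)`. Rejecting on a Recipient or Audience mismatch is what stops an assertion issued for a different SP from being replayed against this one.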