How to become a SAML Service Provider
My company currently develops a Java web application. A couple of our clients have internal SAML servers (identity providers?) and have requested that we integrate with them. So recently I've been reading up on it and playing around with OpenAM. After about 3 days of this, I have a general understanding of it, but there are still some gaps in my knowledge. My hope is that someone can clear this up for me.
So here's how I imagine the workflow of a user logging in.
Let's define our customer's SAML server as https://their.samlserver.com. So a user comes to our web application for a resource that's protected. Let's say that URL is http://my.app.com/something.
So if I'm correct, my.app.com is what SAML defines as a Service Provider. Our application realizes that this user needs to log in. We then present a page like this to the user...
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
  // auto-submit the SAMLRequest form as soon as the DOM is ready
  $(function () { $("#saml-request").submit(); });
</script>
<form id="saml-request" method="post" action="https://their.samlserver.com/Post/Servlet">
<input type="hidden" name="SAMLRequest" value="someBase64Data" />
<input type="submit" value="Submit" />
</form>
And that someBase64Data should be the base64-encoded version of this...
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="identifier_1"
Version="2.0"
IssueInstant="2004-12-05T09:21:59Z"
AssertionConsumerServiceIndex="0">
<saml:Issuer>http://my.app.com</saml:Issuer>
<samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
So my first couple questions.
What is the ID value supposed to be?
And why can I declare myself as an Issuer?
Does the Identity Provider know about me? Maybe this is that Circle of trust I've been seeing on OpenAM. And if it does know about me, how does it know about me and what does it need to know?
So after the user is forwarded that page, they are taken to a page provided by the IDP at https://their.samlserver.com. They authenticate on that page and the IDP does its magic to validate the authentication and look up the user. After the authentication is successful, the IDP sends back a <samlp:Response> defined here.
A few more questions.
First, how does the <samlp:Response> get back to my web application so I can check it?
And what should I be looking for in that response to validate that it was successful? What does a failure look like?
We currently use the email address (LDAP) to identify users, so we'll probably grab that from the response and use that in the same way we do now. Anything else I should be mindful of in that response?
So now that we've checked that response for validity, we can grant the user a session like we do currently. But when they want to log out, is there a workflow for that? Do I have to notify the IDP that the user has left?
And finally, there are a couple of topics that have been thrown around in my reading and I'm not sure how they fit into this workflow. They are Circle of trust, Tokens, and Artifacts.
Thanks for any help everyone. I've found a lot of information in the last couple of days, and it's possible that I could piece them together after a bit more playing. But I have yet to find a straightforward "Here's the Post" workflow article. Maybe that's because I'm wrong on how this works. Maybe it's because this isn't that popular. But I really wanted to make sure that I got the workflow so I didn't miss a crucial step in something as important as user authentication.
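As an added example (not code from the original post, from OpenAM, or from any SAML library), here is how a service provider can build the AuthnRequest shown in the question and hand it to the browser for the HTTP-POST binding, written in Python with only the standard library. It answers the ID question (a unique xs:ID that the SP remembers so the Response's InResponseTo can be matched later), puts the SP's own entity ID in Issuer, and base64-encodes the XML into the SAMLRequest field of a self-submitting form. The entity ID http://my.app.com and the IdP endpoint https://their.samlserver.com/Post/Servlet are the question's values; the ACS URL http://my.app.com/saml/acs, the in-memory request-ID store and every function name are assumptions. The request is left unsigned; whether the IdP requires signed AuthnRequests is part of the SP/IdP metadata exchange and is handled by a SAML library.

```python
# Added example (not from the original post): build a SAML 2.0 AuthnRequest and
# wrap it for the HTTP-POST binding. The entity ID and IdP endpoint are the
# question's values; the ACS URL, the ID store and all function names are assumed.
import base64
import html
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

SP_ENTITY_ID = "http://my.app.com"                          # goes into <saml:Issuer>
IDP_SSO_URL = "https://their.samlserver.com/Post/Servlet"   # IdP single sign-on endpoint
ACS_URL = "http://my.app.com/saml/acs"                      # assumed: where the IdP posts the Response
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAMPLE_INSTANT = datetime(2004, 12, 5, 9, 21, 59, tzinfo=timezone.utc)  # the question's IssueInstant

# Assumed server-side store of request IDs we issued, so that a Response whose
# InResponseTo we never sent can be rejected. In production use a cache with a TTL.
pending_request_ids = set()


def new_request_id():
    """ID is an XML xs:ID (an NCName): unique per request and not allowed to start
    with a digit, hence the leading underscore in front of the random UUID."""
    return "_" + uuid.uuid4().hex


def build_authn_request(request_id, issue_instant):
    """Serialize the AuthnRequest; the element layout mirrors the question's example."""
    root = ET.Element("{%s}AuthnRequest" % NS_SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        # Naming the ACS URL and binding explicitly (instead of AssertionConsumerServiceIndex)
        # lets the IdP compare it against the SP metadata it holds for us.
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(root, "{%s}Issuer" % NS_SAML).text = SP_ENTITY_ID
    ET.SubElement(root, "{%s}NameIDPolicy" % NS_SAMLP, {
        "AllowCreate": "true",
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    })
    return ET.tostring(root, encoding="unicode")


def encode_for_post_binding(xml):
    """HTTP-POST binding: plain base64 of the XML. (Only the HTTP-Redirect binding
    DEFLATE-compresses before base64 and URL-encodes the result into the query string.)"""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_binding(value):
    """Inverse of encode_for_post_binding, as the IdP applies it on receipt."""
    return base64.b64decode(value).decode("utf-8")


def render_post_form(encoded_request):
    """The self-submitting form from the question, with the field value HTML-escaped."""
    return (
        '<form method="post" action="%s">\n' % html.escape(IDP_SSO_URL)
        + '  <input type="hidden" name="SAMLRequest" value="%s" />\n' % html.escape(encoded_request)
        + '  <noscript><input type="submit" value="Continue" /></noscript>\n'
        + "</form>\n"
        + "<script>document.forms[0].submit();</script>"
    )


def start_login(now=None):
    """Issue a new request, remember its ID, and return (request_id, html_page_body)."""
    request_id = new_request_id()
    pending_request_ids.add(request_id)
    xml = build_authn_request(request_id, now or datetime.now(timezone.utc))
    return request_id, render_post_form(encode_for_post_binding(xml))


if __name__ == "__main__":
    rid, page = start_login()
    print(rid)
    print(page)
```

start_login is what the "user needs to log in" branch of the application would call: it returns the page body to send to the browser and the request ID to keep alongside the user's pre-login session for the InResponseTo check when the Response arrives.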
Comments (2)
In response to your specific questions:
1.) What is the "ID" value supposed to be?
2.) How does the IdP know about you?
3.) Where does the Response go, and what to check?
4.) What about Logout?
So in short - this can be quite complex to implement from scratch. It's best to use tried & true libraries and/or products like Ian suggests. Companies like his have invested hundreds of hours of developer time to implement according to the spec and test interoperability with other vendors.
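As an added example (not code from the original post, from this answer, or from any SAML library), here are the checks behind point 3 above, "where does the Response go, and what to check", together with the question's "what does a failure look like" and "grab the email address from the response", written in Python over two constructed, unsigned responses: one successful and one in which the IdP reports AuthnFailed. The browser POSTs the Response to the SP's AssertionConsumerService URL (assumed here to be http://my.app.com/saml/acs); the IdP entity ID https://their.samlserver.com and SP entity ID http://my.app.com are the question's own values. The example assumes that XML-Signature verification of the Response or Assertion against the IdP certificate from its metadata has already been done by a library; without that step none of the fields checked below can be trusted.

```python
# Added example (not from the original post, the answers, or any SAML library):
# the checks a service provider applies to a samlp:Response after the browser has
# POSTed it to the SP's AssertionConsumerService URL. Both documents below are
# constructed and unsigned; XML-Signature verification against the IdP's metadata
# certificate is assumed to have been done by a library first and is not shown.
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(seconds=60)              # tolerance for IdP/SP clock drift
IDP_ENTITY_ID = "https://their.samlserver.com"  # the question's IdP
SP_ENTITY_ID = "http://my.app.com"              # the question's SP (its <saml:Issuer>)
ACS_URL = "http://my.app.com/saml/acs"          # assumed SP ACS endpoint

# Constructed successful response: transient NameID plus a "mail" attribute.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-15T10:00:05Z" Destination="http://my.app.com/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://their.samlserver.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:05Z">
    <saml:Issuer>https://their.samlserver.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t0k3n</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://my.app.com/saml/acs" InResponseTo="_req1"
          NotOnOrAfter="2024-01-15T10:05:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:05Z" NotOnOrAfter="2024-01-15T10:05:05Z">
      <saml:AudienceRestriction><saml:Audience>http://my.app.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed failure: same header, a Responder/AuthnFailed status, and no Assertion.
FAILURE_RESPONSE = SUCCESS_RESPONSE.split("<samlp:Status>")[0] + """<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User authentication failed</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def parse_instant(value):
    # SAML timestamps are UTC xs:dateTime values ending in "Z"; fractional seconds are dropped.
    return datetime.strptime(value.rstrip("Z").split(".", 1)[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml, now, expected_request_id="_req1", idp_entity_id=IDP_ENTITY_ID,
                      sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return {'ok', 'status', 'name_id', 'email', 'errors'}; ok is True only with no errors.
    now is the SP's own clock, as a datetime or an ISO string like the SAML timestamps."""
    now = parse_instant(now) if isinstance(now, str) else now
    errors = []
    out = {"ok": False, "status": None, "name_id": None, "email": None, "errors": errors}

    def need(ok, msg):  # record a failed check without aborting, so every problem is reported
        if not ok:
            errors.append(msg)

    root = ET.fromstring(xml)
    # 1. Status: anything other than Success is a failure; the nested StatusCode says why.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    out["status"] = code.get("Value") if code is not None else None
    if out["status"] != STATUS_SUCCESS:
        sub = code.find("samlp:StatusCode", NS) if code is not None else None
        detail = sub.get("Value") if sub is not None else "no detail"
        errors.append("IdP status %s (%s): %s" % (out["status"], detail,
                      root.findtext("samlp:Status/samlp:StatusMessage", "", NS)))
        return out
    # 2. It must answer a request we issued, be addressed to our ACS URL, and come
    #    from the IdP we federated with (checked on both the Response and the Assertion).
    need(root.get("InResponseTo") == expected_request_id, "InResponseTo does not match an AuthnRequest ID we issued")
    need(root.get("Destination") == acs_url, "Destination is not our ACS URL")
    need(root.findtext("saml:Issuer", None, NS) == idp_entity_id, "Response Issuer is not the expected IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("no Assertion (an EncryptedAssertion must be decrypted first)")
        return out
    need(assertion.findtext("saml:Issuer", None, NS) == idp_entity_id, "Assertion Issuer is not the expected IdP")
    # 3. Validity window (with skew) and audience: the assertion is for us, and for now.
    cond = assertion.find("saml:Conditions", NS)
    need(cond is not None, "Assertion has no Conditions")
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        need(not nb or now >= parse_instant(nb) - CLOCK_SKEW, "Assertion not yet valid (NotBefore)")
        need(not noa or now < parse_instant(noa) + CLOCK_SKEW, "Assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        need(sp_entity_id in audiences, "Audience does not include our entity ID")
    # 4. Bearer confirmation: recipient, binding to our request, and its own expiry.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    need(scd is not None, "no SubjectConfirmationData")
    if scd is not None:
        need(scd.get("Recipient") == acs_url, "SubjectConfirmationData Recipient is not our ACS URL")
        need(scd.get("InResponseTo") == expected_request_id, "SubjectConfirmationData InResponseTo mismatch")
        noa = scd.get("NotOnOrAfter")
        need(not noa or now < parse_instant(noa) + CLOCK_SKEW, "SubjectConfirmationData expired")
    # 5. Identity: the NameID, plus the e-mail attribute the question wants to map onto LDAP.
    out["name_id"] = assertion.findtext("saml:Subject/saml:NameID", None, NS)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in ("mail", "email", "urn:oid:0.9.2342.19200300.100.1.3"):
            out["email"] = attr.findtext("saml:AttributeValue", None, NS)
    out["ok"] = not errors
    return out
```

Two design points worth noting. The checks never stop at the first problem (except where there is nothing further to inspect), so the log entry written at the ACS URL lists every reason a response was refused, which is what an operator needs when an IdP's clock or metadata drifts. And the request ID is consumed by comparison rather than looked up in a global set here: in the SP, the ID stored with the user's pre-login session is passed in as expected_request_id and discarded once a response for it has been processed, so the same Response cannot be accepted twice.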
If you're just trying to set a single Java application up as a Service Provider, you should consider using a Fedlet from either Oracle (as a standalone) or ForgeRock (bundled with OpenAM). The ForgeRock Fedlet has some issues interacting with Shibboleth 2.2.1 as an Identity Provider, but I find it to be somewhat simpler to configure and more informative.
Each has explicit instructions contained in the README to help you deploy. Once the Fedlet is configured and communicating with the IDP, the success page shows you all the code you need to integrate federated SSO into your application. It does the background work of sending and receiving AuthnRequests and Responses.
Scott's answer responds quite well to the questions you had, but I think that trying to write code on your own that generates the SAML is reinventing the wheel. The Fedlet was designed with precisely this use case in mind.