I'm trying to figure out (if it's possible) how to integrate the JBoss GateIn Portal app with PicketLink-STS to generate a security token (i.e. SAML Assertion) that can be used to implement "Single Sign On" (thus talk to backside EJB services that require authentication).
There is decent documentation on how to configure JBoss 5.1 with EJB services and have them protected by PicketLink-STS for authentication with a security token (implemented via security domains and login config modules).
However, it's not clear how to get the JBoss 5.1/GateIn portal application to integrate with PicketLink-STS, so that the portlets can obtain a security token (for the logged-in user) that can then be passed to the backside EJB services that are validated against the PicketLink-STS for authentication.
Wonder if this is possible or a dead-end road.
I'm no expert on GateIn, but I'll show my results after some research.
First, I based this on version 3.4 of GateIn, which is the last one for JBoss 5.
To configure GateIn for SAML token-based authentication, SSO authentication must be enabled; the integration of GateIn with SAML2 uses the JBoss project PicketLink Federation.
SAML SSO authentication is based on a circle of trust between SP and IDP. This can be done by following the steps described in this link: Chapter 6. Authentication and Identity - SAML
The resources required can be downloaded from the following url:
The STS configuration is a part of the Identity Provider and can be edited as described in the following documentation: SecurityToken Service Configuration (PicketLinkSTS Element)
After you have completed all the steps to enable authentication based on SAML tokens (working correctly), you must add the following filter to GateIn (like SAML2LogoutFilter): this filter sets org.picketlink.identity.federation.core.wstrust.SamlCredential into org.jboss.security.client.SecurityClient, which enables propagating authentication from the SAML2 ticket into the underlying EJB or WS calls. See also:
I hope this helps.
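As an added illustration of the filter the answer describes (this is example code, not the answer author's filter and not code shipped by GateIn or PicketLink): a servlet filter that takes the logged-in user's SAML assertion from the HTTP session, wraps it in org.picketlink.identity.federation.core.wstrust.SamlCredential and pushes it into org.jboss.security.client.SecurityClient for the duration of the request, so that EJB or WS calls made by the portlets carry the SAML2 ticket. The session attribute name ("org.picketlink.sp.assertion") and the init-parameter name are assumptions; check what your PicketLink SP integration actually stores and make the name configurable in web.xml as shown. The SecurityClient calls used (getSecurityClient, setSimple, login, logout) are the standard JBoss 5 client-side security API.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.w3c.dom.Element;

/**
 * Example filter (not part of GateIn or PicketLink): propagates the SAML2
 * assertion of the logged-in portal user into the JBoss client security
 * context for exactly one request, then clears it again.
 *
 * Assumption: the SP side of PicketLink stored the assertion in the HTTP
 * session, either as a DOM Element or as its XML string, under the
 * attribute name configured below (default is an assumed value).
 */
public class SamlCredentialPropagationFilter implements Filter {

    // Assumed attribute name; override via the init-param in web.xml.
    private String assertionAttribute = "org.picketlink.sp.assertion";

    public void init(FilterConfig cfg) {
        String configured = cfg.getInitParameter("assertionSessionAttribute");
        if (configured != null && configured.length() > 0) {
            assertionAttribute = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpSession session = httpReq.getSession(false);
        Object assertion = (session == null) ? null : session.getAttribute(assertionAttribute);

        // No authenticated portal session or no assertion: do not propagate
        // anything; the backend EJB/WS security domain still enforces its own
        // authentication, so the call simply fails there.
        if (assertion == null || httpReq.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }

        SecurityClient client;
        try {
            client = SecurityClientFactory.getSecurityClient();
            SamlCredential credential = (assertion instanceof Element)
                    ? new SamlCredential((Element) assertion)
                    : new SamlCredential(assertion.toString());
            // Principal name plus the SAML assertion as the credential; the
            // backend's login module validates the assertion against the STS.
            client.setSimple(httpReq.getUserPrincipal().getName(), credential);
            client.login();
        } catch (Exception e) {
            throw new ServletException("Could not propagate SAML credential", e);
        }

        try {
            chain.doFilter(req, res);
        } finally {
            // The client security context is thread-bound. Always clear it so a
            // pooled request thread cannot carry this user's token into the next
            // request served on the same thread.
            client.logout();
        }
    }

    public void destroy() {
    }
}
```

Register it in the portal web application's web.xml with a <filter> element whose init-param "assertionSessionAttribute" names the attribute your SP configuration actually uses, and map it after the PicketLink SP filters so the assertion is already in the session when it runs. The logout in the finally block is the part worth keeping even if the rest changes: without it, a failed request can leave one user's credential bound to a worker thread that later serves a different user.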