为了实施 SAML,我是否需要在我的主机上安装 Shibboleth SP?
我有几个 SAML 实现问题来消除我的困惑......
我需要在 java web 应用程序中实现 SSO。
为此,我需要在主机上安装 Shibboleth SP 像这样,或者我可以通过 OpenSAML 提供 SP 功能吗?
我假设 shibboleth 的功能与 OpenSAML 相同,但只是在网络服务器级别上执行,而 OpenSAML 将在软件方面执行此操作。这个假设正确吗?
编辑: 所以 shibboleth (根据 Scott Cantor 的说法)是用 OpenSAML 构建的...... 我的假设仍然成立吗?
使用 OpenSAML 需要什么?只需 IdP URL 和 idP 注册?
我是否需要提供 SP 目录,例如 ActiveDirectory/LDAP?
编辑:感谢您的回答,但是有人可以直接回答问题吗 上面并详细说明了它们...
I got a couple of SAML implementation questions to clear up my confusion ...
I need to implement SSO in a java web app.
In order to do so, do I need Shibboleth SP installed on my host like so, or can I provide the SP functionality via OpenSAML?
I am assuming that shibboleth is doing the same as OpenSAML but just on a webserver level, whereas OpenSAML will do it on the software side. Is that assumption correct?
EDIT: So shibboleth (according to Scott Cantor) is build with OpenSAML ...
does my assumption still hold though?
What will be needed to use OpenSAML? Just the IdP url and a registration with the idP?
Do I need to provide an SP directory, e.g. ActiveDirectory/LDAP?
EDIT: Thanks for the answers, but can someone directly answer the questions
above and elaborate on them ...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
用于解决您的编辑问题的更新:
以下是您可以使用的一些 SAML 2 选项。
Shibboleth SP 是一款为您实现 SAML 2.0 的产品,但 OpenSAML 只是一个库,您可以使用它实现 SAML 2.0 解决方案。该库本身是低级的,甚至离 SSO 解决方案还很远。 OpenSAML 本身并不是 SAML 2.0 解决方案。
要使用 OpenSAML 或任何 SAML 2.0 解决方案,您需要交换元数据,如下所述。使用 OpenSAML,您还必须为自己的元数据手动生成 XML 文件。如下所述,这将是大量工作。 SAML 2.0 产品将为您生成 XML 元数据文件,并生成用于加密和签署 SAML 2.0 断言所需的 RSA 密钥。借助 OpenSAML,您将获得用于加载部分 XML 文件的 API 支持以及用于生成和解析断言的 API,但您将编写实际构建 SSO 交互的 Java 代码。
SP 不一定需要 ActiveDirectory/LDAP,但您的 Web 应用程序中需要某种类型的目录来跟踪用户。如果您的 Web 应用程序已经具有用户概念,并具有一些标识信息,您可以使用这些信息将它们与 IdP 的用户概念相关联,那么您只需根据 SAML 2.0 断言中的属性值将这些信息映射到您的 Web 应用程序中。 (如果您的 Web 应用程序不关心用户是谁,那么您只需根据用户是否“有效”来允许访问该应用程序即可。)
--
将 Shibboleth2 SSO 与 Java Web 应用程序集成并不太困难。使用 OpenSAML 来实现 SSO 是可行的,但这比将 Apache 服务器与 Shibboleth 集成要花费更多的精力。
使用 Shibboleth 要求您拥有启用了 Shibboleth 模块的 Apache2,并且安装了 Shibboleth SP 守护程序。通常,它们会放在同一个盒子上。如果您使用 Tomcat 托管 Java Web 应用程序,那么我建议您使用 mod_proxy_ajp 在 Apache2 HTTP 服务器和 Tomcat 之间进行通信。这样您就可以选取 Shibolleth 提供的变量作为 servlet 请求属性。 (您必须在 shibboleth2.xml 中将变量前缀设置为“AJP_”。)
Shibboleth SP 包已经处理了您可能遇到的所有标准 SAML SSO 场景,但尝试直接在您的应用程序中使用 OpenSAML 实现其中一种场景。 Java 应用程序的运行和安全都充满了危险。如果您使用 OpenSAML,您还会增加 Web 应用程序的大小。值得注意的是,Shibboleth SP 不是用 Java 编写的,因此您不会有使用 OpenSAML 的示例,但您可能能够通过查看 Shibboleth IdP 代码(这是一个 Java Web 应用程序)获得一些见解。
无论哪种情况,您都需要与身份提供商交换 SP 元数据(使用 Shibboleth SP 包轻松创建),并在 SP 上获取身份提供商的元数据(使用 Shibboleth SP 包也很容易,因为您只需设置一个元数据提供者)。
一旦您习惯使用 Shibboleth 在线文档,它将为您提供很多帮助。
我认为,如果您可以使用 Shibboleth SP 包而不是使用 OpenSAML 库实现 SAML 2 SSO 解决方案,您将有更大的成功机会。我无法谈论其他全 Java SAML 2 SSO 解决方案,但与简单的 Shibboleth 2 SP 相比,它们看起来都很大且过于企业化。
Updates to address your edits:
Here are some SAML 2 options you can use.
Shibboleth SP is a product that implements SAML 2.0 for you, but OpenSAML is just a library with which you could implement a SAML 2.0 solution. The library itself is low-level, and is not even close to being an SSO solution. OpenSAML is not a SAML 2.0 solution by itself.
To use OpenSAML or any SAML 2.0 solution, you will need to exchange metadata as noted below. With OpenSAML you'll have to hand-generate an XML file for your own MetaData, too. It will be a lot of work as noted below. SAML 2.0 products will generate that XML MetaData file for you and also generate the required RSA keys used for encryption and signing of the SAML 2.0 Assertions. With OpenSAML, you'll have API support for loading parts of the XML files and APIs for generating and parsing your Assertions, but you'll be writing the Java code that actually builds the SSO interaction.
The SP does not necessarily need ActiveDirectory/LDAP, but you will need some type of directory in your web application that keeps track of users. If your web application already has a notion of users with some identifying information that you can use to correlate them with the IdP's notion of users, you can just map those in your web application based on Attribute values in your SAML 2.0 Assertions. (If your web application doesn't care who the users are, then you can simply allow access to the application based on the user being "valid".)
--
Integrating Shibboleth2 SSO with a Java web application is not too difficult. Using OpenSAML to implement the SSO would work, but it would be a lot more effort than integrating an Apache server with Shibboleth.
Using Shibboleth requires that you have Apache2 with the Shibboleth module enabled and that you have the Shibboleth SP daemon installed. Typically, those would be together on the same box. If you're using Tomcat to host the Java web application, then I recommend that you use mod_proxy_ajp to communicate between the Apache2 HTTP server and Tomcat. That way you can pick up the Shibolleth-provided variables as servlet Request attributes. (You have to set the variable prefix to "AJP_" in shibboleth2.xml.)
The Shibboleth SP package already handles all of the standard SAML SSO scenarios you can expect to encounter, but trying to implement even one of those with OpenSAML directly in your Java application is fraught with peril both from getting it to work and also from making it secure. You'll also increase the size of your web app if you use OpenSAML. It's worth noting that the Shibboleth SP is not written in Java, so you will not have examples of using OpenSAML for that, but you might be able to gain some insight by looking at the Shibboleth IdP code, which is a Java web app.
In either case, you'll need to exchange your SP metadata (easily created with the Shibboleth SP package) with your Identity Provider and also get the Identity Provider's metadata on your SP (also easy with the Shibboleth SP package as you simply set up a MetadataProvider).
The Shibboleth documentation online will help you a lot once you get used to using it.
I think you'll have much greater chances of success if you can use the Shibboleth SP package rather than implement a SAML 2 SSO solution with the OpenSAML libraries. I can't speak to the other all-Java SAML 2 SSO solutions, but they all seem big and overly enterprisey compared to a simple Shibboleth 2 SP.
您需要 Java 和 Web 容器,并在您的 war 中包含 opensaml 库。
您需要在本地缓存 IdP 元数据,或者每次要发送 AuthnRequest 或处理 SAMLResponse 时查找它。此外,您还必须在 IdP 端注册 SP 元数据。
如果您使用 Shibboleth 作为 IdP,则应在 conf/relying-party.xml 文件中设置 SP 元数据。
为了登录IdP,您需要在IdP端设置ldap或数据库服务器,并在conf/attribute-resolver.xml和conf/login.config中进行配置。
You need Java and a web container, and include opensaml library in you war.
You need to cache IdP metadata locally or look it up each time when you want to send AuthnRequest or process SAMLResponse. Also you have to register your SP metadata on IdP side.
If you are using Shibboleth as your IdP, the SP metadata should be setup in conf/relying-party.xml file.
In order to login in IdP, you need to set up ldap or database server on IdP side and config it in conf/attribute-resolver.xml and conf/login.config.
您应该将此类问题发布到 Shibboleth 项目运行的相关邮件列表。
OpenSAML 是一个用于实现 SAML 解决方案的非常低级别的工具包,Shibboleth 是一个 SSO 包,用于支持 SAML 的 Web 应用程序,而该应用程序恰好是使用 OpenSAML 构建的。构建安全解决方案非常复杂,需要专业知识。如果您不具备这种专业知识,您就会做得很糟糕,并且 OpenSAML 没有文档记录,因此典型的开发人员可以从头开始构建解决方案。
考虑使用完整的实现,无论是 Shibboleth 还是其他。如果您无法忍受 Apache 和本机代码并且需要 Java,那么您应该尝试现有的 Java SP 选项之一。即使它们不够充分,你也应该以它们为基础,而不是重复它们。
You should post such questions to the relevant mailing lists run by the Shibboleth Project.
OpenSAML is a very low level toolkit for implementing SAML solutions, Shibboleth is a SSO package for web applications supporting SAML that happens to be built with OpenSAML. Building security solutions is complex and requires expertise. If you don't have that expertise, you'll do a bad job of it, and OpenSAML is not documented such that a typical developer could build a solution from scratch.
Consider using a complete implementation, whether it's Shibboleth or something else. If you can't live with Apache and native code and need Java, then you should try one of the extant Java SP options that exist. Even if they were inadequate, you should build on them and not duplicate them.
是的,您应该在您的服务器或计算机上安装 SP。这取决于您的网络服务器,例如 IIS 或 Apache。
Yes, you should install SP in your server or your machine. And it would depend on your webserver, such as IIS or Apache.