简体繁体 English

SAML2 SSO断言使用者

[英]SAML2 SSO Assertion Consumer

原文 2013-02-18 18:06:30 7 4 java/ single-sign-on/ saml-2.0/ openam/ shibboleth

I have a customer who wants to implement SSO using SAML2 assertion based approach. 我有一个客户想要使用基于SAML2断言的方法来实现SSO。 The customer will be the Identity Provider (IDP) and my application will effectively be the Service Provider (SP). 客户将是身份提供商（IDP），而我的应用程序将实际上是服务提供商（SP）。

In the past I've implemented SSO solutions where the IDP was Oracle Access Manager and therefore we were provided with the idp.xml file which allowed us to configure our SP environment using the supplied Fedlet. 过去，我已经实现了IDP为Oracle Access Manager的SSO解决方案，因此为我们提供了idp.xml文件，该文件允许我们使用提供的Fedlet配置SP环境。 This conveniently created a relevant WAR file which, when deployed, allowed me to distribute the sp.xml file to the customer who imported it into their IDP. 这很方便地创建了一个相关的WAR文件，该文件在部署后使我可以将sp.xml文件分发给将其导入其IDP的客户。 This all worked fine and I understand the concepts ie We receive the initial request, the fedlet handles this and takes the user to the IDP where they authenticate, then they're passed back to our SP with a SAML response which the Fedlet allows us to parse and extract some data identifying the user. 一切都很好，我理解了概念，即我们收到了初始请求，Fedlet处理了此请求并将用户带到他们进行身份验证的IDP，然后将它们通过SAML响应传递回我们的SP，Fedlet允许我们解析并提取一些标识用户的数据。 I then do what's required to sign them into our application. 然后，我执行将它们签名到我们的应用程序中所需的操作。

However the current requirement is not using any backend framework to provide the IDP, they've stated that it's custom built one. 但是，当前的要求是不使用任何后端框架来提供IDP，他们表示这是定制构建的。 They've given me the IDP URL and a cert file and are asking for our "AssertionConsumerServiceURL" and "AudienceURI". 他们给了我IDP URL和一个证书文件，并要求我们提供“ AssertionConsumerServiceURL”和“ AudienceURI”。

The application which I'm enabling SSO for is largely Java based. 我为SSO启用的应用程序很大程度上基于Java。 My investigation so far has led me to Forgerock's OpenAM solution as well as Shibboleth's OpenSAML. 到目前为止，我的调查使我开始使用Forgerock的OpenAM解决方案以及Shibboleth的OpenSAML。 However I'm struggling with the first step, essentially where do what I start building a custom SP application connecting to a third party IDP using OpenAM/Shibboleth/AnotherFramework. 但是，我在第一步中苦苦挣扎，从本质上讲，我在哪里开始使用OpenAM / Shibboleth / AnotherFramework构建连接到第三方IDP的自定义SP应用程序。

Any pointers would be very useful. 任何指针将非常有用。

Thanks, Lee 谢谢李

4 个解决方案

Depends on what what you requirements are. 取决于您的要求。 OpenAM feldlet or Shibboleth i probably the best approach since you don't have to do so much coding on your own. OpenAM feldlet或Shibboleth可能是最好的方法，因为您不必自己做太多的编码。

OpenSAML is a very low level toolkit for handling SAML messages. OpenSAML是用于处理SAML消息的非常底层的工具包。 I would not recommend it if, not really needed. 如果不需要，我不建议这样做。

As for the things they are asking for, the AssertionConsumerServiceURL is the service endpoint where you recieve your SSO SAML messages. 至于他们要的东西，AssertionConsumerServiceURL是您接收SSO SAML消息的服务端点。

Defenition of AudienceURI is quite gray. AudienceURI的定义非常灰色。 Basically you send them an identifier, they include this in their messages and you validate that identifier is the same you gave them. 基本上，您向他们发送一个标识符，他们在其消息中包含该标识符，并确认该标识符与您给他们的标识符相同。 I my self do not understand the difference between this and Destination... 我自己不明白这和Destination之间的区别...

I'm a bit surprised that they ask you for this. 我为他们要求您而感到惊讶。 The standard way to do this first exchange of information is by SAML metadata documents. 进行第一次信息交换的标准方法是使用SAML元数据文档。

As you may know OpenAM also provides the FedLet, which is a lightweight SAML2.0 SP implementation. 如您所知，OpenAM还提供了FedLet，它是轻量级的SAML2.0 SP实现。 If you want to do it all yourself you have to build an SAML2.0 SP yourself. 如果您想自己做所有事情，则必须自己构建SAML2.0 SP。

If you want to mess around with Spring you could also use Spring Security SAML2 extension ..' http://static.springsource.org/spring-security/site/extensions/saml/index.html ' 如果您想弄乱Spring，还可以使用Spring Security SAML2扩展..' http: //static.springsource.org/spring-security/site/extensions/saml/index.html'

Why roll out those heavy SAML solutions? 为什么要推出那些繁琐的SAML解决方案？ Have you taken a look at PingOne APS (Application Provider Services) or PingFederate from Ping Identity? 您是否从Ping Identity看过PingOne APS（应用程序提供商服务）或PingFederate？ You can implement APS in less than a day and you first customer config is free. 您可以在不到一天的时间内实施APS，并且第一个客户配置是免费的。 Includes dashboard reporting, IDP self service functionality for config and a dead simple REST API integration for your application. 包括仪表板报告，用于配置的IDP自助服务功能以及针对您的应用程序的简单REST API集成。 [Note: I work for Ping.] [注意：我为Ping工作。]

You can setup the Spring Security SAML Extension. 您可以设置Spring Security SAML扩展。 The extension creates an AssertionConsumerServiceURL and if they want to access your metadata just as you are accessing theirs, they would just need to go to www.yourwebsite.com/saml/metadata and your SP metadata will be downloaded by them. 该扩展创建了一个AssertionConsumerServiceURL，如果他们想像访问您的元数据一样访问您的元数据，则只需访问www.yourwebsite.com/saml/metadata，他们的SP元数据将被下载。