如何将openam配置为身份提供程序(IdP)以测试基于SAML的SSO
[英]how to Configure openam as Identity provider(IdP) to test SAML based SSO
问题描述
I am trying to configure openam as Identity provider to test my SAML based service provider application. 
我正在尝试将openam配置为身份提供程序来测试我的基于SAML的服务提供程序应用程序。
I have searched a lot and saw documentation of openam. 我搜索了很多,看到了openam的文档。 There are lots of thing supported by openam which probably I do not need at this moment. openam支持很多东西,这可能是我现在不需要的东西。 I don't wish to read whole documentation which will take lot of time reading things I do not want to test right now. 我不想阅读整篇文档,这些文档需要花费大量时间阅读我现在不想测试的内容。 I even saw chatpet 9 "Managing SAML 2.0 SSO" at http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index/index.html But it requires lot of things to be configured before this. 我甚至在http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index/index.html上看到了聊天9“管理SAML 2.0 SSO”但是在此之前需要配置很多东西。 。
Is there any quick start guide to test it as saml based IdP? 有没有快速入门指南来测试它作为基于saml的IdP?
EDIT 编辑
Not a quick, detailed is also fine. 不是很快,详细也很好。 But I want OpenAm as Identity provider. 但我希望OpenAm成为身份提供者。 SP is an application hosted on Jetty which we have developed. SP是我们开发的Jetty上托管的应用程序。 Also tell me what changed do I have to make on SP like what urls of application should respond with what. 还要告诉我,我必须在SP上做些什么改变,比如应用程序的URL应该响应什么。
2 个解决方案
解决方案1
3 已采纳 2013-04-24 21:40:53
There is no one-fits-all answer to your question really. 你的问题确实没有一个通俗的答案。 Setting up SAMLv2 Federation largely depends on the actual SP implementation, some SPs can work with SAML metadata, some don't.. The simplest way to set up federation between two OpenAM instances for reference would be something like: 设置SAMLv2联合在很大程度上取决于实际的SP实现,一些SP可以使用SAML元数据,有些则不能。在两个OpenAM实例之间设置联合以供参考的最简单方法是:
- Create Hosted IdP wizard on node1 在node1上创建Hosted IdP向导
- Create Hosted SP wizard on node2 在node2上创建托管SP向导
- On both nodes remove the persistent NameID-Format, so both will have transient at the top of the list 在两个节点上删除持久性NameID-Format,因此两者都将在列表顶部具有瞬态
- Register Remote SP wizard on node1, with URL: node2/openam/saml2/jsp/exportmetadata.jsp 在node1上注册远程SP向导,URL为:node2 / openam / saml2 / jsp / exportmetadata.jsp
- Register Remote IdP wizard on node2, with URL: node1/openam/saml2/jsp/exportmetadata.jsp 在node2上注册Remote IdP向导,URL为:node1 / openam / saml2 / jsp / exportmetadata.jsp
- On node2 in the Hosted SP setting set the transient user to "anonymous" 在Hosted SP设置中的node2上,将瞬态用户设置为“匿名”
After all this you can test Federation by using: 毕竟,你可以使用以下方法测试联邦:
- /openam/spssoinit?metaAlias=/sp&idpEntityID=node1_entityid on node2 / openam / spssoinit?metaAlias = / sp&idpEntityID = node2上的node1_entityid
- /openam/idpssoinit?metaAlias=/idp&spEntityID=node2_entityid on node1 node1上的/ openam / idpssoinit?metaAlias = / idp&spEntityID = node2_entityid
I've used the default metaAlias values, but those should be visible on the console pages. 我使用了默认的metaAlias值,但这些值应该在控制台页面上可见。 Similarly by downloading the metadata you can see the actual entity IDs for the given entities. 同样,通过下载元数据,您可以看到给定实体的实际实体ID。
Based on this, you should see now that with an OpenAM IdP you could at least test SAML support using the idpssoinit URL (if your SP supports unsolicited responses), but from the other way around it pretty much depends on your SP implementation how you need to actually trigger a SAML authentication. 基于此,您现在应该看到,使用OpenAM IdP,您至少可以使用idpssoinit URL测试SAML支持(如果您的SP支持未经请求的响应),但从相反的方面来看,它几乎取决于您的SP实现如何需要实际上触发SAML身份验证。
解决方案2
1 2013-04-24 11:12:12
这看起来像一个简单的设置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.