如何使用Java服务提供程序验证WS-Federation SAML令牌
[英]How to validate WS-Federation SAML tokens with Java Service Provider
问题描述
I am working on a project that uses ws_federation and SAML to authenticate to a Identity Provider running on a IIS server running on .net called thinktecture 
我正在开发一个项目,该项目使用ws_federation和SAML对在.net上运行的IIS服务器上运行的身份提供程序进行身份验证,名为thinktecture
I need to write a Java Service Provider that sends a SAML authentication request to the Identity Provider and get the SAML response back on my java web app. 我需要编写一个Java服务提供程序,它向身份提供程序发送SAML身份验证请求,并在我的Java Web应用程序上获取SAML响应。
I need to know if there are any good libraries to validate SAML and mabye some direction on setting it up or links to a tutorial on getting started. 我需要知道是否有任何好的库来验证SAML并在设置它时指导一些方向或链接到入门教程。 I have tries spring_security-saml_extensions, but I keep getting errors when I try to put my Identitiy Providers meta-data link into the config files. 我尝试了spring_security-saml_extensions,但是当我尝试将Identitiy Providers元数据链接放入配置文件时,我一直遇到错误。
Any help would be greatly appreciated! 任何帮助将不胜感激!
Also: It would be great if the solution could be integrated into an existing java web application! 另外:如果解决方案可以集成到现有的Java Web应用程序中,那将是很棒的!
Some Additional info: 一些附加信息:
Below is the XML I can get from the response returned by the IDP in my SP I am working on I was under the impression that this was a SAML token. 下面是我可以从我在SP中的IDP返回的响应中获得的XML我正在处理我的印象是这是一个SAML令牌。
<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse Context="rm=0&id=passive&ru=%2fApplicant%2fMyAccount%2fHome">
<trust:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T19:37:18.399Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T20:07:18.399Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://[SP Server]/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<Assertion ID="_b4c87094-9557-419f-92fd-714a2b9cd8af" IssueInstant="2013-04-17T19:37:18.399Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://[IDP Server]/trust/idp</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_b4c87094-9557-419f-92fd-714a2b9cd8af">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>pVpyzVN6Cz7NRNsp+jSVQP4ILt1J8y/4KBPzAtbllMg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NnTCfQE7p1FmrdbmYk+wRpbaZ5Rr4Opk67mI2Y6+PTdQlUErv5Bt8C/iBA398CwAgZyREqZfobd47QnxZYOvnFjiMSsQAndmPejZ9PEGwdu8hVrYyhV2VpcPtcaew/tOGWBvTdUKH5YjGmTHLtLxny0WaGYIquYVWoO3S68duy6DWXr/rxMzOEjNhY3s/3alCYMSYqDrhB8jKY8M9M2jruZa2KjIziumW6bzksizYSEFAcn4LfVhACaucrBAVch+r31vKAxO0BpkU7wSRBTaQV+/ALmA1HJAVO/mecujHJnhpizF4GDNdsnbIxck3r/2X9gt7WgMhfwBW+6Xvd2whQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC5TCCAc2gAwIBAgIQSuU/gl5tP49ARSN2SkVRKzANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwHhcNMTAxMDAxMTI1MjUxWhcNMjAwOTI4MTI1MjUxWjAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgytRM5b2B35ydz+zxt59fklaT02z4AXUd9zm3h7Clq8LZYPMYvHOkzv7tgY38rD+NvmELAzeESBTbHN/wJyFkVbdD3mHVvE/vARGLxZB1lx+JN+gNjrrXT90FQtyWEchWoUcO6eFTAUdLgLonSn7SvI7lze2YUIS9BBc0OdpZzhDnWecUA1N0c5CeMZcjxroZYTuXH1YDGqOacphtZ7TMwCV2V5i7k9Jj4xY8uuSX92l7cW+EIqoqp26XTWmfon/jvDvWe3Dhe/mdtLXKQ2Lu8KCiN+zqA91fiGwezTkoeyDrWh/8/jqoz7Ep/4BN9cNLrbk75ngiryPlGLOCQK7vAgMBAAGjJzAlMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwQHAwUAsAAAADANBgkqhkiG9w0BAQUFAAOCAQEAVTHuMl7Tr+ZAQOLf9nPbAlFabec8DFb+3jzbo4qUfGD/DYGuDg4gFNfr09s2Ft82DzXf1BQJDprRIRtrQOE8hDpOeM6c5sOXk7xKh0QjPzqE4n7ZJUP8X+NW+Zu9D7OaFSJ0/mUffw/PugoYTusfCEudrKzo2CDgtrQjaTrm7zkxksJdH/DY+YCF1g+ljpUDKR9SYwRaGQ5fj9dn+SMibhcXqDXod+BGKW9xaTo3CLFKSbMRt97LjF+P8sfnq8IGTpHqHR3pFDjdbIQ4ixRCygEpbVZJgXPvcTk2Nnvi3SyLZPeTRTGnZM0R7KMhLji2JnHYEXArC46fVwHtjLGbGw==</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID>e8f279d7-cbd8-468d-a6df-97419729fe59</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2013-04-17T19:37:18.399Z" NotOnOrAfter="2013-04-17T20:07:18.399Z">
<AudienceRestriction>
<Audience>https://[SP Server]</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<!-- Data from my database-->
</AttributeStatement>
<AuthnStatement AuthnInstant="2013-04-17T19:37:18.337Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>
3 个解决方案
解决方案1
4 已采纳 2013-05-07 15:44:50
I found a great library on github that both handles validation of the SAML Token and if you are feeling adventurous is a good tutorial on how to use OpenSAML. 我在github上找到了一个很好的库,它们都处理SAML令牌的验证,如果你喜欢冒险,那么这是一个关于如何使用OpenSAML的好教程。 The library is called Auth10-Java and it does a great job of breaking down SAML token validation. 该库名为Auth10-Java ,它可以很好地分解SAML令牌验证。 FYI it also handles WS-Federation protocol. 仅供参考,它还处理WS-Federation协议。
Public List<Claim> validateAuthenticationResponse(String yourToken){
SamlTokenValidator validator = new SamlTokenValidator();
validator.setThumbprint("thumbprint from the thinktecture idp server or what ever idp you are using");
validator.getAudienceUris().add(new URI(“http://localhost:8080/javafederationtest”);
//validator.setValidateExpiration(false); //This can be used to stop validation of the expiration fields in the token.
List<Claim> claims = validator.validate(yourToken); //A Federation Exception is thrown if the token is invalid
System.out.println(claims.toString()); //This will show the claims asserted by the token!
}
This worked great for me and better yet I am learning heaps about SAML and OpenSAML from this library! 这对我来说非常有用,而且我从这个库中学到了很多关于SAML和OpenSAML的知识! Just be sure to include all dependencies in your projects build path! 确保在项目构建路径中包含所有依赖项!
解决方案2
2 2013-05-01 02:44:14
The good news is there are open-source Java SAML stacks such as the Java Oracle OpenSSO Fedlet . 好消息是有开源Java SAML堆栈,例如Java Oracle OpenSSO Fedlet 。
The bad news is that the IdentityServer product that you are using has no support for SAML. 坏消息是您使用的IdentityServer产品不支持SAML。
It has support for SAML tokens but not the SAML protocol . 它支持SAML 令牌,但不支持SAML 协议 。
解决方案3
2 2013-05-01 10:58:41
Please look at Shibboleth: http://shibboleth.net/products/service-provider.html . 请查看Shibboleth: http : //shibboleth.net/products/service-provider.html 。 The easiest way to integrate Java with Shibboleth is to setup Apache httpd with Shibboleth and to take the HTTP REMOTE_USER header from the request: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall . 将Java与Shibboleth集成的最简单方法是使用Shibboleth设置Apache httpd并从请求中获取HTTP REMOTE_USER标头: https : //wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall 。 Shibboleth is great framework and fully supports SAML protocol. Shibboleth是一个很棒的框架,完全支持SAML协议。
You can also use the Java code and to create SP code by yourself using OpenSAML code. 您还可以使用Java代码并使用OpenSAML代码自行创建SP代码。 OpenSAML is library used by Shibboleth (link above). OpenSAML是Shibboleth使用的库(上面的链接)。 The instructions how to start to develop: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoDeveloperManual 如何开始开发的说明: https : //wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoDeveloperManual
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.