[英]Requesting Resource from SAML2 Identity Provider Post-Login
Scenario: I work on a portal application that has its own user credential store. 场景:我正在使用具有自己的用户凭证存储的门户应用程序。 Another company who has a mobile app needs to authenticate against our data store using SAML 2.0. 另一个拥有移动应用程序的公司需要使用SAML 2.0针对我们的数据存储进行身份验证。
The user will launch the mobile app, it will send an authentication request to the portal/IdP, the portal presents login page, user logs in and a SAML response is then sent back so user can continue using mobile app. 用户将启动移动应用程序,它将向门户网站/ IdP发送认证请求,门户网站显示登录页面,用户登录,然后发送回SAML响应,以便用户可以继续使用移动应用程序。
My question: Is there anything else extra needed if a user clicks a link in the mobile app that requests a protected page on the portal? 我的问题:如果用户单击移动应用程序中的请求门户网站上受保护页面的链接,还需要其他什么吗? I mean, the user will be authenticated in the portal already, so it should let them right in without any other kind of token or whatever sent to the portal from the mobile browser - is that right? 我的意思是,用户已经在门户中进行了身份验证,因此应该让他们直接进入,而无需任何其他种类的令牌或从移动浏览器发送到门户的任何东西-是吗?
Are there any other considerations or resources for referencing a situation like this? 是否有其他考虑因素或资源可用于引用此类情况?
Any assistance is appreciated. 任何帮助表示赞赏。
There are two aspects that needs to be considered here: Authentication and Authorization. 这里需要考虑两个方面:身份验证和授权。 Even though the user is authenticated, s/he might not be authorized (ie have permissions) to access that particular link. 即使用户已通过身份验证,他/他也可能未被授权(即具有权限)访问该特定链接。
If you follow SAML 2.0 protocol that is OK. 如果您遵循SAML 2.0协议,则可以。 You have just to be careful what are you sending with AuthetnicationResponse and how it will be used on mobile app. 您只需要小心使用AuthetnicationResponse发送什么,以及如何在移动应用程序中使用它。 There is not extra tokens. 没有多余的令牌。 AuthenticationResponse (encrypted and signed) is token by itself. AuthenticationResponse(加密并签名)本身就是令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.