
WSO2 Identity Server Access Control based on SAML/XACML

I need to secure a SOAP web service (based on Axis2) with this configuration:

  1. Client tries to consume the service
  2. Client is redirected to an authentication server for authentication
  3. If the client authenticates properly, the Authentication Server gives the client a SAML token with his attributes (basically a role)
  4. There is an XACML policy (client can use an operation provided by the web service only if it has a proper role) which is evaluated based on the role included in the SAML token.

So I have thought about using WSO2 Identity Server coupled with rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest how?

You can either go with WSO2 IS STS (which is WS-*) or Web Browser SSO of SAML. Depending on the nature of your application (web browser based or not), you can pick either of the above methods. You can get user roles from the SAML Response.

However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username, read user roles from LDAP/userstore and do the validation.
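The flow the question describes (role in the SAML token, XACML policy keyed on that role and the invoked operation) and the PEP module the answer recommends, as an added example that is not part of the question, the answer or WSO2's own code. The SAML assertion, the XACML policy, the claim URI `http://wso2.org/claims/role` and the operation names are constructed for illustration; the evaluator is a toy PDP (string-equal Matches, first-applicable rule combining) standing in for the WSO2 IS entitlement endpoint, so that the policy shape and the PEP steps can be run offline.

```python
"""Added example (not the question's, the answer's or WSO2's code): a toy PEP/PDP flow showing how
the role in a SAML 2.0 assertion becomes the subject attribute an XACML 3.0 policy decides on.
Assertion, policy, claim URI and operation names are constructed; the evaluator is not WSO2's Balana PDP."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xacml": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "http://wso2.org/claims/role"  # assumed claim URI; match it to your IS claim config

# Constructed assertion as the STS might issue it.  ds:Signature omitted: a real PEP must verify it
# against the IdP certificate (and Conditions/NotOnOrAfter) first, or the caller can mint its own roles.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>manager</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed XACML 3.0 policy: only role "manager" may invoke "transfer"; a Target-less Deny rule catches the rest.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="account-service" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="permit-manager-transfer" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transfer</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="http://wso2.org/claims/role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""

def extract_roles(assertion_xml):
    """PEP step 1: role attribute values from the (already signature-checked) assertion."""
    root = ET.fromstring(assertion_xml)
    return [v.text.strip() for attr in root.iter("{%s}Attribute" % NS["saml"])
            if attr.get("Name") == ROLE_ATTR
            for v in attr.findall("saml:AttributeValue", NS) if v.text]

def build_request(subject, roles, action):
    """PEP step 2: wrap subject, roles and the invoked operation in an XACML 3.0 Request."""
    def attribute(attr_id, values):  # values are escaped: role names come from the token, not from us
        vals = "".join('<AttributeValue DataType="%s">%s</AttributeValue>' % (STRING, escape(v)) for v in values)
        return '<Attribute AttributeId="%s" IncludeInResult="false">%s</Attribute>' % (attr_id, vals)
    return ('<Request xmlns="%s" CombinedDecision="false" ReturnPolicyIdList="false">' % NS["xacml"]
            + '<Attributes Category="%s">%s%s</Attributes>' % (SUBJECT_CAT, attribute(SUBJECT_ID, [subject]), attribute(ROLE_ATTR, roles))
            + '<Attributes Category="%s">%s</Attributes>' % (ACTION_CAT, attribute(ACTION_ID, [action]))
            + "</Request>")

def _bag(req, category, attr_id):  # every value of one request attribute (XACML attributes are bags)
    return [v.text for a in req.findall("xacml:Attributes", NS) if a.get("Category") == category
            for at in a.findall("xacml:Attribute", NS) if at.get("AttributeId") == attr_id
            for v in at.findall("xacml:AttributeValue", NS)]

def _match(match, req):
    """string-equal Match: true if any value in the designated bag equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError("toy PDP implements string-equal only")
    literal = match.find("xacml:AttributeValue", NS).text
    d = match.find("xacml:AttributeDesignator", NS)
    return literal in _bag(req, d.get("Category"), d.get("AttributeId"))

def _target_matches(target, req):
    """XACML Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match; empty Target matches."""
    if target is None:
        return True
    return all(any(all(_match(m, req) for m in allof.findall("xacml:Match", NS))
                   for allof in anyof.findall("xacml:AllOf", NS))
               for anyof in target.findall("xacml:AnyOf", NS))

def evaluate(policy_xml, request_xml):
    """Toy PDP, first-applicable rule combining: returns Permit, Deny or NotApplicable."""
    policy, req = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not _target_matches(policy.find("xacml:Target", NS), req):
        return "NotApplicable"
    for rule in policy.findall("xacml:Rule", NS):
        if _target_matches(rule.find("xacml:Target", NS), req):
            return rule.get("Effect")
    return "NotApplicable"

def authorize(assertion_xml, action, policy_xml=POLICY):
    """PEP entry point: an Axis2 handler would call this per operation and raise a SOAP fault unless Permit."""
    subject = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS).text
    return evaluate(policy_xml, build_request(subject, extract_roles(assertion_xml), action))
```

In a real deployment the Axis2 handler takes the assertion out of the WS-Security header after Rampart has verified signature and decryption, and sends the Request to the WSO2 IS PDP instead of the local `evaluate`. Two practical checks: decide per operation (the action-id above), not once per session, and treat anything other than an explicit Permit (Deny, NotApplicable, Indeterminate) as a fault. The answer's point also shows up here: if the PEP sends only subject-id, the PDP can look the roles up in the user store itself and the role attribute need not ride in the SAML token at all.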
