
asked to reauthenticate with the same IDP - Spring SAML


I have a scenario where my application acts as one of the service providers. My application interacts with another service provider as well to get access. But both the service providers are communicating with the same IDP for authentication.

  1. user logs into my application by validating against the IDP
  2. User is provided access to the application upon successful authentication
  3. Now, user tries to access a resource in the application
  4. User is redirected to another service provider application which is also tied with the same IDP for authentication
  5. Though the user is authenticated once with the same IDP, the user is asked to authenticate again with the second service provider.

I believe the user should not be allowed to authenticate again forcefully. Please let me know if my understanding on the same is correct or not.

Moreover, does forceAuthn have a role to play in this scenario?

All of this should not be in any way related to your application or Spring SAML. Once you redirect the user to the second application (step 4), it is its responsibility to interact with the IDP (send its own AuthnRequest and receive a Response) and there's nothing you can affect about it anymore.

It is possible that the second application is setting the forceAuthn flag when sending AuthnRequest to the IDP - forcing the IDP to re-authenticate your user. It could also be related to some setting on the IDP side, or perhaps some cookie problems. You should communicate with the IDP's owners and ask them to troubleshoot why the user is asked for re-authentication (for example by examining their logs) instead of being single signed-on.
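Added example, not code from the question, the answer or Spring SAML: a small Python helper that decodes a SAMLRequest value captured from the second SP's HTTP-Redirect to the IDP and reports whether ForceAuthn (or IsPassive) is set, which is the first thing to check before involving the IDP owners. The sample AuthnRequest, its issuer URL and the sp2.example.test hostnames are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_saml_request(saml_request_param: str) -> bytes:
    """Undo the HTTP-Redirect binding: base64 over raw DEFLATE (no zlib header,
    hence wbits=-15). URL-decoding of the query parameter is assumed done."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15)


def encode_redirect_saml_request(xml_bytes: bytes) -> str:
    """Inverse of the above; used here only to build realistic sample input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def inspect_authn_request(xml_bytes: bytes) -> dict:
    """Report the AuthnRequest attributes that decide whether the IDP may reuse
    the user's existing session or must prompt for credentials again."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")

    def xs_bool(name: str) -> bool:
        # xs:boolean accepts "true"/"false" and "1"/"0"; absent means false.
        return root.get(name, "false").strip().lower() in ("true", "1")

    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "force_authn": xs_bool("ForceAuthn"),  # true => IDP must re-authenticate
        "is_passive": xs_bool("IsPassive"),    # true => IDP must not prompt at all
    }


# Constructed sample of what the second SP in the question might send. A
# spec-conforming IDP re-authenticates the user when ForceAuthn="true", even
# though the user already holds an IDP session obtained via the first SP.
SAMPLE_FORCED_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_example1" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://sp2.example.test/saml/SSO">'
    '<saml:Issuer>https://sp2.example.test/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
).encode()
# Same request with the flag removed: the IDP may single sign the user on.
SAMPLE_SSO_REQUEST = SAMPLE_FORCED_REQUEST.replace(b' ForceAuthn="true"', b"")
```

If the decoded request from a browser SAML trace shows `force_authn` as True, the re-authentication is requested by the second SP, not caused by the IDP or by cookies.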
