How to authenticate to a SAML relying party using a Web Application as a client
I have been researching this topic for a while without much luck.
Scenario:
1. Login to a Web Application using standard form authentication.
2. Login from the Web Application to a SAML Relying Party.
Issue: I thought about using an iFrame to perform the authentication to the SAML Relying Party. The fundamental issue with this approach is that after finalizing the SAML authentication flow, I need to transfer a persistent authentication token back to my Web Application client (this token is used for subsequent access from my Web Application to the SAML relying party).
Thanks in advance, 提前致谢,
Saimon 西门
The question you are asking is a fundamental federation question. In terms of SAML, there is an Identity Provider (IdP) and a Service Provider (SP). The IdP has the responsibility to authenticate the user and issue SAML assertions to SP web applications. In your question, it sounds like your application is the IdP that desires to issue a SAML assertion to the SP web application (I interpreted your SAML relying party to mean the SP web application). Keep in mind that SAML assertions are focused on one-time usage for authentication to an SP web application, where the SAML assertion can contain attributes used for AuthZ.
Another architecture would be to integrate a third-party SAML IdP, such that your application is an SP and the other application is an SP as well. Both of the SP web applications would use the IdP for AuthN and receive SAML assertions. Again, this is about AuthN and one-time usage of the information in the SAML assertion.
Another architecture would be to leverage OpenID Connect (OIDC) from an IdP server. The main difference is that the tokens can be long-lived and used for subsequent secure API transactions.
With respect to security, all of these protocols have security built into them when integrated properly for their respective architecture.
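The "one-time usage" point in the answer above, shown as an added example (not code from the original post or from any SAML library): the checks a Service Provider's assertion consumer performs before it mints its own session. The field names (id, inResponseTo, audience, notBefore, notOnOrAfter) mirror the SAML 2.0 assertion elements but are hypothetical plain-object fields; XML parsing and signature verification are assumed to have already happened upstream, and the SP entity ID and the sample assertion are constructed for the example.

```javascript
// Added example: service-provider side consumption of a (already parsed and
// signature-verified) SAML assertion. The assertion is accepted exactly once and
// the SP then runs its own session; the assertion is never reused as a bearer
// token for later API calls. All identifiers below are hypothetical.

const SP_ENTITY_ID = 'https://sp.example.com/saml/metadata'; // assumed SP entity ID

// AuthnRequest IDs this SP issued and has not yet seen a response for.
const outstandingRequests = new Set();
// Replay cache: assertion ID -> NotOnOrAfter (ms). Entries are dropped once
// expired, because an assertion past its window is rejected anyway.
const seenAssertionIds = new Map();

function issueAuthnRequestId(requestId) {
  outstandingRequests.add(requestId);
  return requestId;
}

function consumeAssertion(assertion, now = Date.now()) {
  // Evict expired replay-cache entries (Map iteration tolerates deletion).
  for (const [id, expiry] of seenAssertionIds) {
    if (expiry <= now) seenAssertionIds.delete(id);
  }
  if (assertion.audience !== SP_ENTITY_ID) {
    return { ok: false, reason: 'audience mismatch' };
  }
  const notBefore = Date.parse(assertion.notBefore);
  const notOnOrAfter = Date.parse(assertion.notOnOrAfter);
  if (Number.isNaN(notBefore) || Number.isNaN(notOnOrAfter)) {
    return { ok: false, reason: 'missing validity window' };
  }
  if (now < notBefore || now >= notOnOrAfter) {
    return { ok: false, reason: 'outside validity window' };
  }
  if (seenAssertionIds.has(assertion.id)) {
    return { ok: false, reason: 'replayed assertion' };
  }
  if (!outstandingRequests.has(assertion.inResponseTo)) {
    return { ok: false, reason: 'unknown InResponseTo' };
  }
  seenAssertionIds.set(assertion.id, notOnOrAfter);
  outstandingRequests.delete(assertion.inResponseTo);
  // The SP's own session, minted from the consumed assertion.
  return {
    ok: true,
    session: { subject: assertion.subject, attributes: assertion.attributes },
  };
}

// Constructed sample, not a real assertion.
const sampleAssertion = {
  id: '_a1b2c3',
  inResponseTo: '_req-0001',
  audience: SP_ENTITY_ID,
  notBefore: '2024-01-01T12:00:00Z',
  notOnOrAfter: '2024-01-01T12:05:00Z',
  subject: 'alice@example.com',
  attributes: { role: 'user' },
};
const SAMPLE_NOW = Date.parse('2024-01-01T12:01:00Z');

if (typeof require !== 'undefined' && require.main === module) {
  issueAuthnRequestId('_req-demo');
  const demo = { ...sampleAssertion, id: '_demo', inResponseTo: '_req-demo' };
  console.log(consumeAssertion(demo, SAMPLE_NOW)); // ok: true
  console.log(consumeAssertion(demo, SAMPLE_NOW)); // reason: 'replayed assertion'
}
```

The second call with the same assertion fails on the replay cache, which is the property the answer is pointing at: whatever the web application keeps for later calls to the relying party has to be a session or token the SP itself issued, not the assertion.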
The problem is, as far as I understand: his application is a consumer that wants to access a resource which is secured and needs authentication based on SAML.
You could do the authentication automatically in the background, but then you have to deal with CORS on both sides (Identity Provider and Service Provider). Your approach is easier, since it is a user-started action and therefore CORS is not necessary. To your problem: it sounds like your token is part of the header, as a special header with a specific name. A better approach in your case (if possible): store this token in a cookie. In your approach the cookie should be shared between the different frames. Your application can then send the cookie when accessing the resource. But be aware: using JavaScript and XMLHttpRequest you need to set "withCredentials".
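What the cookie-based approach in the answer above requires on each side, as an added example that is not part of the original post: the client must send credentials cross-origin (withCredentials on XMLHttpRequest, credentials: 'include' on fetch), the Service Provider must answer with CORS headers that name the exact origin (browsers reject a wildcard when credentials are present), and the cookie must carry SameSite=None; Secure so it is still sent from an iframe. The origins and the cookie name are hypothetical; nothing here touches the network.

```javascript
// Added example: client and SP settings for a cookie that is shared across frames
// and sent on cross-origin requests. Origins below are assumptions.

const APP_ORIGIN = 'https://app.example.com'; // the web application (hypothetical)
const SP_ORIGIN = 'https://sp.example.com';   // the SAML-protected resource (hypothetical)
const SP_ALLOWED_ORIGINS = new Set([APP_ORIGIN]);

// Client side, fetch() form of "withCredentials": without credentials: 'include'
// the browser omits the SP cookie from a cross-origin request.
function buildResourceRequest(path) {
  return {
    url: `${SP_ORIGIN}${path}`,
    method: 'GET',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  };
}

// Client side, XMLHttpRequest form (the answer's wording). Takes the xhr object
// as a parameter so it can be exercised without a browser.
function openWithCredentials(xhr, path) {
  xhr.open('GET', `${SP_ORIGIN}${path}`);
  xhr.withCredentials = true;
  return xhr;
}

// SP side. CORS response for a credentialed request: echo the exact origin, and
// only if it is on an allowlist. Reflecting arbitrary origins together with
// Allow-Credentials would let any site read the authenticated response.
function corsHeadersFor(requestOrigin) {
  if (!SP_ALLOWED_ORIGINS.has(requestOrigin)) return null; // browser blocks the response
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// SP side. Set-Cookie for the session token. Inside the iframe the SP cookie is
// a cross-site cookie from the web application's point of view, so it needs
// SameSite=None, which in turn requires Secure. HttpOnly keeps it away from script.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Simulation of the browser's rule for a credentialed response: the allowed
// origin must equal the requesting origin exactly (a wildcard fails) and
// Allow-Credentials must be the literal string "true".
function browserAcceptsCredentialedResponse(headers, requestOrigin) {
  if (!headers) return false;
  return headers['Access-Control-Allow-Origin'] === requestOrigin
    && headers['Access-Control-Allow-Credentials'] === 'true';
}
```

One caveat the answer does not mention: browsers that block third-party cookies by default (Safari does, and others offer it as a setting) will not send the SP cookie from the iframe at all, whatever the cookie attributes say, so the approach should be tested in every browser the application has to support.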