
How to authenticate to a SAML relying party using a Web Application as a client

I have been researching this topic for a while without much luck.

Scenario:

1. Login to a Web Application using standard form authentication.
2. Login from the Web Application to a SAML Relying Party.

Issue: I thought about using an iFrame to perform the authentication to the SAML Relying Party. The fundamental issue in this approach is that after finalizing the SAML authentication flow, I need to transfer a persistent authentication token back to my Web Application client (this token is used for subsequent access of my Web Application to the SAML relying party).

- Can someone comment on whether this is the right approach (security wise)?
- Is there an alternative approach for authenticating web based clients to a system configured as a SAML relying party?

Thanks in advance,

Saimon

The question you are asking is a fundamental federation question. In terms of SAML, there is an Identity Provider (IdP) and a Service Provider (SP). The IdP has the responsibility to authenticate the user and issue SAML assertions to SP web applications. In your question, it sounds like your application is the IdP that desires to issue a SAML assertion to the SP web application (I interpreted your SAML relying party to mean the SP web application). Keep in mind that SAML assertions are focused on one-time usage for authentication to an SP web application, where the SAML assertion can contain attributes used for AuthZ.

Another architecture would be to integrate a third party SAML IdP, such that your application is an SP and the other application is an SP. Both of the SP web applications would use the IdP for AuthN and receive SAML assertions. Again, this is about AuthN and one-time usage of the information in the SAML assertion.

Another architecture would be to leverage OpenID Connect (OIDC) from an IdP Server. The main difference is that the tokens can be long lived and used for subsequent secure API transactions.

With respect to security, all of these protocols have security built into them when integrated properly for their respective architecture.

The problem is, as far as I understand: his application is a consumer that wants to access a resource which is secured and needs an authentication based on SAML.

You could do the authentication automatically in the background, but then you have to deal with CORS on both sides (Identity Provider and Service Provider). Your approach is easier, since it is a user-started action and therefore CORS is not necessary. To your problem: sounds like your token is part of the header as a special header with a specific name. Better approach in your case (if possible): store this token in a cookie. In your approach the cookie should be shared between the different frames. Your application then can send the cookie when accessing the resource. But be aware: using JavaScript & XMLHttpRequest you need to set "withCredentials".

