
IDP Initiated SSO Implementation in existing App

I have an existing application and all of a sudden I have been given a task to implement IDP initiated SSO. There is a URL to the IDP; clicking on it asks me to login with IDP provided credentials, and after a successful login the route moves to our application and then my task starts: to identify the user and give the proper access. I have the certificate provided from our IDP. How can I achieve this? My application is a Spring MVC Java Application. I am using JBOSS AS 7. I haven't done a similar thing before. Can anyone please give a step by step clear picture on this? I saw the Spring SAML extension which I couldn't understand properly to get it integrated with my existing app. Any help in this regard will be highly appreciated.

IdP-Initiated SSO

IdP-Initiated SSO with POST Binding

  1. If the user does not have a valid local security context at the IdP, at some point the user will be challenged to supply their credentials to the IdP site, idp.example.org.
  2. The user provides valid credentials and a local logon security context is created for the user at the IdP.
  3. The user selects a menu option or link on the IdP to request access to an SP web site, sp.example.com. This causes the IdP's Single Sign-On Service to be called.
  4. The Single Sign-On Service builds a SAML assertion representing the user's logon security context. Since a POST binding is going to be used, the assertion is digitally signed before it is placed within a SAML message. The message is then placed within an HTML FORM as a hidden form control named SAMLResponse. (If the convention for identifying a specific application resource at the SP is supported at the IdP and SP, the resource URL at the SP is also encoded into the form using a hidden form control named RelayState.) The Single Sign-On Service sends the HTML form back to the browser in the HTTP response. For ease-of-use purposes, the HTML FORM typically will contain script code that will automatically post the form to the destination site.
  5. The browser, due either to a user action or execution of an "auto-submit" script, issues an HTTP POST request to send the form to the SP's Assertion Consumer Service. The service provider's Assertion Consumer Service obtains the message from the HTML FORM for processing. The digital signature on the SAML assertion must first be validated and then the assertion contents are processed in order to create a local logon security context for the user at the SP. Once this completes, the SP retrieves the RelayState data (if any) to determine the desired application resource URL and sends an HTTP redirect response to the browser directing it to access the requested resource (not shown).
  6. An access check is made to establish whether the user has the correct authorization to access the resource. If the access check passes, the resource is then returned to the browser.

See saml-tech-overview-2.0

So if you are implementing the SP, you have to follow steps 5 and 6, otherwise 1 - 4.

For the implementation you could use OpenSaml if you do not get it working with the Spring SAML extension.
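The SP side of step 5 above (the Assertion Consumer Service), written out as an added example; this is not code from the original post, from OpenSAML or from the Spring SAML extension. It assumes the actual XML-DSig check against the IdP certificate is done by a library behind the `verify_signature` hook, and the entity IDs, ACS URL and the sample `SAMLResponse` are constructed; what it shows is the rest of the validation an SP must do before trusting the assertion, including the replay and RelayState checks that matter because an IdP-initiated response has no `InResponseTo` to tie it to a request.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the SAMLResponse form field (hypothetical entity IDs; the ds:Signature
# element is omitted because its verification is delegated to the verify_signature hook).
SAMPLE_SAMLRESPONSE = base64.b64encode(b"""<samlp:Response
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://sp.example.com/saml/acs">
 <saml:Assertion ID="_assertion-0001"><saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>""").decode()

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_saml_response(samlresponse_b64, relay_state, now, verify_signature, seen_ids,
                          sp_entity_id="https://sp.example.com",
                          acs_url="https://sp.example.com/saml/acs",
                          idp_entity_id="https://idp.example.org"):
    # Returns (name_id, redirect_target) or raises ValueError.
    # verify_signature(assertion_element) -> bool: assumed hook filled by an XML-DSig library.
    root = ET.fromstring(base64.b64decode(samlresponse_b64))
    if root.get("Destination") != acs_url:        # message must be meant for this ACS endpoint
        raise ValueError("Destination does not match our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    if not verify_signature(assertion):           # nothing below is trustworthy before this
        raise ValueError("assertion signature invalid")
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    # No InResponseTo in IdP-initiated SSO: remember assertion IDs for the validity window instead.
    if assertion.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(assertion.get("ID"))
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    # RelayState is attacker-influenced input: only follow it to an https URL on our own host.
    parsed = urlparse(relay_state or "")
    target = relay_state if parsed.scheme == "https" and parsed.netloc == urlparse(acs_url).netloc else "/"
    return name_id, target
```

In a Spring MVC app the equivalent lives in the controller mapped to the ACS URL, with the assertion ID cache backed by a store shared across JBoss nodes and the library doing the signature check against the IdP certificate.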
