
Spring SAML SSO

I have a portal application developed using Spring Security and the MVC framework. This portal application connects to an IdP (developed using Spring Security and Spring SAML) for authentication. If the user authentication is successful, the user is navigated to the homepage, where multiple links are provided for external applications. When the user clicks on an application link, the user should be successfully navigated to the respective application without being challenged with a login page.

The other applications are developed using Struts and Spring Security. How do I make sure that when a link is clicked from the portal, either a SAML token or the context is passed to the other application so it will not ask for login?

Any help is greatly appreciated.

The most common flow for SAML is something like the following:

  1. The application (called the service provider, or SP) receives a request (any request, like a request for a business resource) from an unauthenticated user.
  2. It redirects the user (most commonly via an HTTP redirect) to the IdP (in which the SP should already be registered).
  3. If the user is not authenticated to the IdP (not logged in to SSO), a login form is presented and login is managed by the IdP until there is a user session with the IdP.
  4. If the user is already authenticated with the IdP (either because he already was, or because he entered a correct user/password), the IdP issues its claim token and posts the user with the token back to the Assertion Consumer Service in the SP (the original application).
  5. The Assertion Consumer Service (practically just an API endpoint) receives and validates the SAML token and creates its own application session with the user. Now the user is authenticated to the application (SP).
  6. Upon the next request to the application (SP), there is already a session, so SAML is not involved.

Note that if there is already a session with the IdP, all of this is seamless for the user. A bunch of redirects take place, but the user will just reach the application without entering credentials.

So the short answer to your question is that your external applications need to support SAML SSO and need to be registered with the identity provider, in which case they can just use the IdP for authenticating the user and signing the claims it may have.
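The six-step exchange described in the answer above, run end to end with two SPs behind one IdP, as an added example that is not part of the original post and is not Spring SAML or Spring Security code. It is a self-contained Python simulation with constructed entity IDs, a constructed user account, and an HMAC over a JSON assertion standing in for the XML-DSig signature a real IdP would produce; the `IdP`, `SP`, `sso_walkthrough` names and every URL are assumptions for illustration. The HTTP-Redirect encoding of the AuthnRequest (raw DEFLATE, base64, URL-encode) and the five ACS checks (signature, issuer, audience, expiry, InResponseTo) are the parts a practitioner would carry over to a real SP:

```python
import base64, hashlib, hmac, json, secrets, time, zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed, example-only values. A real IdP signs assertions with XML-DSig and an
# X.509 key pair; an HMAC over the canonical JSON assertion stands in for that
# signature here so the exchange runs with the standard library alone.
IDP_ENTITY_ID = "https://idp.example.com"
IDP_SSO_URL = IDP_ENTITY_ID + "/saml/sso"
IDP_KEY = b"example-idp-signing-key"

def sign(assertion):
    return hmac.new(IDP_KEY, json.dumps(assertion, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class IdP:
    def __init__(self, registered_sps):
        self.sps = registered_sps           # SP entity ID -> its ACS URL (the registration)
        self.users = {"alice": "correct horse battery staple"}   # constructed account
        self.sessions = {}                  # IdP cookie -> username (the SSO session)

    def sso(self, saml_request, idp_cookie=None, credentials=None):
        """Steps 3-4: log the user in unless an IdP session exists, then issue an assertion."""
        req = json.loads(zlib.decompress(base64.b64decode(saml_request), -15))
        if req["issuer"] not in self.sps:
            raise PermissionError("SP not registered: " + req["issuer"])
        user = self.sessions.get(idp_cookie)
        if user is None:
            if credentials is None:
                return {"action": "login_form"}
            user, password = credentials
            if self.users.get(user) != password:
                raise PermissionError("bad credentials")
            idp_cookie = secrets.token_hex(16)
            self.sessions[idp_cookie] = user
        assertion = {"issuer": IDP_ENTITY_ID, "subject": user, "audience": req["issuer"],
                     "in_response_to": req["id"], "not_on_or_after": int(time.time()) + 300}
        token = json.dumps({"assertion": assertion, "signature": sign(assertion)}).encode()
        # HTTP-POST binding: the browser auto-submits this form to the SP's ACS URL.
        return {"action": "post", "url": self.sps[req["issuer"]], "set_cookie": idp_cookie,
                "form": {"SAMLResponse": base64.b64encode(token).decode()}}

class SP:
    def __init__(self, entity_id):
        self.entity_id, self.acs_url = entity_id, entity_id + "/saml/SSO"
        self.pending = {}                   # AuthnRequest ID -> path the user asked for
        self.sessions = {}                  # app cookie -> username (the app session)

    def handle(self, path, app_cookie=None):
        """Steps 1-2 and 6: serve from the app session, else redirect to the IdP."""
        user = self.sessions.get(app_cookie)
        if user:
            return {"status": 200, "body": f"{path} for {user}"}
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = path
        c = zlib.compressobj(wbits=-15)     # HTTP-Redirect binding: DEFLATE + base64 + URL-encode
        raw = json.dumps({"id": req_id, "issuer": self.entity_id}).encode()
        query = urlencode({"SAMLRequest": base64.b64encode(c.compress(raw) + c.flush()).decode()})
        return {"status": 302, "location": IDP_SSO_URL + "?" + query}

    def acs(self, saml_response):
        """Step 5: check signature, issuer, audience, expiry and InResponseTo, then open a session."""
        msg = json.loads(base64.b64decode(saml_response))
        a = msg["assertion"]
        if not hmac.compare_digest(sign(a), msg["signature"]):
            raise PermissionError("assertion signature invalid")
        if a["issuer"] != IDP_ENTITY_ID or a["audience"] != self.entity_id:
            raise PermissionError("assertion not from our IdP or not meant for this SP")
        if time.time() >= a["not_on_or_after"]:
            raise PermissionError("assertion expired")
        if a["in_response_to"] not in self.pending:
            raise PermissionError("unsolicited or replayed response")
        path = self.pending.pop(a["in_response_to"])   # one-time use blocks replay
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = a["subject"]
        return {"status": 302, "location": path, "set_cookie": cookie}

def saml_request_in(redirect):
    return parse_qs(urlparse(redirect["location"]).query)["SAMLRequest"][0]

def sso_walkthrough():
    """Log in once via the portal, then open a second SP without a second login prompt."""
    portal, reports = SP("https://portal.example.com"), SP("https://reports.example.com")
    idp = IdP({sp.entity_id: sp.acs_url for sp in (portal, reports)})
    login_prompts = 0
    req = saml_request_in(portal.handle("/home"))            # steps 1-2: no app session
    step = idp.sso(req)                                      # step 3: no IdP session either
    if step["action"] == "login_form":
        login_prompts += 1
        step = idp.sso(req, credentials=("alice", "correct horse battery staple"))
    idp_cookie = step["set_cookie"]
    portal_cookie = portal.acs(step["form"]["SAMLResponse"])["set_cookie"]   # steps 4-5
    home = portal.handle("/home", portal_cookie)             # step 6: served from the session
    req = saml_request_in(reports.handle("/monthly"))        # link clicked on the portal
    step = idp.sso(req, idp_cookie=idp_cookie)               # IdP session exists: no login form
    if step["action"] == "login_form":
        login_prompts += 1
    response = step["form"]["SAMLResponse"]
    reports_cookie = reports.acs(response)["set_cookie"]
    try:
        reports.acs(response)                                # same response again is a replay
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"login_prompts": login_prompts, "portal_home": home["body"],
            "reports_page": reports.handle("/monthly", reports_cookie)["body"],
            "replay_rejected": replay_rejected}
```

Running `sso_walkthrough()` shows the point of the answer: the user sees exactly one login form, at the IdP, and the second SP still goes through its own redirect and ACS validation before it issues its own session cookie. Nothing is "passed" from the portal to the other application; each SP trusts only an assertion it solicited itself (InResponseTo), addressed to it (audience) and signed by the registered IdP, which is why the external applications must be SAML-capable SPs registered with the IdP rather than recipients of a forwarded token.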

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to republish, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.
