简体繁体 English

SAML 到 Oauth2 使用 spring 安全

[英]SAML to Oauth2 using spring security

原文 2018-02-13 02:52:40 3 1 java/ spring-security/ spring-security-oauth2/ spring-security-saml2

So the problem I have is that the SAML already has been implemented in the project using spring-security-saml to integrate with federate IDP.所以我的问题是 SAML 已经在项目中使用 spring-security-saml 与联邦 IDP 集成。

And now I need to secure REST API calls that are happening from a place where JSESSIONID can't be persisted so I want to exchange SAML Assertion that I get from federate to JWT to provide back to client side so it can be used in Authentication header.现在我需要保护在 JSESSIONID 无法持久化的地方发生的 REST API 调用，所以我想交换从联邦到 JWT 获得的 SAML 断言以提供回客户端，以便它可以在身份验证标头中使用.

For now I'm a bit lost, I was trying to use JwtAccessTokenConverter from spring-security-jwt to create a JWT token but can't figure out how to glue that together with SAML.现在我有点迷茫，我试图使用 spring-security-jwt 中的 JwtAccessTokenConverter 创建一个 JWT 令牌，但无法弄清楚如何将它与 SAML 粘合在一起。

Can someone please shed some light on this one?有人可以对此有所了解吗？ Or maybe there is another option on how to secure REST API using SAML that I don't know.或者也许还有另一种我不知道的关于如何使用 SAML 保护 REST API 的选项。

Thank you!谢谢！

1 个解决方案

You can exchange your SAML token with JWT from your IDP if your IDP supports Oauth2 grant type urn:ietf:params:oauth:grant-type:saml2-bearer .如果您的 IDP 支持 Oauth2 授权类型urn:ietf:params:oauth:grant-type:saml2-bearer您可以从 IDP 与 JWT 交换您的 SAML 令牌。

In this case you need to invoke oauth2 token endpoint of your IDP and pass the saml-assertion, client-id and client-secret and scope=openid as input and your IDP should return you JWT token, which you can use to secure your rest api.在这种情况下，您需要调用 IDP 的 oauth2 令牌端点并传递 saml-assertion、client-id 和 client-secret 以及 scope=openid 作为输入，您的 IDP 应返回 JWT 令牌，您可以使用它来保护您的休息接口。 This jwt token will also contain all claims you received in SAML assertion.此 jwt 令牌还将包含您在 SAML 断言中收到的所有声明。