
Extending WebSphere SAML Identity propagation

I have an existing financial application which uses an API gateway to authenticate web-based users. This gateway maintains a security session for the user, and proxies SOAP calls on to a WebSphere box. It adds a signed SAML assertion to these SOAP calls.

A series of JAX-WS Services are deployed on WebSphere, and these are protected with WebSphere policies to consume the SAML assertions. The identity and group memberships specified in the SAML assertions are then propagated to the WebSphere security context for the service call. All works very well; all of the security logic is done purely by configuration.

New requirements now require that we propagate the sessionId in the API gateway all the way through to WebSphere, and beyond. This is for reasons of traceability.

Clearly we could change the WSDL for all of the services to include some meta-data fields, but this is a big change, and would require very extensive testing.

I was hoping there might be a way to map some arbitrary attributes from the SAML assertion (other than Identity and groupMembership) to the WebSphere security context. Or even to access the SAML XML in the (authenticated) JAX-WS Service.

Has anyone done this?

You can have the API gateway add sessionid as a SAML attribute, then retrieve the attribute from the Subject after the SAML is processed by WebSphere. Here is sample code to get a SAML attribute in WebSphere after the SAML is processed.

    import java.security.AccessController;
    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;
    import java.util.Iterator;
    import java.util.List;
    import java.util.Map;
    import javax.security.auth.Subject;
    import com.ibm.websphere.security.auth.WSSubject;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLAttribute;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;

    // The subject must be final so the anonymous PrivilegedExceptionAction can read it
    final Subject subject = WSSubject.getRunAsSubject();

    SAMLToken samlToken;
    try {
        samlToken = AccessController.doPrivileged(
                new PrivilegedExceptionAction<SAMLToken>() {
                    public SAMLToken run() throws Exception {
                        // The validated SAML token is stored among the subject's private credentials
                        Iterator<SAMLToken> authIterator =
                                subject.getPrivateCredentials(SAMLToken.class).iterator();
                        return authIterator.hasNext() ? authIterator.next() : null;
                    }
                });
    } catch (PrivilegedActionException e) {
        throw new RuntimeException("Unable to read SAML token from subject", e);
    }

    if (samlToken != null) {
        // Attribute values keyed by attribute name
        Map<String, String> stringAttributes = samlToken.getStringAttributes();
        // Full attribute objects, if you need more than the string value
        List<SAMLAttribute> samlAttributes = samlToken.getSAMLAttributes();
    }

Instead of looping through the creds yourself, you can use the WSSUtilFactory API to do it for you: https://www.ibm.com/support/knowledgecenter/SSAW57_9.0.0/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/wssecurity/wssapi/WSSUtilFactory.html

Assuming that you are using a SAML 2.0 token, you can do:

    WSSUtilFactory wssuf = WSSUtilFactory.getInstance();
    SAMLToken token = wssuf.getSaml20Token();

The getSaml20Token method was added to WSSUtilFactory in 70043, 80013, 85510 and 9000.
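Putting the two answers together for the asker's traceability use case, here is an added helper (not code from either answer or from IBM) that reads the gateway's session id from the SAML token via WSSUtilFactory and only accepts it once the value looks like an opaque id, so a malformed attribute cannot reach the service's logs. The attribute name `sessionId` and the id format are assumptions agreed with the gateway, not values from the page.

```java
import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import com.ibm.websphere.wssecurity.wssapi.WSSUtilFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;

/** Reads the API gateway session id carried as a SAML attribute on the current request. */
public final class SamlSessionContext {

    private static final Logger LOG = Logger.getLogger(SamlSessionContext.class.getName());

    // Assumed attribute name agreed with the API gateway (not from the original page).
    static final String SESSION_ATTR = "sessionId";

    // Assumed shape of a gateway session id; anything else is rejected rather than logged.
    private static final Pattern ID_SHAPE = Pattern.compile("[A-Za-z0-9_.-]{8,128}");

    private SamlSessionContext() {}

    /** Returns the validated session id for the run-as subject, or null if none was carried. */
    public static String currentSessionId() {
        SAMLToken token;
        try {
            // Requires a WebSphere level that has getSaml20Token (see the fix-pack list above)
            token = WSSUtilFactory.getInstance().getSaml20Token();
        } catch (Exception e) {
            LOG.warning("Unable to obtain SAML token from run-as subject: " + e);
            return null;
        }
        if (token == null) {
            return null; // request was not authenticated with a SAML 2.0 token
        }
        // The assertion signature was already verified by the policy set before the
        // token reached the subject, so the attribute is trusted as to origin; we still
        // constrain its shape before it is used as a trace key.
        return validatedAttribute(token.getStringAttributes(), SESSION_ATTR);
    }

    static String validatedAttribute(Map<String, String> attrs, String name) {
        if (attrs == null) {
            return null;
        }
        String value = attrs.get(name);
        if (value == null) {
            return null;
        }
        if (!ID_SHAPE.matcher(value).matches()) {
            LOG.warning("Rejected malformed SAML attribute " + name);
            return null;
        }
        return value;
    }
}
```

Call `SamlSessionContext.currentSessionId()` at the top of each JAX-WS service method and pass the result down with the request (for example into your logging context) to carry the gateway session through to downstream calls.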
