
SAML + web service client + client certificate

I need help regarding SAML and WS-Security architecture (or possibly completely different standards?).

I have the following platform-independent scenario which I need to secure using client certificate authentication. The scenario is non-interactive; only a web service client is involved (1).

(1) WS client -> (2) WS's on Service Provider (SP) -> (3) Identity provider (IdP)

  • (1) has a client certificate on its machine and calls (2)
  • (2) has services that (1) needs to consume
  • (3) is able to authenticate the (1) client using the client certificate

My question is how exactly this scenario could be covered with security standards such as SAML, WS-Trust or other.

Thanks

Pretty much any "federation" protocol could be used - OIDC, SAML, WS-Fed, WS-Trust... Take your pick.

  1. Browser navigates to SP.
  2. SP says "I don't know you" and redirects you to the IdP via an authentication request appropriate for the chosen protocol above.
  3. The IdP says "I don't know you, Authenticate!"
  4. Browser presents certificate for authentication.
  5. The IdP validates the certificate, and builds an "assertion" appropriate for the chosen protocol.
  6. The IdP redirects you back to the SP with the assertion.
  7. The SP validates the assertion and lets the browser in.

Of the protocols listed... Only WS-Trust would work slightly differently... In WS-Trust, depending on who the SP and IdP actually are, the SP could ask the browser to present a certificate that the SP could then ask the IdP, in an STS call, to authenticate. This would only work if both the IdP and SP were configured to trust the same specific CA. This would result in not getting bounced from SP to IdP and back.
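A stand-alone sketch of steps 4 to 7 of the answer above, added here as an illustration and not part of the original post: the IdP checks the presented client certificate against the CA it trusts and issues a signed assertion, and the SP checks signature, issuer, audience, validity window and replay before accepting the subject. The certificate is modelled as a parsed dict and an HMAC over a shared key stands in for the IdP's XML signature (a real SAML SP would verify the IdP's public-key signature instead); every name and value below is constructed.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample values, not from the original post.
TRUSTED_CA = "CN=Example Client CA"        # CA the IdP trusts for client certificates
IDP_SIGNING_KEY = b"idp-signing-key-demo"  # HMAC key standing in for the IdP's XML-DSig key
IDP_ENTITY_ID = "urn:example:idp"
SP_ENTITY_ID = "urn:example:sp"
SEEN_ASSERTION_IDS = set()                 # SP-side replay cache
GOOD_CERT = {"subject": "CN=ws-client-1", "issuer": TRUSTED_CA,
             "not_before": 1_600_000_000, "not_after": 1_800_000_000}

def idp_authenticate(cert: dict, audience: str, now: int) -> str:
    """Step 5: the IdP checks the presented certificate and issues a signed assertion."""
    if cert.get("issuer") != TRUSTED_CA:
        raise ValueError("certificate not issued by a trusted CA")
    if not cert["not_before"] <= now < cert["not_after"]:
        raise ValueError("certificate outside its validity period")
    claims = {"id": secrets.token_hex(16), "iss": IDP_ENTITY_ID, "sub": cert["subject"],
              "aud": audience, "nbf": now, "exp": now + 300}   # 5-minute lifetime
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def sp_validate(assertion: str, now: int) -> str:
    """Step 7: the SP checks signature, issuer, audience, time window and replay."""
    body, sig = assertion.rsplit(".", 1)
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("assertion signature does not verify")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["iss"] != IDP_ENTITY_ID:
        raise ValueError("assertion from an untrusted issuer")
    if claims["aud"] != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("assertion outside its validity window")
    if claims["id"] in SEEN_ASSERTION_IDS:
        raise ValueError("assertion replayed")
    SEEN_ASSERTION_IDS.add(claims["id"])
    return claims["sub"]

def run_flow(cert: dict, now: int) -> str:
    """Steps 4-7 end to end: cert -> IdP -> assertion -> SP -> authenticated subject."""
    return sp_validate(idp_authenticate(cert, SP_ENTITY_ID, now), now)

def is_rejected(step) -> bool:
    """True if the step raises ValueError (exercises the failure paths)."""
    try:
        step(); return False
    except ValueError:
        return True
```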
