
SSO using SAML with Spring Security for REST service

I have a REST service on Spring Boot and now need to add SSO using SAML to it. I'm new to SAML / Spring Security and am trying to understand the main pieces which need to be added to my application.

My IT provided a metadata file:

<md:EntityDescriptor ID="Lusm3k0_RWEBKgnQ" cacheDuration="PT1440M" entityID="XXX.UAT.SAML2.0"
                 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                     WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    <!-- X.509 certificate omitted -->
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" Location="https://SITE-XXX.com/idp/ARS.ssaml2"
                                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://SITE-XXX.com/idp/SLO.saml2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://SITE-XXX.com/idp/SLO.saml2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                            Location="https://SITE-XXX.com/idp/SLO.saml2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                            Location="https://SITE-XXX.com/idp/SLO.ssaml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://SITE-XXX.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://SITE-XXX.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                            Location="https://SITE-XXX.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                            Location="https://SITE-XXX.com/idp/SSO.saml2"/>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</md:IDPSSODescriptor>
<md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Location="https://SITE-XXX.com/idp/attrsvc.ssaml2"
                         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
</md:AttributeAuthorityDescriptor>
<md:ContactPerson contactType="administrative">
    <md:Company>XXX, Inc.</md:Company>
    <md:GivenName>Global</md:GivenName>
    <md:SurName>Directory Services</md:SurName>
    <md:EmailAddress>IAM_SSO_Ops@XXX.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>

In pom.xml I added the dependency:

    <dependency>
        <groupId>org.springframework.security.extensions</groupId>
        <artifactId>spring-security-saml2-core</artifactId>
        <version>2.0.0.M31</version>
    </dependency>

How can I configure and use this metadata for Spring SAML? What should the configuration files look like? I need just the simplest case, where /** (all REST endpoints) is secured.

The solutions which I googled on the internet didn't use this kind of metadata and I do not understand how to use it properly.

Thanks.

There is a bit of a learning curve for SAML, as it contains many terminologies. An end-to-end example may not be possible here, but I can tell you how it works.

The xml provided by your Admin is the federation metadata of your IdP. In SAML, both the SAML Service Provider and the SAML IdP exchange their metadata, either through xml files or as a service which returns this xml content.
Federation metadata contains information such as signing/encryption certs, endpoint information, protocols supported, etc.
Similar to the above file, you will have to create your own federation metadata file, provide it to the Admin and ask him to register your app as a Service Provider inside the IdP.

How to get started with SAML in Spring is given here.

About securing REST APIs -

  1. You should add a filter to check the authentication token.
  2. If the token is not present, then redirect to the IdP.
  3. Once authentication is done, the IdP will redirect back to a known endpoint in your application (the assertion consumer endpoint) where you will get the SAML assertion.
  4. Extract this assertion to know the user details. You will have to use OpenSAML libraries for this.
  5. Create a separate session for your application, generate a token or cookie and send it as a response. Next time, expect this token for each REST call.
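The five steps above map onto a single Spring Security configuration. The following is an added example, not code from the question, the answer or Spring's documentation. It uses Spring Security's built-in SAML 2.0 service-provider support (`spring-security-saml2-service-provider`, Spring Security 6.1+ / Spring Boot 3.1+) rather than the `spring-security-saml2-core` extension named in the question, because the built-in support can consume the IdP metadata file directly. Assumptions: the IdP XML from the question is saved as `src/main/resources/idp-metadata.xml`, the registration id `corp-idp`, the `/api/whoami` endpoint and the `WhoAmIController` class are all names chosen for this illustration.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Added illustration of the answer's five steps with Spring Security's SAML2 service provider.
 * Assumes the IdP metadata from the question is on the classpath as idp-metadata.xml.
 */
@Configuration
public class SamlSecurityConfig {

    // Step 3: the IdP entityID, SingleSignOnService URLs and the signing certificate are
    // read from the federation metadata. The signing cert is what the SP uses to verify
    // the signature on the Response/Assertion that arrives at the assertion consumer URL.
    // Because the IdP publishes WantAuthnRequestsSigned="false" and no encryption key,
    // the SP needs neither a signing nor a decryption credential of its own here.
    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        RelyingPartyRegistration idp = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:idp-metadata.xml")
                // local name for this IdP; it becomes part of the ACS URL below (assumed value)
                .registrationId("corp-idp")
                // SP entityID and assertion consumer service, resolved against the request base URL;
                // these two values are what the Admin registers inside the IdP
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(idp);
    }

    // Steps 1, 2 and 5: every request under /** must be authenticated. Without a session the
    // SAML entry point redirects the browser to the IdP's SSO endpoint; once a valid assertion
    // is consumed at the ACS, Spring creates an HTTP session and its JSESSIONID cookie is the
    // per-application token that subsequent REST calls present.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .saml2Login(withDefaults())
                // publishes the SP's own federation metadata XML for the Admin to import
                .saml2Metadata(withDefaults());
        return http.build();
    }
}

@RestController
class WhoAmIController {

    // Step 4: by the time a controller runs, the ACS filter has already validated the
    // signature, audience and validity window of the assertion and parsed its attributes;
    // the "email" attribute advertised in the IdP metadata is available on the principal.
    @GetMapping("/api/whoami")
    Map<String, Object> whoAmI(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
        return Map.of(
                "name", principal.getName(),
                "email", String.valueOf((Object) principal.getFirstAttribute("email")));
    }
}
```

Two points worth checking against this setup: the redirect-to-IdP behaviour only helps a browser client, so non-browser REST consumers must first obtain the session cookie through a browser login (which is the flow the answer describes); and CSRF protection stays enabled by default, so state-changing calls made with that session cookie must carry the CSRF token rather than having the protection switched off for the API.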
