saml2 idp认证转发
[英]saml2 idp authentication forwarding
问题描述
I have an app that authenticate against an idP using SAML2.
我有一个使用 SAML2 对 idP 进行身份验证的应用程序。 The app support only one idP.该应用程序仅支持一个 idP。
The app is multi-tenant, and I need to forward each tenant user to their own idP.该应用程序是多租户的,我需要将每个租户用户转发到他们自己的 idP。
So I need my local idP (MyIdP, that is registered in the app) to ask the user for their tenat name and based on that, forward the authentication to the appropiate idP and then return it result to the app as its result.所以我需要我的本地 idP(MyIdP,在应用程序中注册)向用户询问他们的租户名称,并在此基础上将身份验证转发给适当的 idP,然后将其结果作为结果返回给应用程序。
Something like a idP proxy (Is there a name for this functionality???)像 idP 代理之类的东西(这个功能有名字吗???)
Is it possible to do it using SimpleSAMLphp, Shibboleth, Keycloak or any other open source idP?是否可以使用 SimpleSAMLphp、Shibboleth、Keycloak 或任何其他开源 idP 来实现?
(App)----->(MyIdP)-----------------------------(idP-Tenant-A) (App)----->(MyIdP)-----------------------------(idP-Tenant-A)
| | |-----(idP-Tenant-B) |-----(idP-租户-B)
{ Ask User Tenant Name |-----(idP-Tenant-C) { 询问用户租户名称 |-----(idP-Tenant-C)
and forward based on it }并以此为基础转发}
Thanks谢谢
1 个解决方案
解决方案1
1 已采纳 2022-06-07 12:26:04
Yes, in Shibboleth this is called IdP Proxy as you guessed.是的,如您所料,在 Shibboleth 中,这称为 IdP 代理。 Here is the docs from Shibboleth 这是来自 Shibboleth 的文档
In keycloak, you can do this using their identity brokering functionality.在 keycloak 中,您可以使用他们的身份代理功能来执行此操作。 This can act as a proxy between different protocols like OIDC and SAML, but also from SAML to SAML.这可以充当不同协议(如 OIDC 和 SAML)之间的代理,也可以充当从 SAML 到 SAML 的代理。 Have a look here for their documentation 在这里查看他们的文档
On my blog I have a post showing how to use this as a proxy between OIDC and SAML.在我的博客上,我有一篇文章展示了如何将其用作 OIDC 和 SAML 之间的代理。 But the mechanics are the same if you want to proxy for SAML.但如果您想代理 SAML,机制是相同的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.