[英]SAML 2.0 + Keycloak + Spring-Boot
我们正在尝试使用 docker 在本地设置 Keycloak,以便能够使用 SAML 2.0 登录我们的应用程序。
使用的版本:
对端点的访问转发给 Keycloak,但我们总是面临同样的错误(在 keycloak-console 中可用): WARN [org.keycloak.events] (executor-thread-15) type=LOGIN_ERROR, realmId=my-app, clientId=null, userId=null, ipAddress=172.18.0.1, error=client_not_found, reason=Cannot_match_source_hash
网络安全配置:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
public WebSecurityConfig(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
RelyingPartyRegistrationResolver defaultRelyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(defaultRelyingPartyRegistrationResolver, new OpenSamlMetadataResolver());
http
.saml2Login(withDefaults())
.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class)
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/**").authenticated();
}
}
pom.xml中的相关依赖:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>
application.yml(相关部分):
spring:
security:
saml2:
relyingparty:
registration:
saml:
identityprovider:
entity-id: http://localhost:8080/realms/my-app
verification:
- certificate-location: "classpath:saml-certificate/keycloak.cert"
singlesignon:
url: http://localhost:8080/auth/realms/my-app/protocol/saml
sign-request: false
我还可以提供我们的 Keycloak 配置的相关部分,但由于导出量很大,我需要知道哪些部分是相关的。
application.yml 中是否缺少某些内容,或者我们是否需要其他方法来配置它?
您应该在 keycloak 服务器的客户端设置中设置正确的客户端 ID 名称。 客户端 ID 必须与 SAML 请求中的颁发者相同。 Spring-security-saml 使用'{baseUrl}/saml2/service-provider-metadata/{registrationId}'模式,在您的情况下,它应该看起来像 'http://localhost:8080/saml2/service-provider-metadata/saml '
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.