How does IIS use SAML 2.0 to access ADFS?


How does IIS use SAML 2.0 to access ADFS?

In my opinion, IIS needs to deploy a web application that accesses ADFS by sending the request with SAML 2.0.

But so far, I haven't found a way to deploy a web application that can send SAML 2.0.

Does it have to use ISAPI or Shibboleth?

Resolution: (1) Shibboleth SP should establish the SSO session/HTTP login session after extracting the user info from the SAML response sent by the SAML IdP. (2) Insert the user info into the SSO session/HTTP login session. "How to insert and fetch Data from Sessions instead of Database in Asp.net MVC C#" provides instructions on how to insert data into the HTTP session (at IIS) and extract data from the HTTP session (at Glassfish).

// In IIS
Session["HTTP_MAIL"] = Request.Headers["HTTP_MAIL"];

// In Glassfish, after the HTTP redirect
string user_email = Session["HTTP_MAIL"];

Thanks for your answer!

Let me tell you what I know first. If there is anything wrong, please point it out.

  1. Shibboleth SP saves the values from the SAML response, which it gets from the SAML IdP (this time ADFS), to three places (※), and we can see them at https://SP's domain name/Shibboleth.sso/Session

     ※ ①Session ②Server Variables ③Request Headers; refer to the SP's AttributeAccess page

  2. After Shibboleth SP saves the values, it automatically jumps to the page accessed in the browser.

  3. There is information in ②Server Variables and ③Request Headers, so applications on top of IIS can get it through the following code; both "mail" and "HTTP_MAIL" can get the value.

<%@ Page Language="C#" %>
<%
    // Shibboleth SP on IIS exposes the mapped attributes as server variables.
    // Note: Request[...] searches QueryString, Form, Cookies and then
    // ServerVariables, so Request.ServerVariables[...] is the unambiguous lookup.
    Response.Write("<h3>Server Variables</h3>");
    Response.Write("Name = " + Request["name"] + "<br>");
    Response.Write("Email = " + Request["mail"] + "<br>");
    Response.Write("Tel = " + Request["tel"] + "<br>");
%>

The result is:

Server Variables
Name = tom
Email = tom@yahoo.com
Tel = 0251-4584-635


The question is: when using HTTP Redirect (HTTP Rewrite or another way is also OK), how are the above values passed to GlassFish?

Referring to your answer, I did the following things:

  1. Modified the program on IIS to this:

<%@ Page Language="C#" %>
<%
    Response.Write("<h3>Server Variables</h3>");
    Response.Write("Name = " + Request["name"] + "<br>");
    Response.Write("Email = " + Request["mail"] + "<br>");
    Response.Write("Tel = " + Request["tel"] + "<br>");

    // ※ Copy the SP-injected value into the ASP.NET session; this session
    // lives in the IIS worker process and is keyed by the ASP.NET session cookie.
    Session["HTTP_MAIL"] = Request["HTTP_MAIL"];
    // Read back the key that was just set (the original read "HTTP_TEST", which was never assigned).
    Response.Write("Mail2 = " + Session["HTTP_MAIL"] + "<br>");
%>

  2. Created the GlassFish app like this:

import java.util.Enumeration;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class UserInfoController {

    // Dumps every attribute of GlassFish's own HTTP session (a session store
    // separate from the IIS/ASP.NET one) into the model for the "index" view.
    @RequestMapping(value = "/info2", method = RequestMethod.GET)
    public Object getUserInfo2(HttpSession session, Model model) {
        Enumeration<String> attributeNames = session.getAttributeNames();
        StringBuilder stringBuilder = new StringBuilder();
        while (attributeNames.hasMoreElements()) {
            String key = attributeNames.nextElement();
            Object value = session.getAttribute(key);
            stringBuilder.append(key).append(":").append(value).append("\n");
        }
        model.addAttribute("StringBuffer", stringBuilder.toString());
        return "index";
    }
}

There is nothing in the session.

It seems that IIS's HTTP Redirect function redirects before the app on IIS executes. In other words, the session assignment does not appear to have been performed.

Did I do that right?
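Added example (not part of the question or the answer): a small Python model of the two situations in this thread. `sp_hop` plays the Shibboleth SP filter on IIS, which first discards any client-supplied header that collides with an exported attribute id (a client can send `mail: admin@example.com`, and CGI-style naming turns that into `HTTP_MAIL` exactly like the SP's own value) and then injects the values from the verified assertion. `naive_user` is what reading `HTTP_MAIL` on a second server amounts to; `authenticated_user` trusts the header only when the request carries a secret the SP hop stamped on it. `follow_redirect` shows what a browser actually sends after a 302. The header name `X-SP-Spoof-Check`, the key value, the hostnames and the request dicts are assumptions constructed for this example, not Shibboleth SP configuration.

```python
import hmac

# Attribute ids the SP exports to the application (the "id" values from
# attribute-map.xml). These are the header/server-variable names that a
# client could also try to supply itself.
EXPORTED_ATTRIBUTES = ("mail", "tel", "name")

# Assumption for this example: the SP hop stamps every request it processed
# with a secret shared only with the application on the same hop.
SPOOF_HEADER = "X-SP-Spoof-Check"


def cgi_name(header):
    """HTTP header name -> CGI/IIS server-variable name ('mail' -> 'HTTP_MAIL')."""
    return "HTTP_" + header.upper().replace("-", "_")


def strip_identity_headers(environ):
    """Drop every client-supplied header that collides with an exported
    attribute id, which is what the SP filter must do before injecting."""
    blocked = {cgi_name(a) for a in EXPORTED_ATTRIBUTES}
    return {k: v for k, v in environ.items() if k not in blocked}


def sp_hop(environ, assertion_attributes, spoof_key):
    """Model of the Shibboleth SP filter on IIS: strip, then inject the
    attributes taken from the already signature-verified SAML assertion."""
    out = strip_identity_headers(environ)
    for attr, value in assertion_attributes.items():
        out[cgi_name(attr)] = value
    out[cgi_name(SPOOF_HEADER)] = spoof_key
    return out


def naive_user(environ):
    """Trusts HTTP_MAIL wherever it came from. Reading the header on a second
    server (GlassFish) that has no SP of its own amounts to this."""
    return environ.get("HTTP_MAIL")


def authenticated_user(environ, spoof_key):
    """Accepts HTTP_MAIL only when the request provably passed through the SP
    hop; otherwise identity headers are attacker-controlled input."""
    presented = environ.get(cgi_name(SPOOF_HEADER), "")
    if not hmac.compare_digest(presented.encode(), spoof_key.encode()):
        return None
    return environ.get("HTTP_MAIL")


def follow_redirect(location, cookie_jar):
    """What the browser sends after a 302: a fresh request to `location`
    carrying only the cookies scoped to that host. Server variables injected
    into the IIS request, and the IIS session, do not travel with it."""
    host = location.split("/")[2]
    environ = {"REQUEST_URI": location}
    if host in cookie_jar:
        environ["HTTP_COOKIE"] = cookie_jar[host]
    return environ


if __name__ == "__main__":
    key = "example-spoof-key"
    # Constructed request in which the client itself sent "mail: admin@..."
    forged = {"HTTP_MAIL": "admin@example.com", "REQUEST_URI": "/info2"}
    print("naive, forged header   :", naive_user(forged))
    print("checked, forged header :", authenticated_user(forged, key))
    via_sp = sp_hop(forged, {"mail": "tom@example.com", "tel": "0251-4584-635"}, key)
    print("checked, via SP hop    :", authenticated_user(via_sp, key))
    after = follow_redirect("https://glassfish.example.com/info2",
                            {"iis.example.com": "ASP.NET_SessionId=abc"})
    print("request after 302      :", sorted(after))
```

The last call is the situation the question describes: the redirected request reaches GlassFish with neither the SP-injected variables nor the IIS session cookie, so GlassFish's own session is empty; and if GlassFish were changed to read `HTTP_MAIL` anyway, the `forged` case shows that anyone can supply that header.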

Solution

Question #1:

How does IIS use SAML 2.0 to access ADFS?

In my opinion, IIS needs to deploy a web application that accesses ADFS by sending the request with SAML 2.0.

Answer:

Yes. You are correct.

(1) IIS needs to deploy a SAML SP (service provider) to send SAML authentication requests to ADFS.

(2) You need to configure ADFS as a SAML IdP (identity provider).

The official Microsoft page Add ADFS as a SAML identity provider provides instructions on how to configure ADFS as a SAML IdP.

Question #2:

Does it have to use ISAPI or Shibboleth?

Answer:

You can deploy Shibboleth SP (service provider) on IIS.

The official page Shibboleth SP with IIS provides instructions on how to deploy Shibboleth SP on IIS.

Follow-up Question #1:

The final result is as follows. ADFS's endpoints:

iis.*.com/Shibboleth.sso/SAML2/POST
iis.*.com/Shibboleth.sso/SAML2/Artifact

However, ADFS returns it as a POST, and I did not get the information in the request header through the program on the IIS side.

Refer to this website: Shibboleth SP for IIS でSAML対応

How can I get the data returned by ADFS through GET?

Answer:

(1) The Shibboleth SP AssertionConsumerService does NOT provide an "HTTP-Redirect" endpoint/URL for "GET".

(I) You can NOT "get the data returned by adfs through get".

(II) You have to get the data returned by adfs through POST.

(2) Assume that your website is https://shibbolethiis.int.secioss.work

(I) The Shibboleth SP AssertionConsumerService endpoint/URL, as shown by your Shibboleth SP metadata "https://shibbolethiis.int.secioss.work/Shibboleth.sso/Metadata":

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibbolethiis.int.secioss.work/Shibboleth.sso/SAML2/POST" index="1"/>

(II) Quoting the link from your comment, i.e., Shibboleth SP for IIS でSAML対応:

Select "Default Web Site" and restart IIS.

This completes the Shibboleth SP configuration. Connect to the following URL and confirm that it is running normally.

https://shibbolethiis.int.secioss.work/Shibboleth.sso/Status

If it is running normally, XML like the following is returned. If the content of the last Status tag is OK, it is working.

(III) Check your website's Shibboleth SP session:

https://shibbolethiis.int.secioss.work/Shibboleth.sso/Session

The above Shibboleth SP Session URL should display the user info carried by the SAML response sent by ADFS.

If you can NOT find any user info at the above Shibboleth SP Session URL:

(III.a) Configure ADFS to send the user info as SAML attributes in the SAML assertion/SAML response.

(III.b) Modify the Shibboleth SP "attribute-map.xml" to accept the SAML attributes sent by ADFS, with reference to the example provided by Shibboleth SP shibboleth-sp-testapp/shibboleth-sp/attribute-map.xml at the GitHub repository.

Usually Shibboleth SP uses a SAML attribute such as the "mail" attribute (e.g., ethan.smith@example.com) to log the user in to your website.

(4) Remarks:

(I) How to build and run Shibboleth SAML IdP and SP using Docker containers at the GitHub repository provides a Shibboleth SP configuration example.

(II) For your convenience, I have made a new commit to add the ADFS attributes to Shibboleth SP shibboleth-sp-testapp/shibboleth-sp/attribute-map.xml at the above GitHub repository. Note that I have used the same ADFS attributes to log in to a Box account successfully.

(III) Configuring Attributes for SAML 2.0 and ADFS 3.0 provides valuable information and discussion on how Shibboleth SP extracts the user info/data returned by ADFS through "attribute-map.xml".

Follow-up Question #2:

After modifying attribute-map.xml and visiting Shibboleth.sso/Session, it displays the following information:

Attributes mail: 1 value(s)
tel: 1 value(s)

Refer to this website: Shibboleth SP for IIS でSAML対応

5. Operation check

It displays the following information:

HTTP_MAIL:ya*@cn.*.com
HTTP_TEL:17*

How can I get information from the request header when I redirect it to GlassFish via IIS's HTTP Redirect function?

Answer:

Another StackOverflow question, Getting a Request.Headers value, provides the solution on how to get information from the request header using C#, for example,

if (Request.Headers["HTTP_MAIL"] != null) {
    string user_email = Request.Headers["HTTP_MAIL"];
}

Follow-up Question #3:

Instead of asking how to get headers on IIS, my question is how to get the login information on GlassFish. In other words, how do I pass the request-header information to GlassFish after getting it from IIS? I also asked a question in glassfish get shibboleth sp attribute on iis, and it is more detailed than this comment.

Answer:

From the cybersecurity perspective, you can NOT redirect the user info to establish the HTTP login session for the GlassFish application. Otherwise, hackers can use the same user info to log in to the GlassFish application without any authentication, such as local username/password authentication or third-party SAML authentication.

Follow-up Question #4:

When using HTTP Redirect (HTTP Rewrite or another way is also OK), how are the above values passed to GlassFish?

There is nothing in the session.

It seems that IIS's HTTP Redirect function redirects before the app on IIS executes. In other words, the session assignment does not appear to have been performed.

Did I do that right?

Answer:

(1) Apache, GlassFish, IIS, Jetty, and Tomcat can be regarded as parallel web servers for hosting web applications.

Top Java Application Servers: Tomcat vs. Jetty vs. GlassFish vs. WildFly

Microsoft IIS vs Apache Tomcat: What are the differences?

Microsoft IIS and Apache Tomcat belong to the "Web Servers" category of the tech stack.

Windows Server 2016 can run both the IIS 10 web server and the GlassFish 5.1.0 web server, and each of them can run its own web applications.

(2) From the cybersecurity perspective, different web applications should establish their HTTP login sessions on their own backend servers (such as Apache, GlassFish, IIS, Jetty, and Tomcat) after their user has been authenticated by a third-party SAML IdP (such as Shibboleth SAML IdP).

Therefore, you can NOT redirect the user info from IIS to GlassFish, because IIS and GlassFish should each establish their own, separate HTTP sessions for the user who is granted access to the web application.

Resolution:

You can use the OneLogin Java SAML SP toolkit (Code Your Java App to Provide SSO via OneLogin) to build a SAML SP for your Java-based GlassFish web application.

Note that the OneLogin SAML SP in your Java-based GlassFish web application can communicate with any SAML IdP, including OneLogin's own SAML IdP, a Shibboleth SAML IdP running in a Docker container, or the SAML IdP provided by our Zero-Password Authentication and Authorization System.
