Microservices authentication using SAML and Identity Provider
Question
We are working on the development of micro services for our domain.
We have a requirement to secure the micro services using SAML.
I read through the SAML docs and see that there would be an Identity Provider with which we have to register our application (SP), and also that we should connect to the IdP for authentication. I understand that we need to establish a circle of trust or federation between them.
I tried using the Spring Security SAML extension and SSOCircle.com as IdP for authentication, using the sample application provided. I was able to successfully authenticate accordingly.
My question is, in a micro services architecture, we have multiple services. Since it is not a monolith, we cannot just add one service as an SP to the IdP.
That means every micro service I have, say employee, department, sales etc., should also be added as a separate SP application in the IdP.
I am not sure if that makes sense or is actually possible to do.
If anyone has worked on a similar architecture/development, can you please provide your thoughts on the best way to approach the security of micro services from the point of authentication.
Thanks, bstechie
Accepted answer
Two ways to do this:
- As you said, configure each micro-service as an SP and have each SP talk to the IdP for SAML authentication.
- This is suitable if each micro-service has a different set of users, groups and roles than the others.
- There could be multiple SPs, which the admin needs to maintain.
- This is suitable if all micro-services have the same set of users, groups and roles.
- The admin may need to maintain only one SP.
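As an added illustration (not part of the original answer, and not Spring Security SAML's own validation code), the following toy check shows the mechanism behind the first option: an IdP-issued assertion carries an AudienceRestriction naming the SP's entityID, so an assertion issued for the employee SP is rejected by the sales SP unless sales is registered and named as its own audience. The assertion XML, entityIDs and IdP URL are constructed for the example, and signature verification (which a real SP performs first) is omitted.

```python
# Added example: minimal SAML 2.0 assertion audience/issuer/validity check.
# Not Spring Security SAML code; signature verification is intentionally omitted.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _parse_utc(ts: str) -> datetime:
    """Parse a SAML xs:dateTime in the common 'YYYY-MM-DDTHH:MM:SSZ' form."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_valid_for(assertion_xml: str, sp_entity_id: str,
                        expected_issuer: str, now: datetime) -> bool:
    """True only if the assertion comes from the trusted IdP, is inside its
    validity window, and names sp_entity_id as an allowed Audience.
    An assertion with no matching Audience is rejected (defensive choice)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected_issuer:
        return False
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_utc(not_before):
        return False
    if not_on_or_after and now >= _parse_utc(not_on_or_after):
        return False
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    return sp_entity_id in audiences


# Constructed sample: the IdP issued this assertion for the "employee" SP only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://employee.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

IDP = "https://idp.example.com/idp"                       # constructed trusted IdP entityID
NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)  # inside the validity window
LATE = datetime(2024, 1, 1, 12, 5, 0, tzinfo=timezone.utc)  # at NotOnOrAfter: expired

if __name__ == "__main__":
    print(assertion_valid_for(SAMPLE_ASSERTION, "https://employee.example.com/sp", IDP, NOW))  # True
    print(assertion_valid_for(SAMPLE_ASSERTION, "https://sales.example.com/sp", IDP, NOW))     # False
```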