How To Become a SAML Service Provider


Question

Good morning everyone,

My company currently develops a Java web application. A couple of our clients have internal SAML servers (identity providers?) and have requested that we integrate with them. So recently I've been reading up on it and playing around with OpenAM. After about 3 days of this I have a general understanding of it, but there are still some gaps in my knowledge. My hope is that someone can clear this up for me.

So here's how I imagine the workflow of a user logging in. Let's define our customers' SAML server as https://their.samlserver.com. So a user comes to our web application for a resource that's protected. Let's say that URL is http://my.app.com/something. So if I'm correct, "my.app.com" is what SAML defines as a "Service Provider". Our application realizes that this user needs to log in. We then present a page like this to the user...

<script>
  // jQuery: submit the form as soon as the document is ready, so the
  // user's browser carries the SAMLRequest to the IdP without a click
  $(function () { $('form').submit(); });
</script>
<form method="post" action="https://their.samlserver.com/Post/Servlet">
    <input type="hidden" name="SAMLRequest" value="someBase64Data" />
    <input type="submit" value="Submit" />
</form>

And that someBase64Data should be the base64-encoded version of this...

<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="identifier_1"
  Version="2.0"
  IssueInstant="2004-12-05T09:21:59Z"
  AssertionConsumerServiceIndex="0">
 <saml:Issuer>http://my.app.com</saml:Issuer>
 <samlp:NameIDPolicy
   AllowCreate="true"
   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

So my first couple of questions. What is the "ID" value supposed to be? And why can I declare myself as an "Issuer"? Does the Identity Provider know about me? Maybe this is that "Circle of trust" I've been seeing in OpenAM. And if it does know about me, how does it know about me and what does it need to know?

So after the user is forwarded that page, they are taken to a page provided by the IdP, https://their.samlserver.com. They authenticate on that page and the IdP does its magic to validate the authentication and look up the user. After the authentication is successful, the IdP sends back a <samlp:Response> defined here.


A few more questions. First, how does the <samlp:Response> get back to my web application so I can check it? And what should I be looking for in that response to validate that it was successful? What does a failure look like?


We currently use email address (LDAP) to identify users, so we'll probably grab that from the response and use that in the same way we do now. Anything else I should be mindful of in that response?


So now that we've checked that response for validity, we can grant the user a session like we do currently. But when they want to log out, is there a workflow for that? Do I have to notify the IDP that the user has left?


And finally, there are a couple of topics that have been thrown around in my reading and I'm not sure how they fit into this workflow. They are "Circle of trust", "Tokens", and "Artifacts".

Thanks for any help everyone. I've found a lot of information in the last couple of days, and it's possible that I could piece it together after a bit more playing. But I have yet to find a straightforward "Here's the Post" workflow article. Maybe that's because I'm wrong on how this works. Maybe it's because this isn't that popular yet. But I really wanted to make sure that I got the workflow right so I didn't miss a crucial step in something as important as user authentication.

Recommended answer

To answer your specific questions:

1.) What is the "ID" value supposed to be?


  • This should be a unique identifier for the SAML request. The SAML 2.0 spec says it's really up to the implementation how this is done, but makes the following recommendation:
    "The mechanism by which a SAML system entity ensures that the identifier is unique is left to the implementation. In the case that a random or pseudorandom technique is employed, the probability of two randomly chosen identifiers being identical MUST be less than or equal to 2^-128 and SHOULD be less than or equal to 2^-160 in length. This requirement MAY be met by encoding a randomly chosen value between 128 and 160 bits in length."

2.) How does the IdP know about you?


  • Your SP needs to be registered with the IdP. To do this, the SAML specification defines SAML metadata, which tells the IdP where your SAML receiver is, what format your certificates are in, what attributes you exchange, etc. OpenAM probably dictates some minimum requirements for configuring a trusted SP. This varies from product to product.

3.) Where does the Response go, and what should you check?


  • The Response goes to your Assertion Consumer Service URL, which you usually define in the SAML metadata you exchange with the IdP during the initial setup of your SP. When you receive a SAML Response you need to check many things, but most importantly: the SAML StatusCode should be Success, the InResponseTo ID should match the ID of the request you sent, and you must validate the digital signature on the Assertion. For that you need to trust the IdP's public verification certificate, and you will probably also want to do revocation checking.

4.) What about logout?


  • SAML 2.0 also defines a Single Logout (SLO) profile. This will log you out not only of your SP but also of the IdP, and potentially of any other SPs you established a session with. It has a similar request/response flow to Single Sign-On (SSO), so there are similar things to set up and check (status codes, signatures, etc.).

So in short - this can be quite complex to implement from scratch. It's best to use tried & true libraries and/or products like Ian suggests. Companies like his have invested hundreds of hours of developer time to implement according to the spec and test interoperability with other vendors.
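An added example (not the answerer's code and not OpenAM) of the checks point 3 lists for a Response arriving at the Assertion Consumer Service, plus the audience and validity-window checks the Web Browser SSO profile requires: StatusCode, Destination, Issuer, InResponseTo with one-time consumption of the request ID so a captured Response cannot be replayed, a Signature that references the assertion's own ID, then the attributes (a "mail" attribute stands in for the email-address lookup the question describes). Cryptographic verification of the XML signature is delegated to a verify_signature callback, because that needs an XML-DSig library (OpenSAML on the JVM, xmlsec in Python) that the standard library does not provide. The sample Response, its timestamps, the ACS URL http://my.app.com/saml/acs and the attribute name are constructed for this example; only the entity IDs come from the thread.

```python
import base64
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    """Raised for any Response that must not be turned into a session."""


def _instant(value: str) -> datetime:
    """xs:dateTime in UTC, e.g. 2004-12-05T09:22:05Z, optionally with fractional seconds."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64: str, *, idp_entity_id: str, sp_entity_id: str,
                      acs_url: str, outstanding_request_ids: Set[str],
                      verify_signature: Callable[[ET.Element], bool], now: datetime,
                      clock_skew: timedelta = timedelta(minutes=3)) -> Dict[str, str]:
    """Validate a samlp:Response posted to the ACS; return the assertion's attributes."""
    # The stdlib parser does not block entity expansion; use a hardened parser in production.
    root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))

    # 1. Status: anything but Success is a failed login (the IdP may add a StatusMessage)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        message = root.findtext(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage", default="")
        raise SamlValidationError(f"IdP status {None if code is None else code.get('Value')} {message}".rstrip())

    # 2. Destination, when present, must be this SP's ACS URL; 3. Issuer must be the IdP we registered with
    if root.get("Destination") not in (None, acs_url):
        raise SamlValidationError("Destination is not our ACS URL")
    if root.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        raise SamlValidationError("unexpected Issuer")

    # 4. InResponseTo must name an AuthnRequest we sent; consume it so the response cannot be replayed
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise SamlValidationError("InResponseTo does not match an outstanding request")
    outstanding_request_ids.discard(in_response_to)

    # 5. Exactly one Assertion; its Signature must reference the assertion's own ID
    #    (structural guard against signature wrapping) and verify against the IdP certificate
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    ref = assertion.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise SamlValidationError("Assertion unsigned, or its signature covers a different element")
    if not verify_signature(assertion):
        raise SamlValidationError("Assertion signature does not verify")

    # 6. Audience and validity window, allowing a little clock skew
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None or sp_entity_id not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise SamlValidationError("Assertion not addressed to this SP")
    if cond.get("NotBefore") and now + clock_skew < _instant(cond.get("NotBefore")):
        raise SamlValidationError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - clock_skew >= _instant(cond.get("NotOnOrAfter")):
        raise SamlValidationError("Assertion expired")
    # 7. Attributes, e.g. the mail attribute used to look the user up as the app does today
    return {a.get("Name"): a.findtext(f"{{{SAML}}}AttributeValue", default="")
            for a in assertion.iter(f"{{{SAML}}}Attribute")}


def rejection_reason(saml_response_b64: str, **checks) -> Optional[str]:
    """None when the Response is accepted, otherwise the reason it was rejected."""
    try:
        validate_response(saml_response_b64, **checks)
    except SamlValidationError as exc:
        return str(exc)
    return None


# Constructed fixture, not a real IdP message: ds:Signature is structurally present only.
FIXTURE_NOW = datetime(2004, 12, 5, 9, 22, 10, tzinfo=timezone.utc)


def sample_response_b64(in_response_to: str, status: str = STATUS_SUCCESS,
                        audience: str = "http://my.app.com") -> str:
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z" InResponseTo="{in_response_to}" Destination="http://my.app.com/saml/acs">
  <saml:Issuer>https://their.samlserver.com</saml:Issuer><samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://their.samlserver.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

Run the fixture through validate_response with the outstanding-request set from the login step and a verify_signature that calls your XML-DSig library with the IdP certificate from its metadata; a second submission of the same Response is rejected on InResponseTo because the ID was consumed, and a Response whose StatusCode is not Success never reaches the signature check. Order matters only for the error you report; every check must pass before a session is created.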
