Configure POST ProtocolBinding in Spring Security SAML authentication request


Question

Spring Security SAML insists on requesting the Artifact binding in the SAML authentication request (ProtocolBinding attribute):

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 AssertionConsumerServiceURL="http://sp.com/saml/SSO/alias/defaultAlias"
                 Destination="https://idp.com/idp"
                 ForceAuthn="false"
                 ID="a4acj06d42fdc0d3494h859g3f7005c"
                 IsPassive="false"
                 IssueInstant="2012-12-05T17:07:18.271Z"
                 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                 Version="2.0"
                 >

How can I configure POST binding instead? Thanks for any answers!

- Andreas

Recommended answer

Thanks nobby and Sanjeev, I've recently applied this to a similar case and it put me on the right track.

Being very new to the Spring Security SAML2 extension, I had to do a little extra digging around to get the WebSSOProfileOptions applied. Essentially to get an HTTP-POST binding on the SAML authentication request you need the profile options passed to the org.springframework.security.saml.websso.WebSSOProfileImpl#sendAuthenticationRequest() method.

For our config, which is very similar to the config in the Spring RC2 sample project (https://github.com/SpringSource/spring-security-saml/blob/master/saml2-sample/src/main/resources/security/securityContext.xml), this meant passing the WebSSOProfileOptions bean as described in Sanjeev's solution to the samlEntryPoint.defaultProfileOptions property (or adding a binding property there).

Trouble is, this did not result in the AuthnRequest picking up the binding property as set. In our case our SAML metadata was specifying isDefault=true on the HTTP-Artifact bound AssertionConsumerService. And in our RC2 version of the Spring Security SAML2 library this is the default behaviour of the org.springframework.security.saml.metadata.MetadataGenerator.

This can be overridden by setting the assertionConsumerIndex property of the MetadataGenerator. The HTTP Post assertion consumer gets configured at index 1 in our case.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
   <constructor-arg>
      <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
         <property name="assertionConsumerIndex" value="1" /><!-- 1=HTTP-POST -->
      </bean>
   </constructor-arg>
</bean>
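
The two settings the answer describes, combined in one context fragment, as an added example that is not part of the original answer or of the Spring sample project. The bean ids are assumed to match the sample project's securityContext.xml, and index 1 for HTTP-POST is the value from the answer; check the AssertionConsumerService entries in your own generated SP metadata before relying on it.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

   <!-- Entry point that starts SSO; bean id assumed from the sample project -->
   <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
      <property name="defaultProfileOptions">
         <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <!-- Binding option referred to in the answer. According to the
                 answer, setting it alone did not change ProtocolBinding
                 while the metadata default was still HTTP-Artifact. -->
            <property name="binding"
                      value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
         </bean>
      </property>
   </bean>

   <!-- Generates the SP metadata, including the AssertionConsumerService list -->
   <bean id="metadataGeneratorFilter"
         class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
      <constructor-arg>
         <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <!-- Makes the consumer at this index the default one instead of
                 HTTP-Artifact; 1 = HTTP-POST in the answerer's setup -->
            <property name="assertionConsumerIndex" value="1" />
         </bean>
      </constructor-arg>
   </bean>

</beans>
```

After redeploying, the regenerated metadata should carry isDefault="true" on the HTTP-POST AssertionConsumerService, and a fresh AuthnRequest should show ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".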
