如何实现SAML SSO [英] How to implement SAML SSO
问题描述
如何实施SAML SSO?
How is SAML SSO typically implemented?
我读过这个(nb已过时)关于在Google Apps上使用SAML,以及 SAML 。
I've read this (n.b. obsolete) about using SAML with Google Apps, and the wikipedia entry on SAML.
维基百科条目讨论了使用包含SAMLRequest和SAMLResponse详细信息的表单进行响应。这是否意味着用户必须在物理上提交表单才能继续进行单点登录?
The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign on?
谷歌条目谈到使用重定向,这似乎更无聊我。但是,它还讨论了使用用户必须提交的响应表单(虽然它确实讨论了使用JavaScript自动提交表单)。
The google entry talks about using redirects, which seems more seemless to me. However, it also talks about using a form for the response which the user must submit (although it does talk about using JavaScript to automatically submit the form).
这是这样做的标准方式?使用重定向和JavaScript进行表单提交?
Is this the standard way of doing this? Using redirects and JavaScript for form submission?
有没有人知道如何在Windows域和J2EE Web应用程序之间实现SSO的其他好资源。 Web应用程序位于单独的网络/域中。我的客户希望使用 CA Siteminder (使用SAML)。
Does anyone know of any other good resources about how to go about implementing SSO between a Windows Domain and a J2EE web application. The web application is on a separate network/domain. My client wants to use CA Siteminder (with SAML).
推荐答案
这样做的方式是,在对用户进行身份验证后,SAML身份提供程序(IdP)将表单呈现给包含SAML的浏览器响应 - 表单的动作(即目标)是服务提供商(SP)。在HTML中,有一个JavaScript onLoad事件提交表单,因此净效果是用户自动从IdP转到SP,SAML响应。
The way this works is that, after authenticating the user, the SAML identity provider (IdP) renders a form to the browser containing the SAML response - the form's 'action' (i.e. target) is the service provider (SP). In the HTML, there is a JavaScript onLoad event that submits the form, so the net effect is that the user is automatically taken from the IdP to the SP, SAML response in hand.
用户必须单击任何内容以提交表单的唯一时间是他们禁用了JavaScript。在这种情况下,SAML实现通常会在< noscript> 标记中提供带按钮的消息。
The only time a user would have to click anything to submit the form is if they have JavaScript disabled. In this case, SAML implementations typically provide a message with a button to press in the <noscript> tag.
有关详细信息,请参阅几年前我写过的这篇文章 - 但请注意,'Lightbulb'现在已经过时了 - 对于PHP SAML,请参阅 simpleSAMLphp 。
For more detail see this article I wrote a few years ago - but note, 'Lightbulb' is long obsolete now - for PHP SAML see simpleSAMLphp.
您的客户希望使用CA SiteMinder - 开源 OpenAM ,这是一种耻辱。 (以前称为OpenSSO)很容易做到这一点。
It's a shame your client wants to use CA SiteMinder - the open source OpenAM (formerly known as OpenSSO) does this pretty easily.
这篇关于如何实现SAML SSO的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
