How to make an OpenID call from a SAML request


Problem description

Implementing SSO in my application, and from app-1 I need to make a REST call to app-2. I log in to app-1 with SAML and authenticate successfully, then try the REST call from app-1 with OpenID, but since authentication uses SAML only, I am not able to get the access/bearer token. Please help with how to get the access/bearer token from the SAML request/response. I'm using Keycloak Server for the SSO implementation.

Recommended answer

(1) OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

(2) Presently there is no IETF draft document regarding a SAML 2.0 Profile for OpenID Connect clients.

We can refer to the IETF draft document SAML 2.0 Profile for OAuth 2.0 Client.

The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This supports the OAuth 2.0 SAML flow, which is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.

(3) Both Auth0 and the open-source WSO2 Identity Server implement the SAML profile for OpenID Connect/OAuth to convert a SAML token to an OpenID Connect/OAuth token, as demonstrated by Auth0 SAML Configuration and WSO2 Adding and Configuring an Identity Provider. In other words, Auth0 and WSO2 Identity Server can relay SAML authentication provided by a SAML IdP to either an OpenID Connect client or an OAuth 2.0 client.
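As an added illustration (not code from the answer, from Keycloak, or from the IETF draft it cites), here is the SAML bearer assertion grant described above on both sides: the client packs the IdP-issued assertion into the token request, and the authorization server checks issuer, bearer confirmation, validity window and audience before it would issue an access token. The endpoint and issuer URLs and the unsigned assertion are constructed placeholders; the XML signature verification the profile also requires is left out because it needs an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_ENDPOINT = "https://as.example.test/oauth/token"  # placeholder token endpoint (must appear as Audience)
TRUSTED_ISSUER = "https://idp.example.test/saml"        # placeholder entity ID of the trusted SAML IdP

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation Method="{BEARER_METHOD}"/></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""  # constructed, unsigned sample; a real assertion is issued and signed by the IdP

def build_token_request(assertion_xml: str) -> dict:
    """Client side: form parameters of the RFC 7522 token request (assertion base64url-encoded, no padding)."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return {"grant_type": SAML2_BEARER, "assertion": encoded}

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(encoded: str, now_iso: str) -> str:
    """Authorization-server side: RFC 7522 section 3 checks; returns the subject NameID or raises ValueError."""
    # NOTE: the XML-Signature check the profile also requires is omitted here (needs an xmldsig library).
    now = _ts(now_iso)
    root = ET.fromstring(base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)))
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        raise ValueError("untrusted Issuer")
    if not root.findall(".//saml:SubjectConfirmation[@Method='%s']" % BEARER_METHOD, NS):
        raise ValueError("no bearer SubjectConfirmation")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise ValueError("missing Conditions validity window")
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if TOKEN_ENDPOINT not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("token endpoint not in AudienceRestriction")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)

def reject_reason(encoded: str, now_iso: str):
    """None when the assertion passes every check above, else the reason it was refused."""
    try:
        validate_assertion(encoded, now_iso)
    except ValueError as exc:
        return str(exc)
    return None
```

The request body is what the client would POST to the authorization server's token endpoint; an accepted assertion yields an access token that app-1 can then send as a bearer token to app-2.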
