Configuring Spring SAML for SSO with PingFederate


Question


We have decided to use Ping Federate to be our SSO solution. I have searched many examples but have not found a spring configuration that clearly describes how I need to set up my SP and/or IdP on the PingFederate side. I have not found a Spring document that describes what I need exactly to implement this.

Any help is appreciated.

Recommended answer


Currently there's no step-by-step guide on establishing federation between Spring SAML and Ping, but the steps are very similar to what's described in the quick start guide of Spring SAML.


The best approach is to start with the sample application included inside Spring SAML, configure it to work with Ping and then transfer the configuration to your current Spring application.

The high-level steps are:

  • deploy Spring SAML sample application
  • download its SP metadata from https://server:port/context/saml/metadata (just open browser to the URL and store all content it returns)
  • configure Ping by creating new "SP Connection", as part of the process you import metadata which you stored earlier, to start with you can use defaults on most of the settings
  • when done, export the IDP metadata from Ping using Administrative functions -> Metadata Export for the connection you created in the previous step
  • import the IDP metadata to your Spring SAML (examples are in the manual)


This establishes federation between the two and enables you to start authenticating your users through Ping.


The metadata configuration (bean metadata) should look as follows in your case:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:security/idp.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>


Make sure to replace resources/security/idp.xml with metadata from PF. You can remove all unused instances of ExtendedMetadata beans (like the one for SSO Circle). The reason metadata bean can contain multiple "links" is that it can support many IDPs at the same time.

