Configuring Ping Federate and Spring SAML to authenticate application

Question

I installed PingFederate on an AWS EC2 running Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09. I have a Java application that is using Spring Security for authentication.

I have read about how with PingFederate, I can set up an Identity Provider (IdP) and a Service Provider (SP). I have gathered that the IdP would be the Application User providing login credentials (the Identity) and passing this to the SP, which has the Target Application as a part of the SP in this diagram on this page here:

http://documentation.pingidentity.com/display/PF66/Service+Providers+and+Identity+Providers

This image also shows the Federated Identity Software on both sides of the IdP and the SP.

I have created an IdP and SP with my local PingFederate server just to see what the configuration options are and I am confused on which parts of this I actually need to be able to have a SSO for my Spring Security application.

My questions are:

  1. Do I need an IdP and SP to implement what I am trying to do?

  2. Right now our usernames and passwords are stored in a SQL Server, would I leverage this for PingFederate to use to authenticate the users?

  3. Should I even be using Spring Security SAML for this or would another route be more appropriate?

Thanks for any help. I have reached out to PingFederate, but my Regional Solutions Architect happens to be out until Friday.

I also apologize if I am completely off in my thinking; I am trying to wrap my mind around what is needed.

Solution

Presuming your goal is to establish federation between Ping and your application (in order to e.g. externalize authentication or enable single sign-on), your thinking is correct.

Ping Federate serves as an Identity Provider (IDP), and you can configure it to connect to your SQL Server so that it can authenticate your existing users from there. The IDP communicates with other applications, which are called Service Providers (SP).

In order to connect to Ping, your application therefore needs to be able to act as a SAML 2.0 Service Provider, and using Spring SAML is a very good way to enable it to do so.

The typical flow of data between SP and IDP for single sign-on is similar to:

  1. User accesses SP application which requires authentication
  2. SP creates an AuthenticationRequest and sends it to IDP (using redirect in user's browser)
  3. IDP processes the request and authenticates the user
  4. IDP responds back to SP with an AuthenticationResponse message
  5. SP processes the response and creates a session for the user based on the included data
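The five-step exchange above, as an added simulation written for this answer (not Spring SAML's or PingFederate's code): both sides' messages are built with Python's standard library, and the checks the SP must make in step 5 before it trusts the response (issuer, Destination, InResponseTo, validity window, audience, single use of each request ID) are made explicit. All entity IDs and URLs are constructed placeholders, and XML signature verification is deliberately left out, so a real SP must verify the IdP's signature before any of these checks mean anything.

```python
import base64, secrets, zlib, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for this example; none of them come from the original page.
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.com/saml/metadata", "https://sp.example.com/saml/SSO"
IDP_ENTITY_ID, IDP_SSO_URL = "https://idp.example.com/idp", "https://idp.example.com/idp/SSO.saml2"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
ts = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)   # parse a SAML timestamp

def sp_build_redirect(pending):
    """Step 2: the SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding."""
    req_id = "_" + secrets.token_hex(16)
    pending.add(req_id)                                    # kept so the response can be correlated
    xml = (f'<p:AuthnRequest xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" ID="{req_id}" Version="2.0" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<a:Issuer>{SP_ENTITY_ID}</a:Issuer></p:AuthnRequest>')
    raw = zlib.compress(xml.encode())[2:-4]                # raw DEFLATE: drop zlib header and checksum
    return f"{IDP_SSO_URL}?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def idp_respond(redirect_url, user, audience=SP_ENTITY_ID, ttl_seconds=300):
    """Steps 3-4: the IdP decodes the request, authenticates `user` (elided) and issues a Response.
    `audience` and `ttl_seconds` are parameters only so the SP-side checks can be exercised."""
    q = parse_qs(urlparse(redirect_url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    now = datetime.now(timezone.utc)
    # Destination comes from the IdP's registered SP connection, never from the request itself.
    resp = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" ID="_{secrets.token_hex(16)}" '
            f'Version="2.0" InResponseTo="{req.get("ID")}" Destination="{SP_ACS_URL}">'
            f'<a:Issuer>{IDP_ENTITY_ID}</a:Issuer><a:Assertion><a:Subject><a:NameID>{user}</a:NameID>'
            f'</a:Subject><a:Conditions NotBefore="{now.strftime(FMT)}" '
            f'NotOnOrAfter="{(now + timedelta(seconds=ttl_seconds)).strftime(FMT)}">'
            f'<a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction>'
            f'</a:Conditions></a:Assertion></p:Response>')
    return base64.b64encode(resp.encode()).decode()        # carried back in the SAMLResponse POST field

def sp_consume(saml_response_b64, pending):
    """Step 5: the SP validates the Response before creating a session and returns the NameID.
    Signature verification against the IdP metadata certificate is omitted here; it must run first."""
    now, resp = datetime.now(timezone.utc), ET.fromstring(base64.b64decode(saml_response_b64))
    cond = resp.find("a:Assertion/a:Conditions", NS)
    if resp.find("a:Issuer", NS).text != IDP_ENTITY_ID: raise ValueError("issuer is not the configured IdP")
    if resp.get("Destination") != SP_ACS_URL: raise ValueError("Destination is not this SP's ACS URL")
    if resp.get("InResponseTo") not in pending: raise ValueError("unsolicited or replayed response")
    if not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")): raise ValueError("outside validity window")
    if cond.find("a:AudienceRestriction/a:Audience", NS).text != SP_ENTITY_ID: raise ValueError("wrong audience")
    pending.remove(resp.get("InResponseTo"))              # one use per request ID, which blocks replay
    return resp.find("a:Assertion/a:Subject/a:NameID", NS).text
```

Spring SAML performs the same checks (plus signature validation) inside its SP processing, which is why the answer recommends letting it play the SP role rather than hand-rolling the consumer.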
