使用Kentor.AuthServices.StubIdp作为生产IDP [英] Using Kentor.AuthServices.StubIdp as production IDP

问题描述

我正在尝试在我的应用程序中实现IDP(SAML2)服务器.考虑到我的应用程序具有所需的所有数据，我不希望任何合作伙伴要求我们的客户进行注册.

I'm trying to implement an IDP (SAML2) server inside my application. I don't want any of my partners to ask our customers to register on their side given the fact that my application has all the data needed.

我对SAML2协议不是很熟悉.我发现项目 Kentor.AuthServices.StubIdp 最多有趣，因为它实现了我需要的一切.我还知道它不是为生产目的而构建的.

I'm not very familiar with the SAML2 protocol. I found the project Kentor.AuthServices.StubIdp to be the most interesting because it implements everything I need. I'm also aware that it's not built for production purposes.

我计划在StubIdp之上构建IDP，因为我负担不起 ComponentPro这样的昂贵解决方案.

I planned to build the IDP on top of StubIdp, because I can't afford pricey solutions like ComponentPro.

还有更好的选择吗?在StubIdp之上构建是个好主意吗?

Is there a better alternatives? Is building on top of StubIdp a good idea?

推荐答案

SAML2登录可以通过两种方式完成:

SAML2 login can be done in two ways:

1. 由SP发起，其中SP向Idp发送AuthnRequest，Idp用SamlResponse回答.
2. Idp要求，Idp发送未经请求的SamlResponse.

Kentor.AuthServices(驱动StubIdp的库)包含Idp启动的登录所需的所有内容.在Stub Idp源代码中查找其完成方式.

Kentor.AuthServices (the library that drives the StubIdp) contains everything needed for Idp-initiated logins. Look in the Stub Idp source for how it's done.

正确执行SP启动的登录更为复杂，因为Idp应该对传入的AuthnRequest进行一些验证.这些验证在Stub Idp中完全丢失(这是测试环境的想法).实施SP启动的登录肯定是可行的，但是要安全地执行登录，还需要做更多的工作.

Doing SP-initiated login correctly is more complicated as the Idp should do some validation on the incoming AuthnRequest. Those validations are completely missing in the Stub Idp (that's kind of the idea for a testing environment). Implementing SP-initiated login is definitely possible, but to do it securely a lot more work is needed.

这篇关于使用Kentor.AuthServices.StubIdp作为生产IDP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！