我们绝对需要 SAML 的 STS 吗? [英] Do we absolutely need a STS for SAML?
问题描述
我是第一次尝试实现支持 SAML 的 SOAP 服务,我有一些关于安全令牌服务 (STS) 在 SAML 实现中的作用的概念性问题.
I am trying to implement SAML enabled SOAP services for the first time and I have some conceptual questions regarding the role of a Secure Token Service (STS) in a SAML implementation.
用户 ---> Web 应用程序 ---SOAP/SAML--> 消息应用程序
User ---> Web Application ---SOAP/SAML--> Messaging Application
基本上这个场景是用户使用他的用户名和密码登录到 Web 应用程序,Web 应用程序反过来使用外部服务对用户进行身份验证和授权,在成功的身份验证/授权后,Web 应用程序创建一个 Sender Vouches SAML 断言以用户为主体,使用其私钥对断言进行签名,使用 WS-S 将断言打包在一个 soap 信封中,并对消息传递应用程序进行 SOAP 调用.消息传递应用程序收到请求后,它会使用 Web 应用程序的公钥验证签名,从 SAML 断言中提取身份验证和属性语句,并根据它们在端点上实施身份验证策略.
Basically the scenario is that the user logs into the Web application using his user name and password, web application in turn authenticate and authorize the user with an external service, on successful authentication/authorization, Web application creates a Sender Vouches SAML assertion with user as subject, signs the assertion with its private key, packages the assertion in a soap envelope using WS-S and makes a SOAP call to the messaging application. Once messaging application receive the request, it verifies the signature with the public key of the web application, pull the authentication and attribute statements out of the SAML assertion and based on them enforce auth policy on the end point.
正如您在上面的场景中看到的,没有涉及外部 STS,但是我在 SAML 上阅读的大多数文献都表明绝对需要 STS.我的问题是我在上述情况下做错了什么,因为我看不出我绝对需要 STS 的任何理由.当然,拥有 STS 会很好,但至少在我看来,没有它并不能阻止我为我的用例实施 SAML.
As you can see in the above scenario there was no external STS involved however most literature I have read on SAML suggest that an STS is absolutely required. The question I have is that am I doing anything wrong with the above scenario since I cannot see any reason why I would absolutely need an STS. Sure it would be nice to have a STS but at least in my opinion, absence of it does not stop me from implementing SAML for my use case.
推荐答案
不,Web 服务中的 SAML 令牌不需要 STS.STS 将一个令牌(其中令牌"包括用户名+密码之类的东西)交换为另一个,因此它很有用,因为您的 Web 服务使用者可以发送一些输入令牌(通常为用户名+密码或签名+X.509 证书以供简单使用)案例)发送到 STS 并返回 SAML 断言,一切就绪.
No, you don't need an STS for SAML tokens in web services. The STS exchanges one token (where 'token' includes things like username+password) for another, so it's useful in that your web service consumer can send some input token (typically username+password or a signature+X.509 cert for simple use cases) to the STS and get back a SAML assertion all ready to go.
现在,如果您有能力创建将被您的 Web 服务提供商接受的 SAML 令牌,那就来吧!不需要 STS - 线路上的实际 SOAP 消息是相同的,无论其创建过程中是否涉及 STS.
Now, if you have the capability to create SAML tokens that will be accepted by your web service provider, have at it! No STS necessary - the actual SOAP message on the wire is identical whether or not an STS was involved in its creation.
几年前我写了几篇博客文章,详细介绍了其中的一些内容:
I wrote a couple of blog entries a few years ago that detail some of this:
Java EE Tools/NetBeans 5.5 Enterprise Pack 中的 Access Manager 7.1 Beta
Sun Access Manager 7.1 已被 OpenAM 取代,但原则保持不变.特别是,第二个条目独立于任何实际产品.
Sun Access Manager 7.1 has been superseded by OpenAM, but the principles remain the same. In particular, the second entry is independent of any actual product.
这篇关于我们绝对需要 SAML 的 STS 吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
