如何将 SAML 设置为多个域? [英] How to setup SAML to mutiple domain?
问题描述
我正在学习 SAML 并且已经阅读了许多文章和论坛,但我仍然对设置 IdP 感到困惑.我正在使用https://simplesamlphp.org/"
I am learning about SAML and already read many articles and forums but I still having confusion about setup IdP.
I am using "https://simplesamlphp.org/"
例如,我有 3 个网站example.com"、one.example.com"、two.example.com">";全部都在三个不同的服务器上.现在,我想使用 SAML 设置单点登录,然后我需要在哪个服务器上设置 IdP.由于example.com"是主域,其中包含有关用户的所有信息.
For example, I have 3 websites "example.com", "one.example.com", "two.example.com";
All are on three different server.
Now, I want to setup single sign on login using SAML then on which server I need to setup IdP.
As "example.com" is main domain which has all the information about user.
据我所知,当我登录example.com"时,它会向 IdP 发送请求.
As I learn, when I login to "example.com" then it sends request to IdP.
但我不知道我必须在哪里设置 IdP 以及 Idp 包含什么?.它在example.com"托管的同一台服务器上或其不同的服务器上,我必须在该服务器上编写什么逻辑?这是简单的登录功能,或者我需要为此设置simplesaml"并将登录逻辑设置到那里.
But I don't get any idea where I have to set IdP and what Idp contains?.
Its on same server where "example.com" hosted OR its different server and what logic I have to write on that server?
It's simple login function OR I need to setup "simplesaml" for this and set login logic to there.
设置IdP后,我需要在其他服务器one.example.com"、two.example.com"上做什么?我是否需要再次将simplesaml"安装到服务器并设置 SP 和 IdP?
After setting up IdP, what I need to do on other server "one.example.com", "two.example.com"?
Do I need to install again "simplesaml" to both server and set SP and IdP?
排序后,哪个服务器有 IdP 和 SP?我需要在哪个服务器上安装simplesaml"?
In sort, which server has IdP and SP? And on which server I need to install "simplesaml"?
提前致谢
推荐答案
身份提供者是提供有关用户信息的人.您将创建一个,我们称之为idp.example.com.
Identity provider is the one who supplies info about users. You'd create one, let's call it idp.example.com.
您可以在那里安装 simpleSAML 并对其进行配置,以便它可以读取有关您的用户的信息,无论是在 MySQL、LDAP 等中(这是 IdP 设置的棘手部分).
You'd install simpleSAML there and configure it so it can read info about your users, be it in MySQL, LDAP etc. (this is the tricky part with IdP setup).
现在,您的网站将成为服务提供商,如果用户未通过身份验证,他们会将用户重定向到 idp.example.com,用户登录,idp.example.com 将用户与包含断言的 XML 文档一起返回给服务提供者.
Now, your websites would be service providers and if user isn't authenticated, they'd redirect the user to idp.example.com, user logs in, idp.example.com returns the user to service provider with the XML document containing assertions.
这意味着您的 SP 需要能够使用 IdP 发送到您网站的SAMLResponse.
That means your SP needs to be able to consume the SAMLResponse which IdP sends to your site.
您可以使用 simpleSAML 来使用它,您现在可以在 SP 模式下配置它.
You can consume this with simpleSAML, which you'd configure in SP mode now.
请记住,SSP (simplesamlphp) 不是 PHP 中处理 SAML 的唯一选择.还有 Lightsaml - 一个合适的库.SimpleSAML 不仅仅是一个库,它还是一个完整的解决方案,老实说 - 一个超级超级糟糕的解决方案,它是人们可以输入并制作一个实际工作的系统(很像 wordpress)的垃圾代码的缩影.
Bear in mind that SSP (simplesamlphp) isn't the only option in PHP to deal with SAML. There's also Lightsaml - a proper library. SimpleSAML isn't just a library, it's a complete solution and quite honestly - a super SUPER terrible one at that, it's the epitome of crap code one can type out and make a system that actually works (much like wordpress).
TL;博士:
- 创建 IdP ->
idp.example.com-> 配置或创建根据您的用户来源(LDAP、ActiveDirectory、关系数据库等)对用户进行身份验证的模块.) - 配置您的 3 个网站以使用
idp.example.com 进行身份验证 - 将您的 3 个网站配置为能够使用来自
idp.example.com 的响应
- create an IdP ->
idp.example.com-> configure or create the module that authenticates users against your user source (LDAP, ActiveDirectory, relational database etc.) - configure your 3 websites to authenticate using
idp.example.com - configure your 3 websites to be able to consume responses from
idp.example.com
这一切都可以用 simplesamlphp 实现.如果您想更进一步并自己实现或使用 SAML - 您可以使用我链接的库.通过 Lightsaml 库需要花费更多时间,因为您必须处理单点注销和单点登录、加密、数字签名、端点、元数据等.
It's all doable with simplesamlphp. If you want to take it further and implement or play with SAML on your own - you can use the library I linked. It'll take way, way, way longer to do it via Lightsaml library though since you have to take care of single logout and single sign-on, encryption, digital signatures, endpoints, metadata etc.
这篇关于如何将 SAML 设置为多个域?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
