Spring Security SAML extension with OPENAM


Problem description

So here is the scenario.

I have my web app <==> IDP Proxy <==> IDP. Both the IDP proxy and the IDP are openam instances. The idea is we may add additional IDPs (from other clients), so we want a proxy to shield the complexity.

So here the IDP Proxy is: http://idpproxydev.devs1.int:8080/openam

The IDP URL is: http://idpdev.devs1.int:80/openam

My web app is: http://ocr-jq0zt91.devs1.int:9081/LOS

I started using http://static.springsource.org/spring-security/site/extensions/saml/index.html for integrating, and now I see that the SAML request was sent from my web app.

The issue I have right now is that when I tested my setup using Fedlet (a client that is generated using Openam on the IDP proxy), the request goes to the proxy and then gets routed to the IDP, because the SAML request generated by Fedlet has that additional information, which is this snippet in the SAML request:

<samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProxyCount="1">
    <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        ProviderID="http://idpdev.devs1.int:80/openam"/>
    </samlp:IDPList>
</samlp:Scoping>

So the only difference I see is this additional payload in the FEDLET generated SAML request.

So by seeing the above snippet in the SAML request, the IDP proxy knows that the final destination is not itself (http://idpproxydev.devs1.int:8080/openam), but another entity, which in this case is http://idpdev.devs1.int:80/openam.

Fedlet has an additional property file for extended metadata (sp-extended.xml) where we can add these additional things.

<Attribute name="enableIDPProxy">
    <Value>true</Value>
</Attribute>
<Attribute name="idpProxyList">
    <!-- the attribute name is a little confusing, as this is the IDP -->
    <Value>http://idpdev.devs1.int:80/openam</Value>
</Attribute>
<Attribute name="idpProxyCount">
    <Value>1</Value>
</Attribute>

However, in the spring saml security library I don't see any way where I can add these additional attributes so that the SAML request can include this info. Is there a way I can feed the additional attributes listed above, so that the spring saml extension can read them when my web app sends the request?

Recommended answer

I found the fix for this issue. You need to use org.springframework.security.saml.websso.WebSSOProfileOptions.

Here is one example from my web app. Add this into your security.xml:

<beans:bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <beans:property name="defaultProfileOptions">
        <beans:bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <beans:property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <beans:property name="includeScoping" value="true"/>
            <!-- omit proxyCount to leave it out of the request, 0 to disable proxying, >0 to allow proxying -->
            <beans:property name="proxyCount" value="1"/>
            <beans:property name="allowedIDPs">
                <beans:set>
                    <beans:value>http://idpproxydev.devs1.int:80/openam</beans:value>
                </beans:set>
            </beans:property>
            <!-- allowed values are in AuthnContextComparison.java -->
            <beans:property name="authnContextComparison" value="EXACT"/>
            <beans:property name="authnContexts">
                <beans:list>
                    <beans:value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</beans:value>
                </beans:list>
            </beans:property>
            <beans:property name="nameID" value="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
            <beans:property name="allowCreate" value="true"/>
        </beans:bean>
    </beans:property>
</beans:bean>

Now I see that my SAML request from the WEB app has the IDP list.

Also added some additional notes on integrating a JSF web app with openam using the SPRING SAML extension.

Please see my articles on generic info related to Openam concepts: http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html

Steps to integrate a JSF 2 web application with Openam using the Spring SAML extension and Spring Security: http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html

-Rama
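As an added example (not code from the question or the answer above, nor from Spring Security SAML or OpenAM), the following Python builds an AuthnRequest carrying the Scoping element that includeScoping, proxyCount and allowedIDPs make the SP emit, encodes it as the SAMLRequest parameter for both the HTTP-POST and HTTP-Redirect bindings, decodes one back, and applies the check a proxy would before forwarding: every IDPEntry must be an IDP the proxy is configured for, and ProxyCount must still permit proxying. The URLs are the ones from the question; the request ID and IssueInstant are constructed placeholders, and the XML is serialized by ElementTree rather than by the Spring library.

```python
"""Build, encode and inspect the <samlp:Scoping> element of a SAML 2.0 AuthnRequest (stdlib only)."""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# URLs from the question: the SP (web app) sends to the proxy, which forwards to the IDP.
SP_ENTITY_ID = "http://ocr-jq0zt91.devs1.int:9081/LOS"
IDP_PROXY = "http://idpproxydev.devs1.int:8080/openam"
IDP = "http://idpdev.devs1.int:80/openam"


def build_authn_request(issuer, destination, proxy_count, allowed_idps):
    """Return an AuthnRequest (XML text) with Scoping/ProxyCount/IDPList.

    Mirrors what includeScoping=true, proxyCount and allowedIDPs produce; serialized
    here with ElementTree, not by Spring Security SAML."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id",          # placeholder, not a real message ID
        "Version": "2.0",
        "IssueInstant": "2013-06-01T00:00:00Z",   # placeholder timestamp
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    scoping_attrs = {} if proxy_count is None else {"ProxyCount": str(proxy_count)}
    scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping", scoping_attrs)
    if allowed_idps:
        idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
        for provider_id in allowed_idps:
            ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": provider_id})
    return ET.tostring(req, encoding="unicode")


def encode_saml_request(xml_text, redirect_binding=False):
    """SAMLRequest parameter: base64 for HTTP-POST, base64(raw DEFLATE) for HTTP-Redirect."""
    data = xml_text.encode("utf-8")
    if redirect_binding:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits: raw DEFLATE, no zlib header
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(param):
    """Undo encode_saml_request; a bare XML document means the POST binding, otherwise inflate."""
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def extract_scoping(xml_text):
    """Return (ProxyCount or None, [ProviderID, ...]) from an AuthnRequest or a bare Scoping element.

    ElementTree is adequate for this offline check; a proxy parsing requests from the network
    should use a parser hardened against entity expansion (e.g. defusedxml)."""
    root = ET.fromstring(xml_text)
    scoping = root if root.tag == f"{{{SAMLP}}}Scoping" else root.find(f"{{{SAMLP}}}Scoping")
    if scoping is None:
        return None, []
    count = scoping.get("ProxyCount")
    entries = scoping.findall(f"{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")
    return (int(count) if count is not None else None), [e.get("ProviderID") for e in entries]


def scoping_is_acceptable(xml_text, known_idps):
    """Proxy-side check: forward only if the request names at least one IDP, every named IDP
    is one this proxy is configured for, and ProxyCount (when present) is still positive."""
    count, requested = extract_scoping(xml_text)
    if not requested or not set(requested) <= set(known_idps):
        return False
    if count is not None and count <= 0:
        return False
    return True


if __name__ == "__main__":
    request = build_authn_request(SP_ENTITY_ID, IDP_PROXY, 1, [IDP])
    for redirect in (False, True):
        param = encode_saml_request(request, redirect_binding=redirect)
        print("Redirect" if redirect else "POST", extract_scoping(decode_saml_request(param)))
    print("proxy may forward:", scoping_is_acceptable(request, [IDP]))
```

Running the script prints the (ProxyCount, [ProviderID]) pair recovered from both encodings, which is the quickest way to confirm that the web app's request really carries the IDP list the answer describes; pointing extract_scoping at a captured SAMLRequest parameter works the same way.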
