我们需要在 IDP 发起的 SSO (SAML) 中使用 Keystore/JKSKeyManager 吗? [英] Do we need Keystore/JKSKeyManager in IDP initiated SSO (SAML)?

问题描述

我已经使用 Spring-SAML 扩展成功实现了 SSO 身份验证.我们支持 IDP 发起的 SSO 到我们的应用程序的主要要求.好吧，通过使用 spring-security-saml2-sample 中的配置，甚至 SP 启动的 SSO 流程也适用于我们.

I've successfully implemented SSO authentication using Spring-SAML extension. Primary requirement for us to support IDP-initiated SSO to our application. Well, by using the configurations from spring-security-saml2-sample even SP-initiated SSO flow also works for us.

问题:密钥库是否用于 IDP 发起的 SSO(如果元数据有证书)?如果不使用，我想从 securityContext.xml 中删除密钥库配置.

Question: Is keystore is used in IDP-initiated SSO (if metadata has certificate)? If not used, I would like to get rid of keystore configurations from securityContext.xml.

注意:我们不需要 SP 发起的 SSO 和全局注销.我们使用 Okta 作为 IDP.

Note: SP-initiated SSO and Global logout is not needed for us. We use Okta as IDP.

推荐答案

这是一个很好的功能请求.我打开了 https://jira.spring.io/browse/SES-160Spring SAML 的主干中为您提供支持和支持，如下所示文档:

This is a good feature request. I've opened https://jira.spring.io/browse/SES-160 for you and support is available in Spring SAML's trunk with the following documentation:

如果您的应用程序不需要创建数字签名和/或解密传入的消息，可以使用空的不需要任何 JKS 文件的密钥库的实现- org.springframework.security.saml.key.EmptyKeyManager.这可以是例如，当仅使用 IDP 初始化的单点登录时.请注意，当使用 EmptyKeyManager 一些 Spring SAML功能将不可用.这至少包括 SP 初始化单点登录、单点注销、使用附加密钥ExtendedMetadata 和元数据签名的验证.使用以下 bean 以初始化 EmptyKeyManager:

In case your application doesn't need to create digital signatures and/or decrypt incoming messages, it is possible to use an empty implementation of the keystore which doesn't require any JKS file - org.springframework.security.saml.key.EmptyKeyManager. This can be the case for example when using only IDP-Initialized single sign-on. Please note that when using the EmptyKeyManager some of Spring SAML features will be unavailable. This includes at least SP-initialized Single Sign-on, Single Logout, usage of additional keys in ExtendedMetadata and verification of metadata signatures. Use the following bean in order to initialize the EmptyKeyManager:

<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>

这篇关于我们需要在 IDP 发起的 SSO (SAML) 中使用 Keystore/JKSKeyManager 吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！