我如何从Java与ADFS对话? [英] How do I talk to ADFS from Java?
问题描述
我们在Caucho Resin上运行了一个网站。该站点的绝大多数是JSP / Java。我们在网站上有自己的自定义身份验证,这意味着我们没有使用任何第三方身份验证框架。我们托管网站,而不是我们的客户。
We have a website running on Caucho Resin. The great majority of the site is JSP/Java. We have our own custom authentication on the site, meaning we aren't using any third party authentication frameworks. We host the website, not our clients.
我们的大客户希望让他们的用户使用他们的活动目录凭据登录我们的站点。为此,我假设我将使用SAML与ADFS交谈,如果错误,请纠正我。
Our large clients want to have their users log into our site with their active directory credentials. For this I'm assuming I will be talking to ADFS with SAML, please correct me if that is wrong.
所以我的问题是如何用Java做到这一点?据我所知,OpenSAML听起来并没有做任何事情,如果我想要更多,那么我需要使用Shibboleth。还有其他选择吗?如果我想要的是用户能够登录,我最好的选择是什么?
So my question is how do I go about doing that with Java? from what I can tell there is OpenSAML which sounds like it doesn't do everything, and if I want more then I need to use Shibboleth. Are there other alternatives? if all I want is for the users to be able to log in, what is my best option?
任何信息都会有所帮助。谢谢。
Any information would help. Thank you.
编辑:我刚刚发现另一个选项是OAuth。优点?缺点?
I've just found out that another option would be OAuth. Pros? Cons?
推荐答案
您的应用程序需要直接(从您的代码)或间接(例如通过)充当SAML SP反向代理,应用程序服务器上的SAML SP支持,...)。
Your application needs to act as a SAML SP, either directly (from your code), or indirectly (e.g. through SAML SP support on reverse proxy, application server, ...).
对于直接选项(需要对应用程序进行更多修改)可以:
For direct options (which require more modifications to your application) you can:
- 自己编写SAML SP代码(很可能用 OpenSAML ,您可以在现有产品的来源中找到示例)
- 使用现成的产品集成到您的产品中应用程序,例如 Spring SAML 或 OpenAM Fedlet
- code the SAML SP yourself (most likely with OpenSAML, you can find examples in sources of existing products)
- use a ready-made product to integrate into your application, such as Spring SAML or OpenAM Fedlet
对于间接期权(需要较少的修改)您可以:
For indirect options (which require less modifications to your application) you can:
- 使用 Shibboleth SAML SP插件(如果您使用的话)
- 将SAML SP部署为容器上的另一个应用程序(例如Spring SAML或OpenAM)并使其与您的应用程序通信 - 因此SAML SP使用ADFS执行身份验证并将其传达给您的应用程序,例如:通过共享cookie或自定义令牌
- use Shibboleth SAML SP plugins on your Apache reverse proxy (if you use one)
- deploy SAML SP as another application on your container (e.g. Spring SAML or OpenAM) and make it communicate with your application - so SAML SP performs authentication with ADFS and communicates this to your application e.g. through a shared cookie, or a custom token
您可以找到更多比较详细信息和注意事项 in this thread 。
You can find more comparison details and considerations in this thread.
ADFS 3应该支持OAuth授权服务器,它可能是一种更简单的集成方式,请参阅这里和 here 。使用OAuth实现身份验证通常比SAML容易得多,没有相关的缺点。
ADFS 3 should have support for OAuth Authorization Server and it might well be an easier way to integrate, see here and here. Implementing authentication using OAuth is generally significantly easier than SAML, with no relevant disadvantages.
这篇关于我如何从Java与ADFS对话?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
