Your application needs to act as a SAML SP, either directly (from your code), or indirectly (e.g. through SAML SP support on reverse proxy, application server, ...).

您的应用程序需要直接（从您的代码）或间接（例如，通过对反向代理、应用程序服务器等的 SAML SP 支持）充当 SAML SP。

For direct options(which require more modifications to your application) you can:

对于直接选项（需要对您的应用程序进行更多修改），您可以：

• code the SAML SP yourself (most likely with OpenSAML, you can find examples in sources of existing products)
• use a ready-made product to integrate into your application, such as Spring SAMLor OpenAM Fedlet

• 自己编写 SAML SP（最有可能使用OpenSAML，您可以在现有产品的来源中找到示例）
• 使用现成的产品集成到您的应用程序中，例如Spring SAML或OpenAM Fedlet

For indirect options(which require less modifications to your application) you can:

对于间接选项（需要对应用程序进行较少修改），您可以：

• use Shibboleth SAML SP pluginson your Apache reverse proxy (if you use one)
• deploy SAML SP as another application on your container (e.g. Spring SAML or OpenAM) and make it communicate with your application - so SAML SP performs authentication with ADFS and communicates this to your application e.g. through a shared cookie, or a custom token

• 在您的 Apache 反向代理上使用Shibboleth SAML SP 插件（如果您使用）
• 将 SAML SP 作为另一个应用程序部署到您的容器（例如 Spring SAML 或 OpenAM）上并使其与您的应用程序通信 - 因此 SAML SP 使用 ADFS 执行身份验证并将其传达给您的应用程序，例如通过共享 cookie 或自定义令牌

You can find more comparison details and considerations in this thread.

您可以在此线程中找到更多比较细节和注意事项。

ADFS 3 should have support for OAuth Authorization Server and it might well be an easier way to integrate, see hereand here. Implementing authentication using OAuth is generally significantly easier than SAML, with no relevant disadvantages.

ADFS 3 应该支持 OAuth 授权服务器，它可能是一种更简单的集成方式，请参阅此处和此处。使用 OAuth 实现身份验证通常比 SAML 容易得多，并且没有相关的缺点。

The Resin Authenticators that Caucho provides aren't gonna help with federation. Instead, you need to add a ServletFilter that looks for unauthenticated users. When it finds one, you should direct them to a login page. On this, you should ask the user if they want to login directly to your site or federate to another organization. (This could be done by displaying a username/password form + logos of trusted third-parties.) In the former, direct login case, use the Resin Authenticator to check against your local user repo or however you're doing it now. For the federated case, use SAML.

Caucho 提供的 Resin Authenticators 不会帮助联邦。相反，您需要添加一个 ServletFilter 来查找未经身份验证的用户。当它找到一个时，您应该将它们定向到登录页面。在这方面，您应该询问用户是否想直接登录到您的站点或联合到另一个组织。（这可以通过显示用户名/密码表单 + 受信任第三方的徽标来完成。）在前一种直接登录的情况下，使用 Resin Authenticator 来检查您的本地用户存储库，或者您现在正在这样做。对于联合案例，请使用 SAML。

Federation would start by sending an authentication request to the trusted partner (the ADFS server). This is a little XML documentpacked into a form that will need a few things to be changed per request (e.g., creation time). This can be done with String.format -- nothing complicated. Send this authentication request to the SAML server (i.e., ADFS) at the organization the user selected. They'll login and send the authentication response to some "Assertion Consumer Service" that you need to create.

联合将首先向受信任的合作伙伴（ADFS 服务器）发送身份验证请求。这是一个打包成一个表单的小 XML 文档，每个请求都需要更改一些内容（例如，创建时间）。这可以用 String.format 来完成——没什么复杂的。将此身份验证请求发送到用户选择的组织中的 SAML 服务器（即 ADFS）。他们将登录并将身份验证响应发送到您需要创建的某些“断言消费者服务”。

An ACS is just an endpoint that receives the SAML authentication response. This needs to be an unauthenticated endpoint that will parse and validate the reply from ADFS. Use OpenSAML to do this. There are quite a few things you need to do to make sure it's valid. For example, you must verify the digital signature of the assertion. You also need to check the issue time, that it's not in the future. Verify that the assertion is for you by checking the Destination in the confirmation data, audience, and recipient. Etc. Etc.

ACS 只是接收 SAML 身份验证响应的端点。这需要是一个未经身份验证的端点，它将解析和验证来自 ADFS 的回复。使用 OpenSAML 执行此操作。你需要做很多事情来确保它是有效的。例如，您必须验证断言的数字签名。您还需要检查问题时间，它不是在未来。通过检查确认数据、受众和收件人中的目标来验证断言是否适合您。等等等等。

If this is beyond what you'd like to code, checkout an open source or commercial SAML server. It needs to function as an SP, and should run in Resin to keep things simple. One candidate that is mean and lean is Asimba. (The company I work foris the maintainer of this project.) You can deploy this into Resin, and it will take care of both the request and the reply.

如果这超出了您想要编码的范围，请查看开源或商业 SAML 服务器。它需要充当 SP，并且应该在 Resin 中运行以保持简单。Asimba是一位既刻薄又精益求精的候选人。（我工作的公司是这个项目的维护者。）你可以把它部署到 Resin 中，它会处理请求和回复。

A Note about OAuth

关于 OAuth 的说明

What you're contemplating here is federation (or Web single-sign on). OAuth isn't suited for federation. It is a protocol designed to do delegated authorization. The OpenID Foundation has extended OAuth 2 to support federation in the OpenID Connect profile of OAuth. ADFS doesn't support this federation protocol, and is limited to WS-Federation and SAML. Therefore, you should no be looking into OAuth if ADFS will be used by your partners.

您在这里考虑的是联合（或 Web 单点登录）。OAuth 不适合联合。它是一种旨在进行委托授权的协议。OpenID Foundation 已扩展 OAuth 2 以支持 OAuth 的 OpenID Connect 配置文件中的联合。ADFS 不支持此联合协议，并且仅限于 WS-Federation 和 SAML。因此，如果您的合作伙伴将使用 ADFS，您不应该考虑 OAuth。