java 如何使用 SAML 和 Shibboleth 实现或集成单点登录
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11422985/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to implement or integrate single sign on with SAML and Shibboleth
提问by performanceuser
We have two separate products, both including web app and server.
我们有两个独立的产品,包括 Web 应用程序和服务器。
We want to implement Single Sign On for both of them, so when a user has logged into one product, he can automatically access resources in the other product belonging to him.
我们希望对它们都实现单点登录,这样当用户登录一个产品时,他可以自动访问属于他的另一个产品中的资源。
I have explored a little bit and find SAML is a good approach that we can take, but we are not sure how we want to proceed.
我进行了一些探索,发现 SAML 是我们可以采用的一种很好的方法,但我们不确定要如何进行。
Is it a good idea to implement our own Service Provider? I have looked at Shib SP, but looks like if I want to integrate it into my products, it won't be that easy too.
实现我们自己的服务提供者是个好主意吗?我看过 Shib SP,但看起来如果我想将它集成到我的产品中,也不会那么容易。
So I am just looking for some suggestions from people who have encountered a similar problem before.
所以我只是想从以前遇到过类似问题的人那里寻求一些建议。
Another question is what resource that I can study if I need to implement a SP using OpenSaml? Looks like there is not a lot of tutorials or examples that I can refer to.
另一个问题是,如果我需要使用 OpenSaml 实现 SP,我可以研究哪些资源?看起来我可以参考的教程或示例并不多。
I would also be really appreciated if anybody can just point out some big procedures or components that my own SP need to contain.
如果有人能指出我自己的 SP 需要包含的一些大程序或组件,我也将不胜感激。
EDIT 1:
编辑 1:
Just try to provide more details about what I want. We have two separate products. Currently we are able to externalize user database. For example, our products can be configed to connect to LDAP server or any other external user DB as long as they implement a service properly.
尝试提供有关我想要的内容的更多详细信息。我们有两种不同的产品。目前我们能够外部化用户数据库。例如,我们的产品可以配置为连接到 LDAP 服务器或任何其他外部用户数据库,只要它们正确实施服务即可。
Now our goal is we want SSO for both of our products. One scenario is we have our own SP component(either implement or integrate) in both products. Customer may have their own IdP. With some configuration, our SP can connect to their IdP, and do authentication from there, and user doesn't need to login twice to access both products. Of cause, we can provide an out of the box IdP if customer doesn't have it.
现在我们的目标是我们的两个产品都需要 SSO。一种情况是我们在两种产品中都有自己的 SP 组件(实施或集成)。客户可能有自己的 IdP。通过一些配置,我们的 SP 可以连接到他们的 IdP,并从那里进行身份验证,用户无需登录两次即可访问这两种产品。当然,如果客户没有,我们可以提供开箱即用的 IdP。
回答by Will Hartung
The biggest difficulty with Shibboleth is that it is, effectively, a reference implementation of the SAML v2.0 specification.
Shibboleth 的最大困难在于它实际上是 SAML v2.0 规范的参考实现。
For most routine installations, though, you actually need very little of the SAML spec to enable a couple of web apps for SSO.
但是,对于大多数常规安装,您实际上只需要很少的 SAML 规范即可为 SSO 启用几个 Web 应用程序。
But since Shibboleth implements the whole thing, with all of its capability, it can be a bear to configure.
但是由于 Shibboleth 实现了整个事情,并具有其所有功能,因此配置起来可能会很麻烦。
We did a project with Shibboleth (and it was admittedly an on the edge use case), and, for me, a SAML novice at the time, it was really a chore to get everything up and working.
我们与 Shibboleth 一起做了一个项目(这无疑是一个边缘用例),而且,对我来说,当时的 SAML 新手,让一切正常工作真的是一件苦差事。
For our next stab, I looked at the SAML specfor SSO via the Web Profile. If you read it, it's actually quite straightforward for this limited use case. And we decided that instead of using Shibboleth again, we'd write our own IdP and SP using the OpenSAML libraries.
对于我们的下一次尝试,我通过 Web 配置文件查看了 SSO的SAML 规范。如果您阅读它,对于这个有限的用例,它实际上非常简单。我们决定不再使用 Shibboleth,而是使用 OpenSAML 库编写我们自己的 IdP 和 SP。
Could we have got Shibboleth working faster? Probably. But I don't think we'd have the understanding of it that we do of our own. A bit of Not-Invented-Here, sure, but this stuff is confusing enough when you do understand the software and vocabulary, much less when you don't. And SAML is chock full of new vocabulary.
我们可以让 Shibboleth 工作得更快吗?大概。但我认为我们不会像我们自己那样理解它。当然,这里有一些 Not-Invented-Here,但是当您确实了解软件和词汇时,这些东西已经足够令人困惑,而当您不了解时,就更不用说了。SAML 充满了新词汇。
You can also consider using SimpleSAMLas an IdP and writing your own SP for your web apps. SimpleSAML is in PHP, but it's a bit more user friendly. You can just treat it as a self contained apache service.
您还可以考虑使用SimpleSAML作为 IdP 并为您的 Web 应用程序编写自己的 SP。SimpleSAML 是用 PHP 编写的,但它对用户更友好一些。您可以将其视为自包含的 apache 服务。
I will say that our SP weighs in at around 1000 lines of javadoc'd code, but it's mostly wiring OpenSAML stuff together and some utility stuff. In truth it's not that scary. Be prepared to really enjoy reading signed XML blobs though.
我会说我们的 SP 大约有 1000 行 javadoc 代码,但它主要是将 OpenSAML 内容和一些实用程序连接在一起。事实上,它并没有那么可怕。准备好真正享受阅读签名的 XML blob。
It is frustrating that this really isn't simpler, but it's a bit of a chicken/egg thing regarding adoption etc.
令人沮丧的是,这确实并不简单,但在收养等方面有点鸡/蛋的事情。
And if none of that suits you, you can look at OAuth2 and some of its profiles.
如果这些都不适合您,您可以查看 OAuth2 及其一些配置文件。
回答by Vicente Plata
If you only want to implement SSO between 2 products, I think yes, building something from the scratch is easier. If it's Java, Shibboleth's OpenSaml is a very good lib.
如果您只想在 2 个产品之间实施 SSO,我认为是的,从头开始构建一些东西更容易。如果是 Java,Shibboleth 的 OpenSaml 是一个非常好的库。
As you begin to implement more stuff, and some complex scenarios, going for something already built is the best choice. You should also be aware of several stuff you'll be likely to write on a per-system basis (e. g. assertion generation, xml-dsig, validation, etc).
当你开始实现更多的东西和一些复杂的场景时,选择已经构建的东西是最好的选择。您还应该了解您可能会在每个系统的基础上编写的一些内容(例如,断言生成、xml-dsig、验证等)。
At a glance, it might seem like the already built products are way too complex or difficult to scale or adapt to your particular needs. But your dev effort writing connectors and implementations can be rewarded when you feel like exploding all of the SAML capabilities.
乍一看,已经构建的产品似乎过于复杂或难以扩展或适应您的特定需求。但是,当您想扩展所有 SAML 功能时,您编写连接器和实现的开发工作会得到回报。
It'd be very helpful though, if you can explain with more detail what do you want to achieve; I feel your question is quite open...
不过,如果您能更详细地解释您想要实现的目标,那将非常有帮助;我觉得你的问题很开放......
回答by Erwin
I don't have personal experience with Shibboleth Service Provider, but I am currently developing architecture which uses Shibboleth IdP, Shibboleth Discovery Service and Guanxi Service Provider. Integrating lightweight Guard module from Guanxi Service Provider with Java webapp is a piece of cake and you can easily obtain Shibboleth based architecture without writing your own modules. There is localhost tutorialfor setting up Guanxi SP, just skip the parts about Guanxi WAYF and IdP and use Shibboleth components in their place.
我没有使用 Shibboleth Service Provider 的个人经验,但我目前正在开发使用 Shibboleth IdP、Shibboleth Discovery Service 和Guanxi Service Provider 的架构。将来自 Guanxi Service Provider 的轻量级 Guard 模块与 Java webapp 集成是小菜一碟,您无需编写自己的模块即可轻松获得基于 Shibboleth 的架构。有用于设置Guanxi SP的localhost教程,只需跳过有关Guanxi WAYF和IdP的部分并使用Shibboleth组件代替它们。
