如何使用 Java 服务提供者验证 WS-Federation SAML 令牌
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16311625/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to validate WS-Federation SAML tokens with Java Service Provider
提问by Calvin
I am working on a project that uses ws_federation and SAML to authenticate to a Identity Provider running on a IIS server running on .net called thinktecture
我正在开发一个项目,该项目使用 ws_federation 和 SAML 对在 .net 上运行的名为thinktecture的 IIS 服务器上运行的身份提供程序进行身份验证
I need to write a Java Service Provider that sends a SAML authentication request to the Identity Provider and get the SAML response back on my java web app.
我需要编写一个 Java 服务提供者,将 SAML 身份验证请求发送到身份提供者,并在我的 Java Web 应用程序上获取 SAML 响应。
I need to know if there are any good libraries to validate SAML and mabye some direction on setting it up or links to a tutorial on getting started. I have tries spring_security-saml_extensions, but I keep getting errors when I try to put my Identitiy Providers meta-data link into the config files.
我需要知道是否有任何好的库来验证 SAML 并提供有关设置的方向或入门教程的链接。我尝试过 spring_security-saml_extensions,但是当我尝试将 Identitiy Providers 元数据链接放入配置文件时,我不断收到错误消息。
Any help would be greatly appreciated!
任何帮助将不胜感激!
Also: It would be great if the solution could be integrated into an existing java web application!
另外:如果该解决方案可以集成到现有的 Java Web 应用程序中,那就太好了!
Some Additional info:
一些附加信息:
Below is the XML I can get from the response returned by the IDP in my SP I am working on I was under the impression that this was a SAML token.
下面是我可以从我正在处理的 SP 中的 IDP 返回的响应中获得的 XML 我的印象是这是一个 SAML 令牌。
<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse Context="rm=0&id=passive&ru=%2fApplicant%2fMyAccount%2fHome">
<trust:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T19:37:18.399Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T20:07:18.399Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://[SP Server]/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<Assertion ID="_b4c87094-9557-419f-92fd-714a2b9cd8af" IssueInstant="2013-04-17T19:37:18.399Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://[IDP Server]/trust/idp</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_b4c87094-9557-419f-92fd-714a2b9cd8af">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>pVpyzVN6Cz7NRNsp+jSVQP4ILt1J8y/4KBPzAtbllMg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NnTCfQE7p1FmrdbmYk+wRpbaZ5Rr4Opk67mI2Y6+PTdQlUErv5Bt8C/iBA398CwAgZyREqZfobd47QnxZYOvnFjiMSsQAndmPejZ9PEGwdu8hVrYyhV2VpcPtcaew/tOGWBvTdUKH5YjGmTHLtLxny0WaGYIquYVWoO3S68duy6DWXr/rxMzOEjNhY3s/3alCYMSYqDrhB8jKY8M9M2jruZa2KjIziumW6bzksizYSEFAcn4LfVhACaucrBAVch+r31vKAxO0BpkU7wSRBTaQV+/ALmA1HJAVO/mecujHJnhpizF4GDNdsnbIxck3r/2X9gt7WgMhfwBW+6Xvd2whQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC5TCCAc2gAwIBAgIQSuU/gl5tP49ARSN2SkVRKzANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwHhcNMTAxMDAxMTI1MjUxWhcNMjAwOTI4MTI1MjUxWjAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgytRM5b2B35ydz+zxt59fklaT02z4AXUd9zm3h7Clq8LZYPMYvHOkzv7tgY38rD+NvmELAzeESBTbHN/wJyFkVbdD3mHVvE/vARGLxZB1lx+JN+gNjrrXT90FQtyWEchWoUcO6eFTAUdLgLonSn7SvI7lze2YUIS9BBc0OdpZzhDnWecUA1N0c5CeMZcjxroZYTuXH1YDGqOacphtZ7TMwCV2V5i7k9Jj4xY8uuSX92l7cW+EIqoqp26XTWmfon/jvDvWe3Dhe/mdtLXKQ2Lu8KCiN+zqA91fiGwezTkoeyDrWh/8/jqoz7Ep/4BN9cNLrbk75ngiryPlGLOCQK7vAgMBAAGjJzAlMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwQHAwUAsAAAADANBgkqhkiG9w0BAQUFAAOCAQEAVTHuMl7Tr+ZAQOLf9nPbAlFabec8DFb+3jzbo4qUfGD/DYGuDg4gFNfr09s2Ft82DzXf1BQJDprRIRtrQOE8hDpOeM6c5sOXk7xKh0QjPzqE4n7ZJUP8X+NW+Zu9D7OaFSJ0/mUffw/PugoYTusfCEudrKzo2CDgtrQjaTrm7zkxksJdH/DY+YCF1g+ljpUDKR9SYwRaGQ5fj9dn+SMibhcXqDXod+BGKW9xaTo3CLFKSbMRt97LjF+P8sfnq8IGTpHqHR3pFDjdbIQ4ixRCygEpbVZJgXPvcTk2Nnvi3SyLZPeTRTGnZM0R7KMhLji2JnHYEXArC46fVwHtjLGbGw==</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID>e8f279d7-cbd8-468d-a6df-97419729fe59</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2013-04-17T19:37:18.399Z" NotOnOrAfter="2013-04-17T20:07:18.399Z">
<AudienceRestriction>
<Audience>https://[SP Server]</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<!-- Data from my database-->
</AttributeStatement>
<AuthnStatement AuthnInstant="2013-04-17T19:37:18.337Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>
采纳答案by Calvin
I found a great library on github that both handles validation of the SAML Token and if you are feeling adventurous is a good tutorial on how to use OpenSAML. The library is called Auth10-Javaand it does a great job of breaking down SAML token validation. FYI it also handles WS-Federation protocol.
我在 github 上找到了一个很棒的库,它可以处理 SAML 令牌的验证,如果您喜欢冒险,这是一个关于如何使用 OpenSAML 的好教程。该库称为Auth10-Java,它在分解 SAML 令牌验证方面做得很好。仅供参考,它还处理 WS-Federation 协议。
Public List<Claim> validateAuthenticationResponse(String yourToken){
SamlTokenValidator validator = new SamlTokenValidator();
validator.setThumbprint("thumbprint from the thinktecture idp server or what ever idp you are using");
validator.getAudienceUris().add(new URI(“http://localhost:8080/javafederationtest”);
//validator.setValidateExpiration(false); //This can be used to stop validation of the expiration fields in the token.
List<Claim> claims = validator.validate(yourToken); //A Federation Exception is thrown if the token is invalid
System.out.println(claims.toString()); //This will show the claims asserted by the token!
}
This worked great for me and better yet I am learning heaps about SAML and OpenSAML from this library! Just be sure to include all dependencies in your projects build path!
这对我很有用,而且更好,但我正在从这个库中学习有关 SAML 和 OpenSAML 的大量知识!请务必在您的项目构建路径中包含所有依赖项!
回答by nzpcmad
The good news is there are open-source Java SAML stacks such as the Java Oracle OpenSSO Fedlet.
好消息是有开源 Java SAML 堆栈,例如Java Oracle OpenSSO Fedlet。
The bad news is that the IdentityServer product that you are using has no support for SAML.
坏消息是您使用的 IdentityServer 产品不支持 SAML。
It has support for SAML tokensbut not the SAML protocol.
它支持 SAML令牌,但不支持SAML协议。
回答by Michael
Please look at Shibboleth: http://shibboleth.net/products/service-provider.html. The easiest way to integrate Java with Shibboleth is to setup Apache httpd with Shibboleth and to take the HTTP REMOTE_USER header from the request: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall. Shibboleth is great framework and fully supports SAML protocol.
请看 Shibboleth:http: //shibboleth.net/products/service-provider.html。将 Java 与 Shibboleth 集成的最简单方法是使用 Shibboleth 设置 Apache httpd 并从请求中获取 HTTP REMOTE_USER 标头:https: //wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall。Shibboleth 是一个很棒的框架并且完全支持 SAML 协议。
You can also use the Java code and to create SP code by yourself using OpenSAML code. OpenSAML is library used by Shibboleth (link above). The instructions how to start to develop: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoDeveloperManual
您还可以使用 Java 代码并使用 OpenSAML 代码自行创建 SP 代码。OpenSAML 是 Shibboleth 使用的库(上面的链接)。如何开始开发的说明:https: //wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoDeveloperManual
