Java 创建 SAML 断言并签署响应
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26482902/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Create SAML Assertion and Sign the response
提问by iUser
I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin programto send request and get response. But it was not working properly. I created one account there. But I don't have an enterprise account. When I run the application, it is going to onelogin loginpage. I tried to login, but it is not returning anyuthing in the response, showing I don't have permission. If I provide wrong credentials also, it is not giving any SAML response.
我有一个 Java Web 应用程序。我想为我的应用程序实现 SAML 单点登录登录。我有这个GitHub onelogin 程序来发送请求并获得响应。但它没有正常工作。我在那里创建了一个帐户。但是我没有企业帐户。当我运行该应用程序时,它将转到onelogin 登录页面。我尝试登录,但在响应中没有返回任何内容,表明我没有权限。如果我也提供了错误的凭据,它不会给出任何 SAML 响应。
So I decided to create an assertion and sign it.
所以我决定创建一个断言并签名。
- Do I need to send a SAML request to any identity provider first?
- How to create a sample SAML assertion instead of going to IdP(Like this is fine?)
- Once I get the SAML response, how do I sign it in my application and proceed?
- 我是否需要先向任何身份提供者发送 SAML 请求?
- 如何创建示例 SAML 断言而不是转到 IdP(这样可以吗?)
- 收到 SAML 响应后,如何在我的应用程序中对其进行签名并继续?
Thanks
谢谢
UPDATE 1
更新 1
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="123" InResponseTo="abc" IssueInstant="2014-11-21T17:13:42.872Z"
Version="2.0">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
[email protected]
</saml:NameID>
</saml:Subject>
<saml:AuthnStatement AuthnInstant="2014-11-21T17:13:42.899Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
回答by Stefan Rasmusson
The first thing you need to do is to read up on the SAML protocol. I have two blogs I can recommend.
您需要做的第一件事是阅读 SAML 协议。我有两个博客可以推荐。
Next you can choose to build the SAML integration in your app or you can use a third party application to do the integration. Typical third party applications are Shibbolethand OpenAM.
接下来,您可以选择在您的应用程序中构建 SAML 集成,也可以使用第三方应用程序进行集成。典型的第三方应用程序是Shibboleth和OpenAM。
If you decide to build it in to your application, you can for example use OpenSAML. OpenSAML is a library that helps to work with SAML messages. I have several blogs on the subjectand one book that is good to start with
如果您决定将其构建到您的应用程序中,您可以例如使用 OpenSAML。OpenSAML 是一个有助于处理 SAML 消息的库。我有几个关于这个主题的博客和一本很好的书
About your questions.
关于你的问题。
- You dont need to send a request. The IDP can start the process without a request.
- Well you can create one just by editing the one that you found. You can also use OpenSAML to create the assertion
- You do not sign the response in your application, the IDP signs the response. he signature verification depends on the software. Here is how you do it in OpenSAML
- 您不需要发送请求。IDP 可以在没有请求的情况下启动该过程。
- 那么你可以通过编辑你找到的那个来创建一个。您还可以使用 OpenSAML 来创建断言
- 您不在申请中签署响应,IDP 签署响应。签名验证取决于软件。这是您在 OpenSAML 中的操作方法
回答by shimon001
You can also use Java Saml from Oneloginto sign the response using their utility class (com.onelogin.saml2.util.Util):
您还可以使用Onelogin 中的 Java Saml使用其实用程序类 (com.onelogin.saml2.util.Util) 对响应进行签名:
// loads xml string into Document
Document document = Util.loadXML(saml);
// loads certificate and private key from string
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);
// signs the response
String signedResponse = Util.addSign(document, privateKey, cert, null);
You can also use another .addSignmethod that takes Nodeas first parameter to sign the assertion of the SAML response.
您还可以使用另.addSign一种Node将 SAML 响应的断言作为第一个参数的方法。
Their Maven dependency is:
他们的Maven依赖是:
<dependency>
<groupId>com.onelogin</groupId>
<artifactId>java-saml</artifactId>
<version>2.0.0</version>
</dependency>
