SAML/ADFS node.js implementation guide?
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/26901368/
Asked by SpacePope
I'd like to preface this by saying that until now, I hadn't even HEARD of SAML, much less developed a SSO strategy involving it. That, combined with the fact that I've barely been doing node for a year makes for a glorious newbie sandwich. Currently, I have a client who uses SAML and ADFS as their SSO provider. I am already using passport.js for local logins, so using passport-saml seems to be the way to go to implement the SSO using SAML/ADFS. In doing my research, I've found a couple different implementation guides, but since I literally know NOTHING about this process, I could use a few pointers.
In the passport-saml documentation, I found the following for a strategy proven to work with ADFS (according to the docs):
{
  entryPoint: 'https://ad.example.net/adfs/ls/',
  issuer: 'https://your-app.example.net/login/callback',
  callbackUrl: 'https://your-app.example.net/login/callback',
  cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==',
  identifierFormat: null
}
I suppose my main question is where does this cert come from? Is this a cert I generate on my server via SSL? Does the provider provide it?
In my searching, I have also found this: https://github.com/auth0/passport-wsfed-saml2, which is based on passport-saml. The following configuration is suggested for ADFS:
{
  path: '/login/callback',
  realm: 'urn:node:app',
  homeRealm: '', // optionally specify an identity provider
  identityProviderUrl: 'https://auth10-dev.accesscontrol.windows.net/v2/wsfederation',
  cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5 ... ='
}
In this example, the path object is obvious, and my provider has already given me a providerURL. But realm makes no sense to me, and there's that darn cert again.
Could someone provide me with an "explain-like-i'm-five" way of implementing SAML/ADFS SSO in a node.js site? Or help me make heads or tails of the argument objects requested by the two solutions I've outlined? Much appreciated in advance!
Answered by Chris Eaves-Kohlbrenner
I recently went through the same thought process: having never heard of SAML, I needed to enable a web application to authenticate via SAML with OneLogin as the identity provider (instead of Active Directory).
During implementation, I made heavy use of OneLogin's documentation and the passport-saml library, both of which I recommend, though I'm not affiliated with either.
What I came to realize was that the confusion was three-fold:
(1) how SAML works,
(2) how the passport-saml library works in Node, and
(3) how to configure the identity provider (OneLogin, Active Directory, or otherwise). What follows is my attempt at an "explain-like-I'm-five" explanation.
SAML
Security Assertion Markup Language (SAML) is an XML standard that allows users to log in based on their browser session. There's a lot to it, but basically, it enables a simpler authentication process. A user can click a button rather than submit a form with username and password.
The way SAML works is a little more involved. I found this overview from OneLogin and the accompanying diagram helpful:
The diagram represents the following process:
- User clicks a button to authenticate for a given application (sometimes called service provider) using SAML. A request is made (to Node or otherwise) to build a SAML authorization request.
- An authorization request is constructed. This authorization request is XML (see more on OneLogin), encoded and/or encrypted, and appended to a URL as a query param. Node redirects the browser to this URL (something like https://domain.onelogin.com/trust/saml2/http-post/sso/123456?SAMLRequest=...encodedXML...).
- OneLogin, as identity provider, determines from the browser session whether the user is already logged in. If not, the user is prompted with OneLogin's login form. If so, the browser POSTs a SAML response back to the application (service provider). This SAML response (again XML) includes certain properties about the user, like NameID.
- Back in Node, the application verifies the SAML response and completes authentication.
Node and passport-saml
Passport.js is authentication middleware for Node. It requires a strategy, which could be something like passport-local or, in our case, passport-saml.
As the passport-local strategy enables Passport authentication using username/password, the passport-saml strategy enables Passport authentication using the browser session and configurable identity provider values.
While passport-saml served my purposes really well, its docs were difficult to reason through. The configuration example doesn't work since the OpenIdp identity provider is inactive, and there are lots of configurable parameters.
The main ones I cared about: entryPoint and path (or callbackURL). I only needed these two, which do the following:
- entryPoint is the URL to redirect to with the authorization request (see #2 above).
- path/callbackURL set the URL/route in Node for the SAML response to be POSTed to (see #3 above).
There's a ton of other parameters that are important and valuable, but it's possible to configure SAML SSO using just these two.
Identity Provider configuration
Finally, the identity provider itself needs to be configured so that, given a SAML authorization request, it knows where to send the SAML response. In the case of OneLogin, that means setting an ACS (Consumer) URL and an ACS (Consumer) URL Validator, both of which should match the path/callbackURL configured for passport-saml.
Other things can be configured (to support logout and other features), but this is the bare minimum to authenticate.
Summary
There were two parts to the original question: (1) how to implement SAML/ADFS integration and (2) high-level SAML node.js implementation guide. This answer addresses the second.
As for specifically integrating with Active Directory, I recommend passport-saml's docs on ADFS, keeping in mind that there are two parts: configuring passport-saml to use an ADFS identity provider AND configuring your ADFS server to respond back to Node.
Answered by akanieski
I could be wrong here but I believe it comes from the ADFS server's XML found at https://servername/FederationMetadata/2007-06/FederationMetadata.xml.
Pull out the X509Certificate. I have the same issues going on and I'm going to try that next.
Answered by PhiNessa
As for the first part of your question, the certificate comes from the provider. Please have a look at the passport-samldocumentation.
Simply pull out the Identity Provider's public signing certificate (X.509) and make sure to format it to the PEM encoding. The correctly formatted PEM-encoded certificate will begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
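The two answers above (pull the X509Certificate out of FederationMetadata.xml, then PEM-format it) carried out as an added example that is not code from either answer or from passport-saml: it selects the signing certificate from the IDPSSODescriptor, skipping the encryption certificate ADFS also publishes, and wraps it in the BEGIN/END CERTIFICATE armor. The metadata document is constructed for the example and its certificate values are placeholders.

```javascript
// Added example, not code from the original answers: pulls the IdP signing
// certificate out of ADFS FederationMetadata.xml and formats it as PEM, using
// only Node's standard library. The metadata below is constructed for this
// example; a real document is fetched from the URL in the answer above.

// Return the base64 X509Certificate under IDPSSODescriptor whose KeyDescriptor
// has use="signing" (or no use attribute, which means signing and encryption).
// Encryption-only certs are skipped: passport-saml's cert verifies signatures.
// Regex is enough for this fixed shape; use an XML parser for anything else.
function extractSigningCert(metadataXml) {
  const idp = metadataXml.match(/<(?:\w+:)?IDPSSODescriptor[\s\S]*?<\/(?:\w+:)?IDPSSODescriptor>/);
  if (!idp) throw new Error('no IDPSSODescriptor in metadata');
  const descriptors = idp[0].match(/<(?:\w+:)?KeyDescriptor[\s\S]*?<\/(?:\w+:)?KeyDescriptor>/g) || [];
  for (const kd of descriptors) {
    const use = (kd.match(/<(?:\w+:)?KeyDescriptor[^>]*\buse="([^"]*)"/) || [])[1];
    if (use && use !== 'signing') continue;
    const cert = kd.match(/<(?:\w+:)?X509Certificate>([\s\S]*?)<\/(?:\w+:)?X509Certificate>/);
    if (cert) return cert[1].replace(/\s+/g, ''); // metadata often wraps the base64
  }
  throw new Error('no signing X509Certificate found');
}

// Wrap base64 DER in the armor passport-saml expects: 64-character lines between
// the BEGIN/END CERTIFICATE markers.
function toPem(base64Der) {
  const lines = base64Der.match(/.{1,64}/g) || [];
  return ['-----BEGIN CERTIFICATE-----', ...lines, '-----END CERTIFICATE-----'].join('\n') + '\n';
}

// Constructed sample metadata; the base64 payloads are placeholders, not real certificates.
const FAKE_SIGNING = Buffer.from('constructed placeholder signing cert, not real. '.repeat(3)).toString('base64');
const FAKE_ENCRYPTION = Buffer.from('constructed placeholder encryption cert.').toString('base64');
const SAMPLE_METADATA = `<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.net/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>${FAKE_ENCRYPTION}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>
        ${FAKE_SIGNING}
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.net/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>`;

// The value to paste into passport-saml's cert option.
function signingCertPem(metadataXml = SAMPLE_METADATA) {
  return toPem(extractSigningCert(metadataXml));
}
```

ADFS rotates its token-signing certificate, so re-run this against the live metadata (or pin both the current and the announced next certificate) rather than treating the extracted value as permanent.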