Java 如何实施 SAML SSO
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/806131/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to implement SAML SSO
提问by A_M
How is SAML SSO typically implemented?
SAML SSO 通常如何实施?
I've read this(n.b. obsolete) about using SAML with Google Apps, and the wikipedia entry on SAML.
我已经阅读了有关将 SAML 与 Google Apps 结合使用的这篇(nb 过时)以及SAML上的维基百科条目。
The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign on?
维基百科条目讨论了使用包含 SAMLRequest 和 SAMLResponse 详细信息的表单进行响应。这是否意味着用户必须亲自提交表单才能继续进行单点登录?
The google entry talks about using redirects, which seems more seemless to me. However, it also talks about using a form for the response which the user must submit (although it does talk about using JavaScript to automatically submit the form).
谷歌条目谈到了使用重定向,这对我来说似乎更无意义。然而,它也谈到了使用表单作为用户必须提交的响应(尽管它确实谈到了使用 JavaScript 来自动提交表单)。
Is this the standard way of doing this? Using redirects and JavaScript for form submission?
这是这样做的标准方法吗?使用重定向和 JavaScript 提交表单?
Does anyone know of any other good resources about how to go about implementing SSO between a Windows Domain and a J2EE web application. The web application is on a separate network/domain. My client wants to use CA Siteminder(with SAML).
有谁知道关于如何在 Windows 域和 J2EE Web 应用程序之间实现 SSO 的任何其他好的资源。Web 应用程序位于单独的网络/域中。我的客户想要使用CA Siteminder(使用 SAML)。
采纳答案by metadaddy
The way this works is that, after authenticating the user, the SAML identity provider (IdP) renders a form to the browser containing the SAML response - the form's 'action' (i.e. target) is the service provider (SP). In the HTML, there is a JavaScript onLoad event that submits the form, so the net effect is that the user is automatically taken from the IdP to the SP, SAML response in hand.
其工作方式是,在对用户进行身份验证后,SAML 身份提供者 (IdP) 将包含 SAML 响应的表单呈现给浏览器 - 表单的“操作”(即目标)是服务提供者 (SP)。在 HTML 中,有一个用于提交表单的 JavaScript onLoad 事件,因此最终效果是用户自动从 IdP 转到 SP,SAML 响应在手。
The only time a user would have to click anything to submit the form is if they have JavaScript disabled. In this case, SAML implementations typically provide a message with a button to press in the <noscript>tag.
用户必须单击任何内容才能提交表单的唯一时间是他们禁用了 JavaScript。在这种情况下,SAML 实现通常会提供一条消息,其中包含要按下<noscript>标签的按钮。
For more detail see this article I wrote a few years ago- but note, 'Lightbulb' is long obsolete now - for PHP SAML see simpleSAMLphp.
有关更多详细信息,请参阅我几年前写的这篇文章- 但请注意,“灯泡”现在已经过时了 - 对于 PHP SAML,请参阅simpleSAMLphp。
It's a shame your client wants to use CA SiteMinder - the open source OpenAM(formerly known as OpenSSO) does this pretty easily.
很遗憾您的客户想要使用 CA SiteMinder - 开源OpenAM(以前称为 OpenSSO)很容易做到这一点。
回答by McGovernTheory
If Siteminder is the relying party, then you would need to write a custom agent to take a SAML artifact and create an SM-Session. Otherwise, you will need to purchase a product that has this functionality already built.
如果 Siteminder 是依赖方,那么您需要编写一个自定义代理来获取 SAML 工件并创建一个 SM-Session。否则,您将需要购买已经构建了此功能的产品。
回答by Farhan
This articleexplains is very well. There are examples for different platforms too.
这篇文章解释的很好。也有不同平台的示例。
