2013-05-01 24 views
3

How to validate a WS-Federation SAML token with a Java service provider

I have a project that uses ws_federation and SAML to authenticate against an identity provider called thinktecture, which runs on .NET on an IIS server.

I need to write a Java service provider that sends a SAML authentication request to the identity provider and receives the SAML response in my Java web application.

I need to know whether there are any good libraries for validating SAML, and maybe some direction on setting one up or a link to a getting-started tutorial. I tried spring_security-saml_extensions, but I kept getting errors when I tried to put my Identity Provider's metadata link into the configuration file.

Any help would be greatly appreciated!

Also: it would be great if the solution could be integrated into an existing Java web application!

Some additional information:

Below is the XML I can get from the response the IdP returns to my SP; my impression is that this is a SAML token.

<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> 
<trust:RequestSecurityTokenResponse Context="rm=0&amp;id=passive&amp;ru=%2fApplicant%2fMyAccount%2fHome"> 
    <trust:Lifetime> 
     <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T19:37:18.399Z</wsu:Created> 
     <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T20:07:18.399Z</wsu:Expires> 
    </trust:Lifetime> 
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> 
     <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"> 
      <wsa:Address>https://[SP Server]/</wsa:Address> 
     </wsa:EndpointReference> 
    </wsp:AppliesTo> 
    <trust:RequestedSecurityToken> 
     <Assertion ID="_b4c87094-9557-419f-92fd-714a2b9cd8af" IssueInstant="2013-04-17T19:37:18.399Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> 
      <Issuer>http://[IDP Server]/trust/idp</Issuer> 
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
       <SignedInfo> 
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> 
        <Reference URI="#_b4c87094-9557-419f-92fd-714a2b9cd8af"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> 
         <DigestValue>pVpyzVN6Cz7NRNsp+jSVQP4ILt1J8y/4KBPzAtbllMg=</DigestValue> 
        </Reference> 
       </SignedInfo> 
       <SignatureValue>NnTCfQE7p1FmrdbmYk+wRpbaZ5Rr4Opk67mI2Y6+PTdQlUErv5Bt8C/iBA398CwAgZyREqZfobd47QnxZYOvnFjiMSsQAndmPejZ9PEGwdu8hVrYyhV2VpcPtcaew/tOGWBvTdUKH5YjGmTHLtLxny0WaGYIquYVWoO3S68duy6DWXr/rxMzOEjNhY3s/3alCYMSYqDrhB8jKY8M9M2jruZa2KjIziumW6bzksizYSEFAcn4LfVhACaucrBAVch+r31vKAxO0BpkU7wSRBTaQV+/ALmA1HJAVO/mecujHJnhpizF4GDNdsnbIxck3r/2X9gt7WgMhfwBW+6Xvd2whQ==</SignatureValue> 
       <KeyInfo> 
        <X509Data> 
         <X509Certificate>[base64 certificate omitted]</X509Certificate> 
        </X509Data> 
       </KeyInfo> 
      </Signature> 
      <Subject> 
       <NameID>e8f279d7-cbd8-468d-a6df-97419729fe59</NameID> 
       <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /> 
      </Subject> 
      <Conditions NotBefore="2013-04-17T19:37:18.399Z" NotOnOrAfter="2013-04-17T20:07:18.399Z"> 
       <AudienceRestriction> 
        <Audience>https://[SP Server]</Audience> 
       </AudienceRestriction> 
      </Conditions> 
      <AttributeStatement> 
       <!-- Data from my database--> 
      </AttributeStatement> 
      <AuthnStatement AuthnInstant="2013-04-17T19:37:18.337Z"> 
       <AuthnContext> 
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef> 
       </AuthnContext> 
      </AuthnStatement> 
     </Assertion> 
    </trust:RequestedSecurityToken> 
    <trust:RequestedAttachedReference> 
     <SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
      <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier> 
     </SecurityTokenReference> 
    </trust:RequestedAttachedReference> 
    <trust:RequestedUnattachedReference> 
     <SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
      <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier> 
     </SecurityTokenReference> 
    </trust:RequestedUnattachedReference> 
    <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType> 
    <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType> 
    <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType> 
</trust:RequestSecurityTokenResponse> 

+0

Are you using a WebLogic server? – 2013-05-01 02:02:38

+0

@VKSingla No, it isn't. It runs on thinktecture, an open-source .NET product. – Calvin 2013-05-01 02:16:58

+0

Did you see the answer below? Did it help? – Michael 2013-05-03 12:37:49

Answers

3

I found a great library on GitHub that handles SAML token validation, and if you're feeling adventurous there is a good tutorial on how to use OpenSAML. The library is called Auth10-Java, and it does a good job of breaking down SAML token validation. FYI, it also handles the WS-Federation protocol.

import java.net.URI; 
import java.util.List; 
// SamlTokenValidator, Claim and FederationException are the Auth10-Java library's classes 

public List<Claim> validateAuthenticationResponse(String yourToken) throws Exception { 
    // throws Exception: new URI() throws URISyntaxException, validate() throws FederationException 
    SamlTokenValidator validator = new SamlTokenValidator(); 

    // Thumbprint of the signing certificate of the IdP; only tokens signed by that certificate are accepted 
    validator.setThumbprint("thumbprint from the thinktecture idp server or what ever idp you are using"); 

    // The token's <Audience> must name this SP 
    validator.getAudienceUris().add(new URI("http://localhost:8080/javafederationtest")); 

    //validator.setValidateExpiration(false); //This can be used to stop validation of the expiration fields in the token. 

    List<Claim> claims = validator.validate(yourToken); //A FederationException is thrown if the token is invalid 

    System.out.println(claims.toString()); //This will show the claims asserted by the token! 
    return claims; 
} 

This worked fine for me, but I preferred learning a ton about SAML and OpenSAML from this library! Just make sure you include all the dependencies in the project build path!
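For readers who want to see what the thumbprint, audience and expiration settings in the Auth10-Java snippet above actually check, here is an added example (written for this page, not code from Auth10-Java, thinktecture or the original poster) that performs the same three checks on the assertion from the question using only JDK APIs (javax.xml.crypto.dsig, DOM, java.time). It assumes the thumbprint is the hex SHA-1 fingerprint of the IdP signing certificate as thinktecture IdentityServer displays it, that the IdP's certificate travels in the assertion's <KeyInfo> (as in the XML above), and that the caller passes either the bare <Assertion> or the whole RequestSecurityTokenResponseCollection; the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical validator for a signed SAML 2.0 bearer assertion, JDK-only (example code, not Auth10-Java). */
public class BearerAssertionValidator {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    private final String expectedThumbprintHex; // hex SHA-1 of the IdP signing certificate (assumed format)
    private final List<String> audienceUris;     // URIs this SP accepts in <Audience>

    public BearerAssertionValidator(String expectedThumbprintHex, List<String> audienceUris) {
        this.expectedThumbprintHex = expectedThumbprintHex.replace(" ", "").toLowerCase();
        this.audienceUris = audienceUris;
    }

    /** Returns the Assertion element if signer, signature, validity window and audience all check out. */
    public Element validate(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The token is untrusted input: refuse DTDs so no external entities are resolved while parsing.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) throw new SecurityException("expected exactly one Assertion");
        Element assertion = (Element) assertions.item(0);
        // DOM does not know ID is an ID-typed attribute; register it so Reference URI="#_..." resolves.
        assertion.setIdAttribute("ID", true);

        // 1. Signature: exactly one, a direct child of the Assertion, and its single Reference covers the Assertion.
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion)
            throw new SecurityException("expected exactly one enveloped Signature on the Assertion");
        DOMValidateContext ctx = new DOMValidateContext(new ThumbprintKeySelector(), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!signature.validate(ctx)) throw new SecurityException("XML signature does not verify");
        List<?> refs = signature.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertion.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI()))
            throw new SecurityException("signature does not cover the Assertion element");

        // 2. Validity window from <Conditions NotBefore="..." NotOnOrAfter="...">.
        Element conditions = (Element) assertion.getElementsByTagNameNS(SAML_NS, "Conditions").item(0);
        if (conditions == null) throw new SecurityException("missing Conditions");
        Instant now = Instant.now();
        if (now.isBefore(Instant.parse(conditions.getAttribute("NotBefore")))
                || !now.isBefore(Instant.parse(conditions.getAttribute("NotOnOrAfter"))))
            throw new SecurityException("assertion is not valid at this time");

        // 3. Audience restriction: at least one <Audience> must name this SP.
        NodeList audiences = conditions.getElementsByTagNameNS(SAML_NS, "Audience");
        boolean audienceOk = false;
        for (int i = 0; i < audiences.getLength(); i++)
            audienceOk |= audienceUris.contains(audiences.item(i).getTextContent().trim());
        if (!audienceOk) throw new SecurityException("assertion is not addressed to this SP");
        return assertion;
    }

    /** Accepts only the certificate in <KeyInfo> whose SHA-1 thumbprint matches the pinned IdP certificate. */
    private class ThumbprintKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof X509Data)) continue;
                for (Object content : ((X509Data) item).getContent()) {
                    if (!(content instanceof X509Certificate)) continue;
                    X509Certificate cert = (X509Certificate) content;
                    try {
                        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
                        StringBuilder hex = new StringBuilder();
                        for (byte b : digest) hex.append(String.format("%02x", b));
                        if (hex.toString().equals(expectedThumbprintHex)) return cert::getPublicKey;
                    } catch (Exception e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("no certificate in KeyInfo matches the pinned IdP thumbprint");
        }
    }
}
```

The order matters: the key is pinned by thumbprint before the signature is checked, the signature is checked before any field is trusted, and the Reference URI is compared against the Assertion's own ID so a signature over some other element cannot be accepted. Passing the whole RequestSecurityTokenResponseCollection from the question works because the validator locates the single Assertion inside it; anything else in the wrapper is ignored.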

2

The good news is that there are open-source Java SAML stacks, such as the Java Oracle OpenSSO Fedlet.

The bad news is that the IdentityServer product you are using does not support SAML.

It supports SAML tokens but not the SAML protocol.

+0

Does that mean I can't validate SAML tokens from the identity server? – Calvin 2013-05-01 03:38:52

+0

No - IdentityServer can validate tokens, but the token will be sent using WS-Fed rather than SAML. – nzpcmad 2013-05-01 18:42:49

2

Take a look at Shibboleth: http://shibboleth.net/products/service-provider.html. The easiest way to integrate Java with Shibboleth is to set up Apache httpd with Shibboleth and read the HTTP REMOTE_USER header from the request: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall. Shibboleth is a great framework and fully supports the SAML protocol.

You can also write the SP code yourself in Java using OpenSAML. OpenSAML is the library Shibboleth (linked above) uses. Instructions on how to get started developing: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoDeveloperManual

+0

Thanks for your answer! How does this work with an existing Java website? If the Java web application runs on Tomcat or Glassfish, does it need a second web server? – Calvin 2013-05-01 12:52:18

+0

Unfortunately, Shibboleth does not integrate with Tomcat or Glassfish. You will need to install an Apache httpd server. – Michael 2013-05-01 14:05:50
