2016-05-30 107 views
0

Is there a way to use Spring Security SAML to include required claims in the relying party (RP) metadata response?

Ideally I would like to provide a federation metadata URL to the various IdPs that also specifies which claim types we require for the RP (i.e. email address, first name, last name, etc.). I am currently testing with ADFS as the identity provider. When adding a Relying Party Trust using the wizard with the RP metadata URL, most of the information is pre-populated, except for the "Accepted Claims" tab.

[Screenshot: Microsoft ADFS "Add Relying Party Trust Wizard"]

I tried manually modifying the metadata XML (as specified in the docs) to include ClaimTypesRequired or ClaimTypesRequested elements inside RoleDescriptor, though I'm not sure what to add... I would also prefer to stick with the automatically generated metadata if possible.

Is my understanding of the RP metadata URL correct? Or would I be better off providing the URL to the IdPs and then telling them to add the additional claims?

Answers

0

There is no out-of-the-box support for requested claims in the automatically generated Spring SAML metadata. However, you can extend the MetadataGenerator class as needed to export additional data.

2

Thanks to Vladimir's suggestion, I extended the MetadataGenerator class to add AttributeConsumingService and RequestedAttribute content as follows. I'm posting it here in case it helps anyone.

import java.util.Collection;

import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.LocalizedString;
import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.ServiceDescription;
import org.opensaml.saml2.metadata.ServiceName;
import org.springframework.security.saml.metadata.MetadataGenerator;

public class MySAMLMetadataGenerator extends MetadataGenerator
{
    // Hook into the SPSSODescriptor that Spring SAML builds and attach an AttributeConsumingService to it
    @Override
    protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection<String> includedNameID)
    {
        SPSSODescriptor descriptor = super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned, wantAssertionSigned, includedNameID);
        descriptor.getAttributeConsumingServices().add(generateConsumingService());
        return descriptor;
    }

    // builderFactory is the protected XMLObjectBuilderFactory inherited from MetadataGenerator
    @SuppressWarnings("unchecked")
    private AttributeConsumingService generateConsumingService()
    {
        SAMLObjectBuilder<AttributeConsumingService> builder = (SAMLObjectBuilder<AttributeConsumingService>) builderFactory.getBuilder(AttributeConsumingService.DEFAULT_ELEMENT_NAME);
        AttributeConsumingService service = builder.buildObject();

        // Human-readable service name shown by the IdP
        SAMLObjectBuilder<ServiceName> builder2 = (SAMLObjectBuilder<ServiceName>) builderFactory.getBuilder(ServiceName.DEFAULT_ELEMENT_NAME);
        ServiceName serviceName = builder2.buildObject();
        serviceName.setName(new LocalizedString("application name", "en"));
        service.getNames().add(serviceName);

        SAMLObjectBuilder<ServiceDescription> builder3 = (SAMLObjectBuilder<ServiceDescription>) builderFactory.getBuilder(ServiceDescription.DEFAULT_ELEMENT_NAME);
        ServiceDescription serviceDescription = builder3.buildObject();
        serviceDescription.setDescription(new LocalizedString("Application description", "en"));
        service.getDescriptions().add(serviceDescription);

        // One RequestedAttribute per claim; the names are the ADFS/WS-Federation claim type URIs
        SAMLObjectBuilder<RequestedAttribute> builder4 = (SAMLObjectBuilder<RequestedAttribute>) builderFactory.getBuilder(RequestedAttribute.DEFAULT_ELEMENT_NAME);
        RequestedAttribute nameId = builder4.buildObject();
        nameId.setIsRequired(true);
        nameId.setFriendlyName("Name ID");
        nameId.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier");
        nameId.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(nameId);

        RequestedAttribute email = builder4.buildObject();
        email.setIsRequired(true);
        email.setFriendlyName("E-Mail Address");
        email.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
        email.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(email);

        RequestedAttribute givenName = builder4.buildObject();
        givenName.setIsRequired(true);
        givenName.setFriendlyName("Given Name");
        givenName.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
        givenName.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(givenName);

        RequestedAttribute surname = builder4.buildObject();
        //surname.setIsRequired(true);
        surname.setFriendlyName("Surname");
        surname.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname");
        surname.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(surname);

        // The index identifies this AttributeConsumingService in AuthnRequests
        service.setIndex(1);

        return service;
    }
}

Unfortunately, the Microsoft ADFS server doesn't seem to support these attributes for automatically setting up claims. So don't waste your time trying to get it to work like I did!
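Because a RequestedAttribute in SP metadata is only a request that an IdP such as ADFS may ignore, the SP still has to verify that the claims it depends on actually arrive in the assertion. The following is an added example, not part of the answer above: a Spring SAML SAMLUserDetailsService (hypothetical class name RequiredClaimsUserDetailsService; the set of required claim URIs is assumed to match the ones marked required in the metadata) that rejects assertions missing any of them.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

// Hypothetical class: enforces at login time the claims the SP asked for in its metadata.
// The IdP may ignore RequestedAttribute, so the SP checks what it actually received and fails closed.
public class RequiredClaimsUserDetailsService implements SAMLUserDetailsService {

    // Assumed required set: the claim URIs the metadata generator marks isRequired="true".
    // The NameID is checked separately because it arrives as the subject NameID, not as an attribute.
    private static final List<String> REQUIRED_ATTRIBUTES = Arrays.asList(
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        String issuer = credential.getRemoteEntityID();

        // Subject NameID must be present and non-empty
        if (credential.getNameID() == null || isBlank(credential.getNameID().getValue())) {
            throw new UsernameNotFoundException("Assertion from " + issuer + " has no NameID");
        }

        // Every attribute declared as required must be present in the assertion; otherwise reject the login
        for (String attribute : REQUIRED_ATTRIBUTES) {
            if (isBlank(credential.getAttributeAsString(attribute))) {
                throw new UsernameNotFoundException(
                        "Assertion from " + issuer + " lacks required attribute " + attribute);
            }
        }

        // Principal handed to the application; a String is accepted by SAMLAuthenticationProvider
        return credential.getAttributeAsString(
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
    }

    private static boolean isBlank(String value) {
        return value == null || value.trim().isEmpty();
    }
}
```

Wire it in with SAMLAuthenticationProvider.setUserDetails(...); a rejected assertion then surfaces as a failed authentication rather than a logged-in user with missing attributes.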