问题:

如何使用Spring Security SAML配置远程发现?

扈阳辉
2023-03-14

我正在尝试配置 Spring Security SAML 1.0.1，让它使用位于 https://discovery.renater.fr/test 的远程发现服务。但应用程序并没有到达该发现服务，而是直接跳转到了 CachingMetadataManager 的 defaultIDP 属性中指定的 IDP。

以下是我如何生成SP元数据:

<!-- Filter automatically generates default SP metadata -->
<!-- The nested ExtendedMetadata describes this SP itself: it switches on the discovery
     extension in the generated metadata and names the remote discovery service plus the
     URL that service should send the user back to.
     NOTE(review): idpDiscoveryResponseURL is plain http:// on a different host than the
     https:// discovery URL, so the selected IDP entityID would travel unencrypted on the
     way back - confirm that is intended. -->
<b:bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <b:constructor-arg>
        <b:bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <b:property name="includeDiscoveryExtension" value="true"/>
            <b:property name="extendedMetadata">
                <b:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <b:property name="idpDiscoveryEnabled" value="true"/>
                    <b:property name="idpDiscoveryURL" value="https://discovery.renater.fr/test"/>
                    <b:property name="idpDiscoveryResponseURL" value="http://acem.u-bretagneloire.fr/ACEM/saml/login/alias/defaultAlias?disco=true"/>
                </b:bean>
            </b:property>
        </b:bean>
    </b:constructor-arg>
</b:bean>

可以看到，我已经在 bean MetadataGenerator 中将属性 includeDiscoveryExtension 设置为 true。我还在 bean ExtendedMetadata 中设置了属性 idpDiscoveryEnabled、idpDiscoveryURL 和 idpDiscoveryResponseURL。但是，当我把应用程序的日志级别设为 "trace" 时，日志里从未出现过 idpDiscoveryURL 的值。

问题:在我的配置中缺少什么以到达发现URL?

<?xml version="1.0" encoding="UTF-8" ?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
   xmlns="http://www.springframework.org/schema/security"
   xmlns:p="http://www.springframework.org/schema/p"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:context="http://www.springframework.org/schema/context"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
          http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
          http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

<!-- Enable auto-wiring -->
<context:annotation-config/>

<!-- Scan for auto-wiring classes in spring saml packages -->
<!-- Only the org.springframework.security.saml package tree is scanned; application
     beans such as the userDetails service used by authProvider are declared explicitly
     further down. -->
<context:component-scan base-package="org.springframework.security.saml"/>

<!-- 
<http security="none" pattern="/favicon.ico"/>
<http security="none" pattern="/images/**"/>
<http security="none" pattern="/css/**"/>
<http security="none" pattern="/logout.jsp"/>
-->
<!-- Security for the administration UI -->
<!-- /saml/web/** is the Spring SAML admin UI. It is protected by form login against the
     in-memory adminInterfaceService user declared in the authentication-manager below,
     not by SAML; the login page itself is the only anonymous URL in this chain. -->
<http pattern="/saml/web/**" use-expressions="false">
    <access-denied-handler error-page="/saml/web/metadata/login"/>
    <form-login login-processing-url="/saml/web/login" login-page="/saml/web/metadata/login" default-target-url="/saml/web/metadata"/>
    <intercept-url pattern="/saml/web/metadata/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>
    <!-- SP metadata generation has to run before anything else in the chain -->
    <custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
</http>

<!-- Secured pages with SAML as entry point -->
<!-- 
<http entry-point-ref="samlEntryPoint" use-expressions="false">
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</http>
-->
<!-- Main application chain: unauthenticated requests are sent to samlEntryPoint, the
     SAML endpoints under /saml/** are handled by the samlFilter proxy declared below. -->
<http entry-point-ref="samlEntryPoint"  use-expressions="true" auto-config="true">
    <!-- For Spring Security 4.x, we need to disable csrf, otherwise AJAX requests get 403:-->
    <!-- NOTE(review): this turns CSRF protection off for every request in this chain, not
         only for the AJAX calls. Limiting the exemption to the affected paths (e.g. with a
         request-matcher) would keep the token check on ordinary state-changing form posts. -->
    <csrf disabled="true"/>
    <intercept-url access="permitAll" pattern="/" /><!-- To permit "/" allows the use of web.xml's <welcome-file> -->
    <intercept-url access="permitAll" pattern="/home" />
    <intercept-url access="permitAll" pattern="/pages/exceptions/**" />
    <intercept-url access="permitAll" pattern="/javax.faces.resource/**" />
    <intercept-url access="permitAll" pattern="/resources/**" />
    <intercept-url access="hasRole('ROLE_ADMIN')" pattern="/administration/**" />
    <intercept-url access="hasRole('ROLE_ADMIN')" pattern="/rest/**" />
    <intercept-url access="isAuthenticated()" pattern="/**"/><!-- When the user is authentificated by the IDP, but doesn't exist in the application database -->
    <!-- Deliberate placeholder (see its name): authentication is expected to start at
         samlEntryPoint, so this page should never be reached. -->
    <form-login login-page="/login-page-should-not-be-generated-when-using-saml" />
    <!-- Local logout only; SAML single logout is served by samlLogoutFilter under
         /saml/logout/** (see samlFilter). -->
    <logout logout-url="/logout" logout-success-url="/home"/>
    <custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</http>

<!-- Filters for processing of SAML messages -->
<!-- Ant-style dispatch of the /saml/** endpoints to the individual SAML filters. This
     proxy is plugged into the main chain after BASIC_AUTH_FILTER; /saml/metadata/**
     publishes the SP metadata and /saml/discovery/** runs the local IDP selection page
     (samlIDPDiscovery). -->
<b:bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map request-matcher="ant">
        <filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
        <filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
        <filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
        <filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
        <filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
        <filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
        <filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
    </filter-chain-map>
</b:bean>

<!-- Handler deciding where to redirect user after successful login -->
<!-- alwaysUseDefaultTargetUrl="true" means the saved request is ignored: every successful
     SAML login lands on "/" regardless of the page originally requested. -->
<b:bean id="successRedirectHandler"
      class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
      p:defaultTargetUrl="/"
      p:alwaysUseDefaultTargetUrl="true"/>
<!--
Use the following for interpreting RelayState coming from unsolicited response as redirect URL:
<b:bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
   <b:property name="defaultTargetUrl" value="/" />
</b:bean>
-->

<!-- Handler deciding where to redirect user after failed login -->
<!-- Failed SAML logins are forwarded server-side to /error.jsp rather than redirected. -->
<b:bean id="failureRedirectHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
      p:useForward="true"
      p:defaultFailureUrl="/error.jsp"/>

<!-- Handler for successful logout -->
<!-- Shared by samlLogoutFilter and samlLogoutProcessingFilter as the post-logout page. -->
<b:bean id="successLogoutHandler"
      class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"
      p:defaultTargetUrl="/logout.jsp"/>

<!-- Shared authentication manager: SAML assertions go to authProvider, the admin UI uses
     the in-memory user below. -->
<authentication-manager alias="authenticationManager">
    <!-- Register authentication manager for SAML provider -->
    <authentication-provider ref="authProvider"/>
    <!-- Register authentication manager for administration UI -->
    <!-- NOTE(review): static admin/admin credential in clear text, carried over from the
         Spring SAML sample. It unlocks /saml/web/** (ROLE_ADMIN) and, since the security
         context is shared across the chains, presumably also the hasRole('ROLE_ADMIN')
         rules for /administration/** and /rest/** - confirm. Replace it and keep the
         password out of the config (property placeholder or a real user store) before
         deploying. -->
    <authentication-provider>
        <user-service id="adminInterfaceService">
            <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

<!-- Logger for SAML messages and events -->
<!-- Default SAML logger; no properties are set, so it runs with its built-in defaults. -->
<b:bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>

<!-- Central storage of cryptographic keys -->
<!-- NOTE(review): keystore path, store password and key password are hard-coded, and
     samlKeystore.jks / "nalle123" / "apollo" are the values shipped with the Spring SAML
     sample. If this really is the sample keystore its private key is public and every
     signature or decryption this SP performs can be forged; generate a dedicated key pair
     and inject the passwords through a property placeholder instead of committing them. -->
<b:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <!-- Keystore location on the classpath -->
    <b:constructor-arg value="classpath:security/samlKeystore.jks"/>
    <!-- Keystore password -->
    <b:constructor-arg type="java.lang.String" value="nalle123"/>
    <!-- Key alias -> key password -->
    <b:constructor-arg>
        <b:map>
            <b:entry key="apollo" value="nalle123"/>
        </b:map>
    </b:constructor-arg>
    <!-- Default key alias -->
    <b:constructor-arg type="java.lang.String" value="apollo"/>
</b:bean>

<!-- Entry point to initialize authentication, default values taken from properties file -->
<!-- Starts the WebSSO flow for unauthenticated requests; includeScoping=false keeps the
     Scoping element out of the generated AuthnRequest. -->
<b:bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <b:property name="defaultProfileOptions">
        <b:bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"
                p:includeScoping="false"/>
    </b:property>
</b:bean>

<!-- IDP Discovery Service -->
<!-- Local discovery: renders the IDP selection page when /saml/discovery/** is requested
     (see samlFilter). Remote discovery is configured on the metadata side instead. -->
<b:bean id="samlIDPDiscovery"
        class="org.springframework.security.saml.SAMLDiscovery"
        p:idpSelectionPath="/WEB-INF/security/idpSelection.jsp"/>

<!-- Filter automatically generates default SP metadata -->
<!-- The ExtendedMetadata here is the SP's own. NOTE: setting idpDiscoveryEnabled /
     idpDiscoveryURL only here (SP side) was found not to route logins through the remote
     discovery service; the same two properties also have to be set on the default
     ExtendedMetadata of the IDP metadata delegate (bean "metadata" below). -->
<b:bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <b:constructor-arg>
        <b:bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <!-- Advertise the discovery extension in the generated SP metadata -->
            <b:property name="includeDiscoveryExtension" value="true"/>
            <b:property name="extendedMetadata">
                <b:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <b:property name="idpDiscoveryEnabled" value="true"/>
                    <b:property name="idpDiscoveryURL" value="https://discovery.renater.fr/test"/>
                    <!-- NOTE(review): plain http:// return URL while the discovery service is https:// - confirm -->
                    <b:property name="idpDiscoveryResponseURL" value="http://acem.u-bretagneloire.fr/ACEM/saml/login/alias/defaultAlias?disco=true"/>
                </b:bean>
            </b:property>
        </b:bean>
    </b:constructor-arg>
</b:bean>

<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<!-- Mapped at /saml/metadata/** by samlFilter; the generated metadata (including the
     discovery extension) is presumably served before the /** access rule applies, i.e.
     without authentication, which is the normal arrangement for SP metadata. -->
<b:bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>

<!-- Configure HTTP Client to accept certificates from the keystore for HTTPS verification -->
<!--
<b:bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
    <b:property name="sslHostnameVerification" value="default"/>
</b:bean>
-->

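<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of 
    trust is here -->
<!-- Loads the Renater test federation metadata over HTTPS and wraps it in an
    ExtendedMetadataDelegate. The delegate's default ExtendedMetadata is where the remote
    IDP discovery is switched on: idpDiscoveryEnabled/idpDiscoveryURL have to be set here
    (IDP side); setting them only on the SP's ExtendedMetadata in metadataGeneratorFilter
    does not route logins through the discovery service. -->
<b:bean id="metadata"
    class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <b:constructor-arg>
        <b:list>
            <b:bean
                class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <b:constructor-arg>
                    <b:bean
                        class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <b:constructor-arg>
                            <b:value type="java.lang.String">https://federation.renater.fr/test/renater-test-metadata.xml</b:value>
                        </b:constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <b:constructor-arg>
                            <b:value type="int">15000</b:value>
                        </b:constructor-arg>
                        <b:property name="parserPool" ref="parserPool" />
                    </b:bean>
                </b:constructor-arg>
                <b:constructor-arg>
                    <!-- Default extended metadata for entities not specified in the map -->
                    <!-- Remote discovery is enabled here so that logins against IDPs from
                         this federation go through the discovery service first. -->
                    <b:bean
                        class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <b:property name="idpDiscoveryEnabled" value="true"/>
                        <b:property name="idpDiscoveryURL" value="https://discovery.renater.fr/test"/>
                    </b:bean>
                </b:constructor-arg>
                <b:constructor-arg>
                    <!-- Extended metadata for specific IDPs -->
                    <!-- NOTE(review): an entry in this map replaces the default ExtendedMetadata
                         for that entityID, so the ssocircle entry below does not get the
                         discovery settings. It looks like a leftover from the sample config;
                         drop it if that IDP is not part of the Renater federation. -->
                    <b:map>
                        <b:entry key="http://idp.ssocircle.com">
                            <b:bean
                                class="org.springframework.security.saml.metadata.ExtendedMetadata" />
                        </b:entry>
                    </b:map>
                </b:constructor-arg>
            </b:bean>
        </b:list>
    </b:constructor-arg>
    <!-- NOTE(review): the federation metadata is fetched over HTTPS but no signature check is
         configured on the delegate (metadataTrustCheck / metadataRequireSignature /
         metadataTrustedKeys are left at their defaults); confirm whether the federation's
         metadata signing key should be pinned. -->
    <!-- OPTIONAL used when one of the metadata files contains information 
        about this service provider -->
    <!-- <b:property name="hostedSPName" value=""/> -->
    <!-- OPTIONAL property: can tell the system which IDP should be used for 
        authenticating user by default. -->
    <!-- Kept as the fallback IDP; with discovery enabled above the entry point is expected
         to consult the discovery service before falling back to it. -->
    <b:property name="defaultIDP" value="https://ident-shib-test.univ-rennes1.fr/idp/shibboleth"/>
</b:bean>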

<!--
    NOTE: In a real application you should not use an in memory implementation. You will also want
          to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup()
 -->
<!-- NOTE(review): this is a CAS client bean (org.jasig.cas), not part of the SAML setup,
     and no other bean in this listing references pgtStorage. If CAS proxy tickets are not
     used by the application it can be removed. -->
<b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<b:bean id="authProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
    <!-- OPTIONAL property: can be used to store/load user data after login -->
    <!-- Application-specific hook (eu.ueb.acem): the user details it returns become the
         principal and supply its authorities - this is where an IDP-authenticated user
         that is unknown to the application database is presumably handled. -->
    <b:property name="userDetails">
        <b:bean class="eu.ueb.acem.services.auth.SamlAuthenticationUserDetailsService"/>
    </b:property>
</b:bean>

<!-- Provider of default SAML Context -->
<!-- NOTE(review): SAMLContextProviderImpl derives the SP's own endpoint URLs from the
     incoming request. If the application sits behind a reverse proxy or load balancer the
     computed values may not match the http://acem.u-bretagneloire.fr/... URLs in the
     metadata; Spring SAML ships SAMLContextProviderLB for that case - confirm. -->
<b:bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>

<!-- Processing filter for WebSSO profile messages -->
<!-- Consumes the SAML Response posted to /saml/SSO/** (see samlFilter) and hands the
     outcome to the shared success/failure handlers. -->
<b:bean id="samlWebSSOProcessingFilter"
        class="org.springframework.security.saml.SAMLProcessingFilter"
        p:authenticationManager-ref="authenticationManager"
        p:authenticationSuccessHandler-ref="successRedirectHandler"
        p:authenticationFailureHandler-ref="failureRedirectHandler"/>

<!-- Processing filter for WebSSO Holder-of-Key profile -->
<!-- Holder-of-Key variant of the filter above, served at /saml/SSOHoK/** (see samlFilter);
     same manager and handlers. -->
<b:bean id="samlWebSSOHoKProcessingFilter"
        class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter"
        p:authenticationManager-ref="authenticationManager"
        p:authenticationSuccessHandler-ref="successRedirectHandler"
        p:authenticationFailureHandler-ref="failureRedirectHandler"/>

<!-- Logout handler terminating local session -->
<!-- NOTE(review): invalidateHttpSession="false" clears the security context but keeps the
     HTTP session (and whatever else is stored in it) alive after logout - confirm that is
     intended. -->
<b:bean id="logoutHandler"
      class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
      p:invalidateHttpSession="false"/>

<!-- Override default logout processing filter with the one processing SAML messages -->
<!-- Mapped at /saml/logout/** by samlFilter. Constructor args: logout success handler,
     local logout handlers, global (single logout) handlers - the same logoutHandler is
     used for both. -->
<b:bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <b:constructor-arg index="0" ref="successLogoutHandler"/>
    <b:constructor-arg index="1" ref="logoutHandler"/>
    <b:constructor-arg index="2" ref="logoutHandler"/>
</b:bean>

<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<!-- Mapped at /saml/SingleLogout/** by samlFilter; this is the endpoint the IDP calls for
     IDP-initiated logout. -->
<b:bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <b:constructor-arg index="0" ref="successLogoutHandler"/>
    <b:constructor-arg index="1" ref="logoutHandler"/>
</b:bean>

<!-- Class loading incoming SAML messages from httpRequest stream -->
<!-- Inbound message processor built from the bindings declared further down (redirect,
     POST, artifact, SOAP, PAOS). -->
<b:bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
    <b:constructor-arg>
        <b:list>
            <b:ref bean="redirectBinding"/>
            <b:ref bean="postBinding"/>
            <b:ref bean="artifactBinding"/>
            <b:ref bean="soapBinding"/>
            <b:ref bean="paosBinding"/>
        </b:list>
    </b:constructor-arg>
</b:bean>

<!-- SAML 2.0 WebSSO Assertion Consumer -->
<!-- Default consumer for assertions received on the WebSSO endpoint; picked up by id,
     nothing in this file references it explicitly. -->
<b:bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<!-- Holder-of-Key counterpart of webSSOprofileConsumer, used for the /saml/SSOHoK/** endpoint. -->
<b:bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

<!-- SAML 2.0 Web SSO profile -->
<!-- Builds and sends the AuthnRequest on behalf of samlEntryPoint. -->
<b:bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<!-- NOTE(review): declared with the same consumer class as hokWebSSOprofileConsumer above.
     This is how the Spring SAML sample ships it, but check that a consumer is really what
     was intended under the "profile" id. -->
<b:bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

<!-- SAML 2.0 ECP profile -->
<!-- Enhanced Client or Proxy profile; relies on paosBinding being registered in the processor. -->
<b:bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

<!-- SAML 2.0 Logout Profile -->
<!-- Single logout profile used by samlLogoutFilter and samlLogoutProcessingFilter. -->
<b:bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<!-- HTTP-POST binding; the Velocity engine renders the auto-submit HTML form. -->
<b:bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
    <b:constructor-arg ref="parserPool"/>
    <b:constructor-arg ref="velocityEngine"/>
</b:bean>

<!-- HTTP-Redirect binding with DEFLATE encoding; only the parser pool is needed. -->
<b:bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
    <b:constructor-arg>
        <b:ref bean="parserPool"/>
    </b:constructor-arg>
</b:bean>

<!-- HTTP-Artifact binding: the artifact is resolved by calling the IDP's artifact resolution
     endpoint over SOAP with a commons-httpclient instance.
     NOTE(review): TLS trust for that outbound call is not configured in this file (the
     TLSProtocolConfigurer above is commented out) - confirm how the resolution endpoint's
     certificate is validated. -->
<b:bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
    <b:constructor-arg ref="parserPool"/>
    <b:constructor-arg ref="velocityEngine"/>
    <b:constructor-arg>
        <b:bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
            <b:constructor-arg>
                <!-- Pooled HTTP client used for the resolution request -->
                <b:bean class="org.apache.commons.httpclient.HttpClient">
                    <b:constructor-arg>
                        <b:bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                    </b:constructor-arg>
                </b:bean>
            </b:constructor-arg>
            <!-- A dedicated processor that only speaks SOAP, separate from the main "processor" bean -->
            <b:property name="processor">
                <b:bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                    <b:constructor-arg ref="soapBinding"/>
                </b:bean>
            </b:property>
        </b:bean>
    </b:constructor-arg>
</b:bean>

<!-- SOAP 1.1 binding; shared by the main processor and the artifact resolution processor. -->
<b:bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
    <b:constructor-arg>
        <b:ref bean="parserPool"/>
    </b:constructor-arg>
</b:bean>

<!-- PAOS binding (reverse SOAP) used by the ECP profile. -->
<b:bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
    <b:constructor-arg>
        <b:ref bean="parserPool"/>
    </b:constructor-arg>
</b:bean>

<!-- Initialization of OpenSAML library-->
<!-- Bootstraps OpenSAML when the context starts; it has no id because nothing references it. -->
<b:bean class="org.springframework.security.saml.SAMLBootstrap"/>

<!-- Initialization of the velocity engine -->
<!-- Shared template engine used by postBinding and artifactBinding to render HTML forms. -->
<b:bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

<!-- XML parser pool needed for OpenSAML parsing -->
<!-- Every inbound SAML message and the federation metadata are parsed through this pool.
     NOTE(review): in some OpenSAML versions setting builderFeatures replaces the pool's
     default feature map rather than adding to it; confirm that DOCTYPE / external entity
     processing is still disabled for the parsers it hands out. -->
<b:bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
    <b:property name="builderFeatures">
        <b:map>
            <b:entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
        </b:map>
    </b:property>
</b:bean>

<!-- Static holder exposing the parser pool; nothing in this file references it by id. -->
<b:bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>

共有1个答案

白念
2023-03-14

我终于找到了解决方案,可以到达发现URL(它返回一个错误,但这将是另一个问题)。

对我的问题的解释是:

<b:property name="idpDiscoveryEnabled" value="true"/>
<b:property name="idpDiscoveryURL" value="https://discovery.renater.fr/test"/>

必须在 IDP 元数据一侧设置（即 ExtendedMetadataDelegate 中注释为 "Default extended metadata for entities not specified in the map" 的那个默认 ExtendedMetadata bean 里），而不是像我之前那样设置在 SP 元数据中。

为了启用外部 IDP 发现服务，请将本地 SP 扩展元数据中的属性 idpDiscoveryURL 配置为外部发现 URL，并确保属性 idpDiscoveryEnabled 设置为 true。远程发现服务需要支持 Identity Provider Discovery Service Protocol and Profile。

根据我的经验，上面这段文档中关于"本地 SP 扩展元数据"的说法（原文以粗体标出）可能是错误的。
