2.9. Other Features
2.9.1. SAML Assertion Encryption
In addition to the SSL/TLS encryption provided between the IDP and the SP, the SAML assertion itself can also be encrypted. This can be used to protect SAML v2 assertions that are transmitted over an insecure channel, for example without SSL/TLS.

To encrypt security assertions directly between the IDP and the SP, the following steps must be performed in both the IDP and the SP picketlink.xml files:

1. Enable encryption and signature support.

To enable encryption, <PicketLinkIDP> and <PicketLinkSP> must be updated. For the IDP, add or update the Encrypt and SupportsSignatures attributes on <PicketLinkIDP> to true:

    <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
      ...
      <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true">
        ...
      </PicketLinkIDP>
    </PicketLink>

For the SP, add or update the SupportsSignatures attribute on <PicketLinkSP> to true:

    <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
      ...
      <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
        ...
      </PicketLinkSP>
    </PicketLink>

2. Add handlers.

In addition, handlers must be added to <Handlers>. For the IDP, add SAML2EncryptionHandler and SAML2SignatureValidationHandler to the picketlink.xml file:

    <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
      ...
      <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2EncryptionHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
      </Handlers>
    </PicketLink>

For the SP, add SAML2SignatureGenerationHandler and SAML2SignatureValidationHandler to the picketlink.xml file:

    <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
      ...
      <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
      </Handlers>
    </PicketLink>

Warning: Handlers are implemented as a chain of responsibility; each handler applies its logic to the request and the response in the order defined in picketlink.xml. Take care with the order in which handlers are configured. SAML2SignatureGenerationHandler must not be configured in the same chain as SAML2EncryptionHandler, because that would cause the SAML message to be signed multiple times.

3. Configure the key provider.

Finally, the <KeyProvider> element must be added to BOTH picketlink.xml files. This element provides the location of, and the credentials for, the Java keystore used to encrypt and decrypt the security assertions. For an example of generating a Java keystore, see the JBoss EAP How to Configure Server Security guide. For the IDP, the element should be added inside <PicketLinkIDP>:

    <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
      ...
      <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true">
        ...
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
          <Auth Key="KeyStoreURL" Value="/my_keystore.jks" />
          <Auth Key="KeyStorePass" Value="store123" />
          <Auth Key="SigningKeyPass" Value="test123" />
          <Auth Key="SigningKeyAlias" Value="servercert" />
          <ValidatingAlias Key="idp.example.com" Value="servercert" />
          <ValidatingAlias Key="localhost" Value="servercert" />
          <ValidatingAlias Key="sp1.example.com" Value="servercert" />
          <ValidatingAlias Key="sp2.example.com" Value="servercert" />
        </KeyProvider>
        ...
      </PicketLinkIDP>
      ...
    </PicketLink>

For the SP, the element should be added inside <PicketLinkSP>:

    <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
      ...
      <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
        ...
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
          <Auth Key="KeyStoreURL" Value="/my_keystore.jks" />
          <Auth Key="KeyStorePass" Value="store123" />
          <Auth Key="SigningKeyPass" Value="test123" />
          <Auth Key="SigningKeyAlias" Value="servercert" />
          <ValidatingAlias Key="idp.example.com" Value="servercert" />
          <ValidatingAlias Key="localhost" Value="servercert" />
        </KeyProvider>
        ...
      </PicketLinkSP>
    </PicketLink>

Note: For assertions to be encrypted and decrypted correctly, the IDP needs to generate signatures, and the SP needs to validate those signatures and determine where they came from. This is done with the <ValidatingAlias> element. A <ValidatingAlias> is needed for every trusted server/domain, that is, for every entry in the <Trust> element. SPs need a <ValidatingAlias> for every server/domain that contains an IDP.
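As an added example (not part of this guide or of PicketLink itself), the following Python script checks a picketlink.xml against the constraints listed in the three steps above: the Encrypt and SupportsSignatures attributes, the required handlers for each role, the rule that SAML2SignatureGenerationHandler and SAML2EncryptionHandler must not share a chain, and the presence of a <KeyProvider> with <ValidatingAlias> entries. The lint_picketlink function name and the embedded sample configurations are my own constructions; the namespaces and handler class names are the ones used in this section.

```python
import xml.etree.ElementTree as ET

CFG_NS = "urn:picketlink:identity-federation:config:2.1"
HND_NS = "urn:picketlink:identity-federation:handler:config:2.1"
PKG = "org.picketlink.identity.federation.web.handlers.saml2."

def lint_picketlink(xml_text: str) -> list[str]:
    """Return findings for an IDP or SP picketlink.xml; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{CFG_NS}}}PicketLinkIDP")
    party = idp if idp is not None else root.find(f"{{{CFG_NS}}}PicketLinkSP")
    if party is None:
        return ["no PicketLinkIDP or PicketLinkSP element found"]
    role, findings = ("IDP" if idp is not None else "SP"), []
    if role == "IDP" and party.get("Encrypt") != "true":
        findings.append('IDP: Encrypt must be "true"')
    if party.get("SupportsSignatures") != "true":
        findings.append(f'{role}: SupportsSignatures must be "true"')
    # The handler chain is ordered (chain of responsibility), so keep it as a list, not a set
    chain = [h.get("class", "") for h in root.iter(f"{{{HND_NS}}}Handler")]
    required = {"IDP": ["SAML2EncryptionHandler", "SAML2SignatureValidationHandler"],
                "SP": ["SAML2SignatureGenerationHandler", "SAML2SignatureValidationHandler"]}[role]
    for name in required:
        if PKG + name not in chain:
            findings.append(f"{role}: missing handler {name}")
    if PKG + "SAML2SignatureGenerationHandler" in chain and PKG + "SAML2EncryptionHandler" in chain:
        findings.append("SAML2SignatureGenerationHandler and SAML2EncryptionHandler share a chain (message would be signed twice)")
    kp = party.find(f"{{{CFG_NS}}}KeyProvider")
    if kp is None:
        findings.append(f"{role}: missing KeyProvider")
    elif not kp.findall(f"{{{CFG_NS}}}ValidatingAlias"):
        findings.append(f"{role}: KeyProvider has no ValidatingAlias entries")
    return findings

# Constructed sample: an IDP configured as the section describes (keystore path and alias are placeholders)
GOOD_IDP = f"""<PicketLink xmlns="{CFG_NS}">
  <PicketLinkIDP xmlns="{CFG_NS}" Encrypt="true" SupportsSignatures="true">
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <ValidatingAlias Key="sp1.example.com" Value="servercert"/>
    </KeyProvider>
  </PicketLinkIDP>
  <Handlers xmlns="{HND_NS}">
    <Handler class="{PKG}SAML2EncryptionHandler"/>
    <Handler class="{PKG}SAML2SignatureValidationHandler"/>
  </Handlers>
</PicketLink>"""
# Constructed misconfiguration: Encrypt dropped and a signature-generation handler placed beside encryption
BAD_IDP = GOOD_IDP.replace(' Encrypt="true"', "").replace(
    f'<Handler class="{PKG}SAML2EncryptionHandler"/>',
    f'<Handler class="{PKG}SAML2SignatureGenerationHandler"/><Handler class="{PKG}SAML2EncryptionHandler"/>')
```

Running lint_picketlink(GOOD_IDP) returns an empty list, while lint_picketlink(BAD_IDP) reports the missing Encrypt attribute and the signature/encryption handler conflict.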