2.9. 其他功能

2.9.1. SAML 断言加密
复制链接

除了在 Is 和 SP 之间提供 SSL/TLS 加密外，SAML 断言本身也可进行加密。这可用于保护以不安全方式传输的 SAML v2 断言，例如不使用 SSL/TLS。

要直接在 IDP 和 SP 中对安全断言进行加密，必须在 IDP 和 SP picket link.xml 文件中执行以下步骤：

启用 加密 和支持系统.

要启用加密，必须更新 <PicketLinkIDP> 和 <PicketLinkSP>。

对于 IDP，将 <PicketLinkIDP> 中的 Encrypt 和 SupportsSignatures 属性 添加或更新为 true：

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true">
    ...
  </PicketLinkIDP>
</PicketLink>

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true">
    ...
  </PicketLinkIDP>
</PicketLink>

Copy to Clipboard

Toggle word wrap

对于 SP，添加或更新 <PicketLinkSP> 中的 SupportsSignatures 属性 为 true：

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
    ...
  </PicketLinkSP>
</PicketLink>

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
    ...
  </PicketLinkSP>
</PicketLink>

Copy to Clipboard

Toggle word wrap

添加处理程序.

此外，处理器必须添加到 <Handlers>。

对于 IDP，将 SAML2EncryptionHandler 和 SAML2SignatureValidationHandler 添加到 picketlink.xml 文件中：

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2EncryptionHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2EncryptionHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>

Copy to Clipboard

Toggle word wrap

对于 SP，将 SAML2SignatureGenerationHandler 和 SAML2SignatureValidationHandler 添加到 picketlink.xml 文件中：

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>

Copy to Clipboard

Toggle word wrap

警告

处理程序通过责任链来实施，每个处理程序按照 selectet link.xml 定义的顺序执行请求和响应的逻辑。务必要注意处理程序的配置顺序。

SAML2SignatureGenerationHandler 不能在与 SAML2EncryptoinHandler 相同的链中配置。这将导致 SAML 消息签名多次。

配置密钥提供程序.

最后，必须将 <KeyProvider> 元素添加到 BOTH picket link.xml 文件中。此元素提供用于访问用于加密和解密安全断言的 Java 密钥存储的位置和凭据。有关生成 Java 密钥存储的示例，请参阅 JBoss EAP如何配置服务器安全指南。

对于 IDP，该元素应添加到 <PicketLinkIDP> 中：

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true">
    ...
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/my_keystore.jks" />
      <Auth Key="KeyStorePass" Value="store123" />
      <Auth Key="SigningKeyPass" Value="test123" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <ValidatingAlias Key="idp.example.com" Value="servercert" />
      <ValidatingAlias Key="localhost" Value="servercert" />
      <ValidatingAlias Key="sp1.example.com" Value="servercert" />
      <ValidatingAlias Key="sp2.example.com" Value="servercert" />
    </KeyProvider>
    ...
  </PicketLinkIDP>
  ...
<PicketLink>

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true">
    ...
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/my_keystore.jks" />
      <Auth Key="KeyStorePass" Value="store123" />
      <Auth Key="SigningKeyPass" Value="test123" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <ValidatingAlias Key="idp.example.com" Value="servercert" />
      <ValidatingAlias Key="localhost" Value="servercert" />
      <ValidatingAlias Key="sp1.example.com" Value="servercert" />
      <ValidatingAlias Key="sp2.example.com" Value="servercert" />
    </KeyProvider>
    ...
  </PicketLinkIDP>
  ...
<PicketLink>

Copy to Clipboard

Toggle word wrap

对于 SP，该元素应添加到 <PicketLinkSP> 中：

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
    ...
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/my_keystore.jks" />
      <Auth Key="KeyStorePass" Value="store123" />
      <Auth Key="SigningKeyPass" Value="test123" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <ValidatingAlias Key="idp.example.com" Value="servercert" />
      <ValidatingAlias Key="localhost" Value="servercert" />
    </KeyProvider>
    ...
  </PicketLinkSP>
</PicketLink>

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  ...
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
    ...
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/my_keystore.jks" />
      <Auth Key="KeyStorePass" Value="store123" />
      <Auth Key="SigningKeyPass" Value="test123" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <ValidatingAlias Key="idp.example.com" Value="servercert" />
      <ValidatingAlias Key="localhost" Value="servercert" />
    </KeyProvider>
    ...
  </PicketLinkSP>
</PicketLink>

Copy to Clipboard

Toggle word wrap

注意

为了正确加密和解密断言，IDP 需要生成签名，SP 需要验证这些签名并确定签名的来源。这通过 <ValidatingAlias> 元素来完成。对于受信任的每个可信服务器/域，需要有一个 <ValidatingAlias&gt;，这是 <Trust> 元素中的每个条目。SPS 需要 为每个包含 IDP 的服务器/域都有一个 <ValidatingAlias>。

2.9. 其他功能

2.9.1. SAML 断言加密
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.9. 其他功能

2.9.1. SAML 断言加密复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.9.1. SAML 断言加密
复制链接