红帽全球峰会2.9. 其他功能
2.9.1. SAML 断言加密
除了在 Is 和 SP 之间提供 SSL/TLS 加密外,SAML 断言本身也可进行加密。这可用于保护以不安全方式传输的 SAML v2 断言,例如不使用 SSL/TLS。
要直接在 IDP 和 SP 中对安全断言进行加密,必须在 IDP 和 SP picket link.xml 文件中执行以下步骤:
启用
加密和支持系统.要启用加密,必须更新
<PicketLinkIDP>和<PicketLinkSP>。对于 IDP,将
<PicketLinkIDP>中的Encrypt和SupportsSignatures 属性添加或更新为 true:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true"> ... </PicketLinkIDP> </PicketLink>对于 SP,添加或更新
<PicketLinkSP>中的SupportsSignatures 属性为 true:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true"> ... </PicketLinkSP> </PicketLink>添加处理程序.
此外,处理器必须添加到
<Handlers>。对于 IDP,将
SAML2EncryptionHandler和SAML2SignatureValidationHandler添加到picketlink.xml文件中:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2EncryptionHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> </Handlers> </PicketLink>对于 SP,将
SAML2SignatureGenerationHandler和SAML2SignatureValidationHandler添加到picketlink.xml文件中:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> </Handlers> </PicketLink>警告处理程序通过责任链来实施,每个处理程序按照 selectet
link.xml定义的顺序执行请求和响应的逻辑。务必要注意处理程序的配置顺序。SAML2SignatureGenerationHandler不能在与SAML2EncryptoinHandler相同的链中配置。这将导致 SAML 消息签名多次。配置密钥提供程序.
最后,必须将
<KeyProvider>元素添加到 BOTH picketlink.xml文件中。此元素提供用于访问用于加密和解密安全断言的 Java 密钥存储的位置和凭据。有关生成 Java 密钥存储的示例,请参阅 JBoss EAP如何配置服务器安全指南 。对于 IDP,该元素应添加到
<PicketLinkIDP>中:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" Encrypt="true" SupportsSignatures="true"> ... <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> <Auth Key="KeyStoreURL" Value="/my_keystore.jks" /> <Auth Key="KeyStorePass" Value="store123" /> <Auth Key="SigningKeyPass" Value="test123" /> <Auth Key="SigningKeyAlias" Value="servercert" /> <ValidatingAlias Key="idp.example.com" Value="servercert" /> <ValidatingAlias Key="localhost" Value="servercert" /> <ValidatingAlias Key="sp1.example.com" Value="servercert" /> <ValidatingAlias Key="sp2.example.com" Value="servercert" /> </KeyProvider> ... </PicketLinkIDP> ... <PicketLink>对于 SP,该元素应添加到
<PicketLinkSP>中:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true"> ... <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> <Auth Key="KeyStoreURL" Value="/my_keystore.jks" /> <Auth Key="KeyStorePass" Value="store123" /> <Auth Key="SigningKeyPass" Value="test123" /> <Auth Key="SigningKeyAlias" Value="servercert" /> <ValidatingAlias Key="idp.example.com" Value="servercert" /> <ValidatingAlias Key="localhost" Value="servercert" /> </KeyProvider> ... </PicketLinkSP> </PicketLink>注意为了正确加密和解密断言,IDP 需要生成签名,SP 需要验证这些签名并确定签名的来源。这通过
<ValidatingAlias>元素来完成。对于受信任的每个可信服务器/域,需要有一个 <ValidatingAlias>,这是<Trust>元素中的每个条目。SPS 需要为每个包含 IDP 的服务器/域都有一个 <ValidatingAlias>。
2.9.2. 断言中的数字签名
数字签名允许 IDP 为 SAML v2 安全断言签名,并让 SP 验证这些签名和断言。这对于验证断言的真实性非常有用,特别是对于以不安全的方式传输的断言(例如不使用 SSL/TLS)时。
要在安全断言中直接在 IDP 和 SP 中启用数字签名,必须在 IDP 和 SP picket link.xml 文件中执行以下步骤:
启用
SupportsSignatures。要启用数字签名,必须更新
<PicketLinkIDP>和<PicketLinkSP>元素。对于 IDP 和 SP,添加或更新
<PicketLinkSP>中的SupportsSignatures 属性为 true:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true"> ... </PicketLinkIDP> </PicketLink><PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true"> ... </PicketLinkSP> </PicketLink>添加处理程序.
此外,处理器必须添加到
<Handlers>。对于 IDP 和 SP,将
SAML2SignatureGenerationHandler和SAML2SignatureValidationHandler添加到picketlink.xml文件中:IDP picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> </Handlers> </PicketLink>SP picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" /> <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> </Handlers> </PicketLink>警告处理程序通过责任链来实施,每个处理程序按照 selectet
link.xml定义的顺序执行请求和响应的逻辑。务必要注意处理程序的配置顺序。SAML2SignatureGenerationHandler不能在与SAML2EncryptionHandler相同的链中配置。这将导致 SAML 消息签名多次。配置密钥提供程序.
最后,必须将
<KeyProvider>元素添加到 BOTH picketlink.xml文件中。此元素提供访问用于签署安全断言的 Java 密钥存储的位置和凭据。有关生成 Java 密钥存储的示例,请参阅 JBoss EAP如何配置服务器安全指南 。对于 IDP,该元素应添加到
<PicketLinkIDP>中:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true"> ... <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> <Auth Key="KeyStoreURL" Value="/my_keystore.jks" /> <Auth Key="KeyStorePass" Value="store123" /> <Auth Key="SigningKeyPass" Value="test123" /> <Auth Key="SigningKeyAlias" Value="servercert" /> <ValidatingAlias Key="idp.example.com" Value="servercert" /> <ValidatingAlias Key="localhost" Value="servercert" /> <ValidatingAlias Key="sp1.example.com" Value="servercert" /> <ValidatingAlias Key="sp2.example.com" Value="servercert" /> </KeyProvider> ... </PicketLinkIDP> ... <PicketLink>对于 SP,该元素应添加到
<PicketLinkSP>中:<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> ... <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true"> ... <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager"> <Auth Key="KeyStoreURL" Value="/my_keystore.jks" /> <Auth Key="KeyStorePass" Value="store123" /> <Auth Key="SigningKeyPass" Value="test123" /> <Auth Key="SigningKeyAlias" Value="servercert" /> <ValidatingAlias Key="idp.example.com" Value="servercert" /> <ValidatingAlias Key="localhost" Value="servercert" /> </KeyProvider> ... </PicketLinkSP> </PicketLink>注意为了正确加密和解密断言,IDP 需要生成签名,SP 需要验证这些签名并确定签名的来源。这通过
<ValidatingAlias>元素来完成。对于受信任的每个可信服务器/域,需要有一个 <ValidatingAlias>,这是<Trust>元素中的每个条目。SPS 需要为每个包含 IDP 的服务器/域都有一个 <ValidatingAlias>。
2.9.3. 配置动态帐户 Chooser
如果一个服务提供商配置了多个身份提供程序,您可以将该服务提供商配置为提示用户选择用于验证其凭证的 IDP。要使用动态帐户选择器配置服务提供商,必须执行以下操作:
配置所有身份提供程序。
配置
WEB-INF/idpmap.properties文件。您需要创建一个
WEB-INF/idpmap.properties文件,该文件使用name=url列出所有可用身份供应商。WEB-INF/idpmap.properties示例Domain=http://localhost:8080/idp/ Domain-Alt=http://localhost:8080/idp-alt/创建帐户选择者登录页面。
要让用户选择要进行身份验证的身份提供商,您必须创建一个帐户选择者登录页面,并将其包含在您的服务提供商中。此页面应包含指向您希望允许其进行身份验证的所有身份供应商的链接。
accountChooser.html示例<html> <head>...</head> <body> <h1>Account Chooser</h1> <ul> <li><a href="?idp=Domain">Domain</a> <li><a href="?idp=Domain-Alt">Domain Alt</a> </ul> </body> </html>在 picket
link.xml 中配置IdentityURL元素。您还需要在 picket
link.xml中配置IdentityURL元素来引用帐户选择器登录页面。有关为服务提供商配置其余picketlink.xml的详情,请参考 设置 SP 部分。picket
link.xml示例<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" BindingType="REDIRECT"> <IdentityURL> <Provider Page="/accountChooser.html"/> </IdentityURL> ... </PicketLinkSP> <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1"> ... </Handlers> </PicketLink>您可以使用
Provider元素中提供的属性为动态帐户选择器配置附加选项。Expand 表 2.4. Provider Element Attributes 选项 类型 默认值 描述 页面
字符串
/accountChooser.html
用于列出不同 IDP 帐户的 HTML/Jakarta 服务器页面名称。
过期
整数
-1
Cookie 到期时间以秒为单位。默认为
-1,这意味着 Cookie 在浏览器关闭时过期。DefaultURL
字符串
默认 IDP 的 URL。
域
字符串
发送到用户的浏览器的 cookie 的域名。
类型
字符串
用于替换默认实现的 IDP 映射的完全限定实施名称。此实现必须实施
org.picketlink.identity.federation.web.config.IdentityURLConfigurationProvider。默认实施使用 SP Web 应用程序中的WEB-INF/idpmap.properties文件。重要不支持使用 picket
link-federation子系统配置动态帐户选择器。
2.9.4. 处理 AJAX 请求
在某些情况下,SP 可能需要接收对安全资源的 AJAX 请求。这会自动处理,无需任何其他配置,并且使经过身份验证的和获得授权的用户能够进行 AJAX 调用。
这可以通过检查请求中是否存在 X-Requested-With 标头来完成。AJAX 请求由 X- 值标识。此外,如果用户未经身份验证,并使用 AJAX 向 IDP 和 SP 发送请求,PicketLink 将用 Requested-With 标头中的 XMLHttp Request403 HTTP 状态代码而不是登录页面进行响应。
更新于 2024-02-09
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}