2011-08-31
2

I want to protect my webapps (running on Tomcat 5.5) with ADFS SSO. The webapps are reached from outside through Apache2 and its rewrite module. How do I secure the Tomcat web applications with ADFS 2.0 and SAML/SSO?

There are several steps to get it working (in no particular order):

a. ADFS - ADDS
b. Shibboleth - ADFS
c. Apache2 - Shibboleth
d. XXXXX - Tomcat

Every tutorial is either unclear, full of errors, or out of date, so I have problems with all of the above steps. ADFS and ADDS are running on Windows Server 2008 R2; Shibboleth, Apache2 and Tomcat are running on CentOS 5.5.

Please advise how to connect all of the above technologies.

Here is the Shibboleth configuration that works for me:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" 
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" 
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"  
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    clockSkew="180"> 

    <!-- 
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache 
    are used. See example-shibboleth2.xml for samples of explicitly configuring them. 
    --> 
    <!-- 
    To customize behavior for specific resources on Apache, and to link vhosts or 
    resources to ApplicationOverride settings below, use web server options/commands. 
    See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help. 

    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml 
    file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic. 
    --> 

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> 
    <ApplicationDefaults entityID="https://centos.my.domain.com/" 
         REMOTE_USER="eppn persistent-id targeted-id" encryption="true" signing="true"> 

     <!-- 
     Controls session lifetimes, address checks, cookie handling, and the protocol handlers. 
     You MUST supply an effectively unique handlerURL value for each of your applications. 
     The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing 
     a relative value based on the virtual host. Using handlerSSL="true", the default, will force 
     the protocol to be https. You should also add a cookieProps setting of "; path=/; secure" 
     in that case. Note that while we default checkAddress to "false", this has a negative 
     impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled. 
     --> 
     <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false"> 

      <!-- 
      Configures SSO for a default IdP. To allow for >1 IdP, remove 
      entityID property and adjust discoveryURL to point to discovery service. 
      (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.) 
      You can also override entityID on /Login query string, or in RequestMap/htaccess. 
      --> 
      <SSO entityID="http://WinServer2008.my.domain.com/adfs/services/trust" 
       discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> 
       SAML2 SAML1 
      </SSO> 

      <!-- SAML and local-only logout. --> 
      <Logout>SAML2 Local</Logout> 

      <!-- Extension service that generates "approximate" metadata based on SP configuration. --> 
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> 

      <!-- Status reporting service. --> 
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/> 

      <!-- Session diagnostic service. --> 
      <Handler type="Session" Location="/Session" showAttributeValues="false"/> 

      <!-- JSON feed of discovery information. --> 
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> 
     </Sessions> 

     <!-- 
     Allows overriding of error template information/filenames. You can 
     also add attributes with values that can be plugged into the templates. 
     --> 
     <Errors supportContact="[email protected]" 
      logoLocation="/shibboleth-sp/logo.jpg" 
      styleSheet="/shibboleth-sp/main.css"/> 

     <!-- Example of remotely supplied batch of signed metadata. --> 
<!-- 
     <MetadataProvider type="XML" uri="https://WinServer2008.my.domain.com/FederationMetadata/2007-06/FederationMetadata.xml" 
       backingFilePath="federation-metadata.xml" reloadInterval="7200"> 
      <MetadataFilter type="Signature" certificate="/etc/shibboleth/WinServer2008.my.domain.com.cer"/> 
     </MetadataProvider> 
--> 

     <!-- Example of locally maintained metadata. --> 
     <MetadataProvider type="XML" file="metadata.xml"/> 

     <!-- Map to extract attributes from SAML assertions. --> 
     <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/> 

     <!-- Use a SAML query if no attributes are supplied during SSO. --> 
     <AttributeResolver type="Query" subjectMatch="true"/> 

     <!-- Default filtering policy for recognized attributes, lets other data pass. --> 
     <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> 

     <!-- Simple file-based resolver for using a single keypair. --> 
     <CredentialResolver type="File" key="/etc/pki/tls/private/ca.key" certificate="/etc/pki/tls/certs/ca.crt" password="PASSWORD"/> 

     <!-- 
     The default settings can be overridden by creating ApplicationOverride elements (see 
     the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic). 
     Resource requests are mapped by web server commands, or the RequestMapper, to an 
     applicationId setting. 

     Example of a second application (for a second vhost) that has a different entityID. 
     Resources on the vhost would map to an applicationId of "admin": 
     --> 
     <!-- 
     <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> 
     --> 
    </ApplicationDefaults> 

    <!-- Policies that determine how to process and authenticate runtime messages. --> 
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> 

    <!-- Low-level configuration about protocols and bindings available for use. --> 
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> 

</SPConfig> 

Here is the Apache configuration:

# 
# Load the Shibboleth module. 
# 
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so 

# 
# Used for example logo and style sheet in error templates. 
# 
<IfModule mod_alias.c> 
    <Location /shibboleth-sp> 
    Allow from all 
    </Location> 
    Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth-2.4.3/main.css 
    Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth-2.4.3/logo.jpg 
</IfModule> 

# 
# Configure the module for content. 
# 
# You MUST enable AuthType shibboleth for the module to process 
# any requests, and there MUST be a require command as well. To 
# enable Shibboleth but not specify any session/access requirements 
# use "require shibboleth". 
# 
<Location /> 
    AuthType shibboleth 
    ShibRequestSetting requireSession 1 
    require valid-user 
    ShibUseHeaders On 
</Location> 

<Location /Shibboleth.sso> 
     Satisfy Any 
</Location> 
<VirtualHost *:443> 

    ServerName centos.my.domain.com 
    ServerAlias www.centos.my.domain.com 
    ServerAlias www.centos.ad.xml-intl.com 
    ServerAlias centos.ad.xml-intl.com 
    SSLEngine on 
    SSLCertificateFile /etc/pki/tls/certs/ca.crt 
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key 

    # mod_rewrite has to be enabled inside the virtual host; it is not
    # inherited from the main server configuration. The rule below sends
    # every alias to the canonical host name, which is also the SP entityID
    # and the host the ADFS endpoint URL points at.
    RewriteEngine On
    RewriteCond %{SERVER_NAME} !centos.my.domain.com 
    RewriteRule ^/(.*) https://centos.my.domain.com/$1 [R] 
</VirtualHost> 

I also added a Relying Party Trust in ADFS 2.0 with these properties:

Relying party identifiers = https://centos.my.domain.com/ 
Display name = Centos 
Encryption certificate = this is the ca.crt file mentioned in configs above 
Secure hash algorithm = SHA-1 

I also added a SAML Assertion Consumer Endpoint with:

Binding = POST 
Index = 1 
URL = https://centos.my.domain.com/Shibboleth.sso/SAML2/POST 

I am not sure whether I have missed something.

Now I have a new problem. The browser knows that I am logged in, but I need to know who is logged in on the web-app side (there are attributes, e.g. HTTP_EMAIL, but all of them are empty).
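For the empty-attribute symptom, the first thing worth checking is the mapping between the claim types ADFS issues and the Shibboleth attribute ids that end up as headers: the stock attribute-map.xml only knows eduPerson and LDAP attribute names, so an ADFS assertion full of claims is silently dropped. The attribute-map.xml below is an added example written for this answer, not something from the original post or the Shibboleth distribution. It assumes the Relying Party Trust has issuance transform rules of the "Send LDAP Attributes as Claims" kind that emit the standard ADFS 2.0 claim types listed; the claim URIs are the ADFS defaults, the ids on the right are my choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /etc/shibboleth/attribute-map.xml (added example, not from the original post).
     Maps the claim types ADFS 2.0 issues via "Send LDAP Attributes as Claims"
     rules to Shibboleth attribute ids. The id becomes the name of the
     environment variable or request header the web application sees, so
     id="email" is what appears as HTTP_EMAIL / request.getHeader("email").
     Entries without nameFormat match ADFS's "unspecified" NameFormat. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Identity. The UPN is the stable, unique value; list "upn" in the
         REMOTE_USER attribute of ApplicationDefaults to make it REMOTE_USER. -->
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
               id="upn"/>

    <!-- E-mail address (AD "E-Mail-Addresses" LDAP attribute). -->
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
               id="email"/>

    <!-- Display name and name parts. -->
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
               id="displayName"/>
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
               id="givenName"/>
    <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
               id="sn"/>

    <!-- Group membership (AD "Token-Groups" sent as the role claim). This is
         multi-valued; the SP joins the values with ";" in the header. -->
    <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
               id="role"/>

</Attributes>
```

Two checks when the values still come through empty. First, confirm that ADFS really issues those claims for this Relying Party: the assertion is visible in shibd.log at DEBUG level, and /Shibboleth.sso/Session lists the attributes the SP accepted (set showAttributeValues="true" on the Session handler while debugging, and turn it back off afterwards). If the NameFormat in the assertion is anything other than the URI or "unspecified" format, add a matching nameFormat attribute to each entry. Second, REMOTE_USER in shibboleth2.xml must name an id ADFS actually sends; the stock "eppn persistent-id targeted-id" are Shibboleth IdP attributes that ADFS does not issue by default, so REMOTE_USER stays empty until you list "upn" (or "email") there. On the trust boundary: with ShibUseHeaders On mod_shib strips the headers it manages from incoming requests for the content it protects, so they cannot be forged through Apache, but anyone who can reach Tomcat's HTTP or AJP connector directly can supply their own email header. Bind the connector to 127.0.0.1 (address="127.0.0.1" on the Connector element), or prefer ShibUseEnvironment with mod_jk, where JkEnvVar forwards each variable as a request attribute instead of a spoofable header.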

Answers

1

Have you seen the Shibboleth - ADFS step-by-step guide here?

-4

Well, I finally did it. Unfortunately the MS website was no help. I found the solution after checking every possible combination.

+3

anakkin, since you have already figured it out, could you post the solution here to help others with the same trouble? – Stewbob

+0

Yes... that would be nice. I am having trouble just getting the Shibboleth SP to work properly. – compcentral