2016-05-30 85 views
0

Is there a way, using Spring Security SAML, to include the claims required by the relying party (RP) in the RP's metadata?

Ideally I would like to provide a single federation metadata URL to the various IdPs that also specifies which claim types we require for the RP (i.e. email address, given name, surname, etc.). I am currently testing with ADFS as the identity provider. When adding a relying party trust using the RP metadata URL in the wizard, most of the information is pre-populated, except for the "Accepted Claims" tab.

[Image: Microsoft ADFS "Add Relying Party Trust" wizard]

I tried manually modifying the metadata XML (as specified in the docs) to include ClaimTypesRequired or ClaimTypesRequested elements inside RoleDescriptor, although I'm not sure what to add... I would also prefer to stick with the auto-generated metadata if possible.

Is my understanding of the RP metadata URL correct? Or would I be better off providing them with the URL and then telling them to add the additional claims?

Answers

0

There is no out-of-the-box support for requested claims in the automatically generated Spring SAML metadata. However, you can extend the MetadataGenerator class to export the additional data as needed.

2

Thanks to Vladimir's suggestion, I extended the MetadataGenerator class to add the AttributeConsumingService and RequestedAttribute content as follows. I'm posting it here in case it helps anyone.

import java.util.Collection;

// OpenSAML 2.x types, as used by Spring Security SAML 1.x
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.LocalizedString;
import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.ServiceDescription;
import org.opensaml.saml2.metadata.ServiceName;
import org.springframework.security.saml.metadata.MetadataGenerator;

public class MySAMLMetadataGenerator extends MetadataGenerator
{
    @Override
    protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection<String> includedNameID)
    {
        // Let Spring SAML build the standard SP descriptor, then attach our
        // AttributeConsumingService so the requested attributes appear in the metadata.
        SPSSODescriptor descriptor = super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned, wantAssertionSigned, includedNameID);
        descriptor.getAttributeConsumingServices().add(generateConsumingService());
        return descriptor;
    }

    @SuppressWarnings("unchecked")
    private AttributeConsumingService generateConsumingService()
    {
        // builderFactory is the protected OpenSAML builder factory inherited from MetadataGenerator
        SAMLObjectBuilder<AttributeConsumingService> builder = (SAMLObjectBuilder<AttributeConsumingService>) builderFactory.getBuilder(AttributeConsumingService.DEFAULT_ELEMENT_NAME);
        AttributeConsumingService service = builder.buildObject();

        // Human-readable name of the service (shown by some IdP consoles)
        SAMLObjectBuilder<ServiceName> builder2 = (SAMLObjectBuilder<ServiceName>) builderFactory.getBuilder(ServiceName.DEFAULT_ELEMENT_NAME);
        ServiceName serviceName = builder2.buildObject();
        serviceName.setName(new LocalizedString("application name", "en"));
        service.getNames().add(serviceName);

        SAMLObjectBuilder<ServiceDescription> builder3 = (SAMLObjectBuilder<ServiceDescription>) builderFactory.getBuilder(ServiceDescription.DEFAULT_ELEMENT_NAME);
        ServiceDescription serviceDescription = builder3.buildObject();
        serviceDescription.setDescription(new LocalizedString("Application description", "en"));
        service.getDescriptions().add(serviceDescription);

        // One RequestedAttribute per claim; the same builder is reused for all of them
        SAMLObjectBuilder<RequestedAttribute> builder4 = (SAMLObjectBuilder<RequestedAttribute>) builderFactory.getBuilder(RequestedAttribute.DEFAULT_ELEMENT_NAME);
        RequestedAttribute nameId = builder4.buildObject();
        nameId.setIsRequired(true);
        nameId.setFriendlyName("Name ID");
        nameId.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier");
        nameId.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(nameId);

        RequestedAttribute email = builder4.buildObject();
        email.setIsRequired(true);
        email.setFriendlyName("E-Mail Address");
        email.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
        email.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(email);

        RequestedAttribute givenName = builder4.buildObject();
        givenName.setIsRequired(true);
        givenName.setFriendlyName("Given Name");
        givenName.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
        givenName.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(givenName);

        // Surname is left optional (isRequired not set, so the attribute is omitted from the XML)
        RequestedAttribute surname = builder4.buildObject();
        //surname.setIsRequired(true);
        surname.setFriendlyName("Surname");
        surname.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname");
        surname.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
        service.getRequestAttributes().add(surname);

        // index is a required XML attribute of AttributeConsumingService
        service.setIndex(1);

        return service;
    }
}

Unfortunately, the Microsoft ADFS server doesn't seem to support these attributes for automatically setting up claims. So don't waste your time trying to get it working like I did!
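Since ADFS ignores the RequestedAttribute hints, as the answer above reports, the relying party cannot assume the IdP was configured from its metadata and should verify at login that every attribute it marked isRequired actually arrived, rather than provisioning a user with blank fields. The following Python example is added here and is not part of the original question or answers, nor Spring Security SAML code. It parses SP metadata of the shape the extended generator above produces (a constructed sample with a placeholder entityID) and compares it against a constructed, unsigned assertion; a NameID in the Subject is treated as satisfying the nameidentifier claim, which is how ADFS delivers that claim.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata and assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

NAME_ID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Constructed sample SP metadata, trimmed to the AttributeConsumingService that the
# extended MetadataGenerator emits. The entityID is a placeholder, not a real SP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">application name</md:ServiceName>
      <md:RequestedAttribute isRequired="true" FriendlyName="Name ID"
          Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute isRequired="true" FriendlyName="E-Mail Address"
          Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute isRequired="true" FriendlyName="Given Name"
          Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="Surname"
          Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion as an IdP might return it: the name identifier arrives in
# the Subject, the other claims as attributes. The signature is omitted; signature and
# condition validation is the SAML stack's job and happens before this check runs.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2016-05-30T00:00:00Z">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def requested_attributes(metadata_xml):
    """Map attribute Name -> isRequired for every RequestedAttribute in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    requested = {}
    for ra in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        # isRequired is optional in the schema and defaults to false when absent.
        requested[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
    return requested


def received_attributes(assertion_xml):
    """Map attribute Name -> list of non-empty values carried by the assertion.

    A non-empty NameID in the Subject is reported under the nameidentifier claim URI,
    because that is where ADFS places the "Name ID" claim rather than in an Attribute.
    """
    root = ET.fromstring(assertion_xml)
    received = {}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        received[NAME_ID_CLAIM] = [name_id.text.strip()]
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values = [v for v in values if v]  # an empty AttributeValue does not satisfy a claim
        if values:
            received.setdefault(attr.get("Name"), []).extend(values)
    return received


def missing_required(metadata_xml, assertion_xml):
    """Sorted names of required attributes the assertion does not carry (empty = accept)."""
    requested = requested_attributes(metadata_xml)
    received = received_attributes(assertion_xml)
    return sorted(name for name, required in requested.items() if required and name not in received)


def drop_attribute(assertion_xml, name):
    """Constructed-test helper: remove one Attribute to simulate an IdP that omits a claim."""
    root = ET.fromstring(assertion_xml)
    for stmt in root.iterfind("saml:AttributeStatement", NS):
        for attr in list(stmt.findall("saml:Attribute", NS)):
            if attr.get("Name") == name:
                stmt.remove(attr)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("missing:", missing_required(SP_METADATA, ASSERTION))
    short = drop_attribute(ASSERTION, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")
    print("missing:", missing_required(SP_METADATA, short))
```

In a Spring SAML deployment the equivalent check belongs in the SAMLUserDetailsService, which runs only after the stack has validated the assertion's signature and conditions; returning an authentication failure there when `missing_required` would be non-empty keeps the isRequired flags meaningful even though the IdP never reads them. Surname, left optional in the generator, is correctly not reported as missing.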