How do I add an IdP to an OpenAM federation via the CREST API?

Time: 2017-03-28 10:49:12

Tags: saml-2.0 openam federation

I know there are REST APIs for OpenAM for certain functions such as self-service, authentication and so on. However, I cannot find a suitable API for adding a remote identity provider and the like.

For some reason I am either missing something, or there is no such REST API for OpenAM. The reason could be that they have not planned it, or that the current version does not have it yet.

Is there any way to register a SAML IdP in OpenAM without using the OpenAM admin console or the ssoadm command?

Pointers to the right code components would also be much appreciated.

1 answer:

Answer 0 (score: 1)

In Access Manager 5 (OpenAM 14) you can manage SAML entities with the REST API. To create a new hosted SAMLv2 IdP you need the following:

curl -X POST \
  'http://idp.example.com:8080/openam/json/realm-config/federation/entityproviders/saml2?_action=create' \
  -H 'content-type: application/json' \
  -H 'iplanetdirectorypro: <ADMIN_SESSION_ID>' \
  -d '{
      "_id": "http://idp.example.com:8080/openam",
      "metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<EntityDescriptor entityID=\"http://idp.example.com:8080/openam\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n    <IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n        <KeyDescriptor use=\"signing\">\n            <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n                <ds:X509Data>\n                    <ds:X509Certificate>MIIDaDCCAlCgAwIBAgIDcB/YMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDAeFw0xNjAzMTgxMTU2MjhaFw0yNjAzMTYxMTU2MjhaMGUxCzAJBgNVBAYTAlVLMRAwDgYDVQQIEwdCcmlzdG9sMRAwDgYDVQQHEwdCcmlzdG9sMRIwEAYDVQQKEwlGb3JnZVJvY2sxDzANBgNVBAsTBk9wZW5BTTENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNbl89eP6B8kZATNSPe3+OZ3esLx31hjX+dakHtPwXCAaCKqJFwjwKdxyRuPdsVG+8Dbk3PGhk26aJrSE93EpxeqmQqxNPMeD+N0/8pjkuVYWwPIQ/ts2iTiWOVn7wzlE4ASfvupqOR5pjuYMWNo/pd4L7QNjUCKoAt9H11HMyiP+6roo/EYgX4AH7OAhfUMncYsopWhkW/ze9z8wTXc8BAEgDmt8zFCez1CtqJB/MlSBUGDgk8oHYDsHKmx05baBaOBQ8LRGP5SULSbRtu34eLFootBIn0FvUZSnwTiSpbaHHRgWrMOVm07oSLWBuO3h/bj38zBuuqqVsAK8YuyoECAwEAAaMhMB8wHQYDVR0OBBYEFHxfAbr6PQ5Xgc+jVx+AGTPnnpWZMA0GCSqGSIb3DQEBCwUAA4IBAQAZBMJ29/2idv1ztC6ArHtB4kw/nHHwthXFwtWAN7sRPB8tLW7fD8aJ43RQr5107Bg1Lgkmt+FZxpafqUC/mukjIzGzbW0COMSOTcWUGss+HxK6M6Fl9aOzKJMct1uOSpPFgjItcGqydGZXR2FH93vXWoAotUwtZ119IixIdxpOJwYJg0HFn+GEfpU1PmiLfq2/uwqJ0hGCNfNcm9puagzhQrcDFOnolxjnYPSfSkU5wxlGo99yE5eJwoHXXU7csaZVttmx7sPj1lUENogXUM6JMqzSyEIm1XCOCL8rZJkZ781W5CwZhuJTNzV31sBREs8FaaCeksu7Y48BmkUqw6E9</ds:X509Certificate>\n                </ds:X509Data>\n            </ds:KeyInfo>\n        </KeyDescriptor>\n        <ArtifactResolutionService index=\"0\" isDefault=\"true\" Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/ArtifactResolver/metaAlias/idp\"/>\n        <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://idp.example.com:8080/openam/IDPSloRedirect/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPSloRedirect/metaAlias/idp\"/>\n        <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://idp.example.com:8080/openam/IDPSloPOST/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPSloPOST/metaAlias/idp\"/>\n        <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/IDPSloSoap/metaAlias/idp\"/>\n        <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://idp.example.com:8080/openam/IDPMniRedirect/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPMniRedirect/metaAlias/idp\"/>\n        <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://idp.example.com:8080/openam/IDPMniPOST/metaAlias/idp\" ResponseLocation=\"http://idp.example.com:8080/openam/IDPMniPOST/metaAlias/idp\"/>\n        <ManageNameIDService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/IDPMniSoap/metaAlias/idp\"/>\n        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>\n        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>\n        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>\n        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>\n        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>\n        <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://idp.example.com:8080/openam/SSORedirect/metaAlias/idp\"/>\n        <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://idp.example.com:8080/openam/SSOPOST/metaAlias/idp\"/>\n        <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/SSOSoap/metaAlias/idp\"/>\n        <NameIDMappingService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/NIMSoap/metaAlias/idp\"/>\n        <AssertionIDRequestService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"http://idp.example.com:8080/openam/AIDReqSoap/IDPRole/metaAlias/idp\"/>\n        <AssertionIDRequestService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:URI\" Location=\"http://idp.example.com:8080/openam/AIDReqUri/IDPRole/metaAlias/idp\"/>\n    </IDPSSODescriptor>\n</EntityDescriptor>\n\n",
      "entityConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<EntityConfig entityID=\"http://idp.example.com:8080/openam\" hosted=\"true\" xmlns=\"urn:sun:fm:SAML:2.0:entityconfig\">\n    <IDPSSOConfig metaAlias=\"/idp\">\n        <Attribute name=\"description\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"signingCertAlias\">\n            <Value>test</Value>\n        </Attribute>\n        <Attribute name=\"encryptionCertAlias\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"basicAuthOn\">\n            <Value>false</Value>\n        </Attribute>\n        <Attribute name=\"basicAuthUser\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"basicAuthPassword\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"autofedEnabled\">\n            <Value>false</Value>\n        </Attribute>\n        <Attribute name=\"autofedAttribute\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"assertionEffectiveTime\">\n            <Value>600</Value>\n        </Attribute>\n        <Attribute name=\"idpAuthncontextMapper\">\n            <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>\n        </Attribute>\n        <Attribute name=\"idpAuthncontextClassrefMapping\">\n            <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>\n        </Attribute>\n        <Attribute name=\"idpAccountMapper\">\n            <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>\n        </Attribute>\n        <Attribute name=\"idpDisableNameIDPersistence\">\n            <Value>false</Value>\n        </Attribute>\n        <Attribute name=\"idpAttributeMapper\">\n            <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>\n        </Attribute>\n        <Attribute name=\"assertionIDRequestMapper\">\n            <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>\n        </Attribute>\n        <Attribute name=\"nameIDFormatMap\">\n            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>\n            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>\n            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>\n            <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>\n            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>\n        </Attribute>\n        <Attribute name=\"idpECPSessionMapper\">\n            <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>\n        </Attribute>\n        <Attribute name=\"attributeMap\"/>\n        <Attribute name=\"wantNameIDEncrypted\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"wantArtifactResolveSigned\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"wantLogoutRequestSigned\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"wantLogoutResponseSigned\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"wantMNIRequestSigned\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"wantMNIResponseSigned\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"cotlist\">\n            <Value>test</Value>\n        </Attribute>\n        <Attribute name=\"discoveryBootstrappingEnabled\">\n            <Value>false</Value>\n        </Attribute>\n        <Attribute name=\"assertionCacheEnabled\">\n            <Value>false</Value>\n        </Attribute>\n        <Attribute name=\"assertionNotBeforeTimeSkew\">\n            <Value>600</Value>\n        </Attribute>\n        <Attribute name=\"saeAppSecretList\"/>\n        <Attribute name=\"saeIDPUrl\">\n            <Value>http://idp.example.com:8080/openam/idpsaehandler/metaAlias/idp</Value>\n        </Attribute>\n        <Attribute name=\"AuthUrl\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"appLogoutUrl\">\n            <Value/>\n        </Attribute>\n        <Attribute name=\"idpSessionSyncEnabled\">\n            <Value>false</Value>\n        </Attribute>\n        <Attribute name=\"relayStateUrlList\"/>\n    </IDPSSOConfig>\n</EntityConfig>\n\n",
      "_type": {
        "_id": "saml2",
        "name": "Entity Descriptor ",
        "collection": true
      }
    }'
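The curl call above embeds two XML documents as JSON strings, which is easy to get subtly wrong: the `_id`, the metadata `entityID` and the entityConfig `entityID` all have to agree, the IdP descriptor needs a signing certificate, and an admin session token goes into the `iplanetDirectoryPro` header. The script below is an added example (not the answerer's code and not part of OpenAM itself) that checks those points before building the same POST request with the standard library. The sample metadata and entityConfig it embeds are constructed and minimal, the certificate body is a placeholder, and `OPENAM_ADMIN_TOKEN` is an assumed environment variable name; the request is built but not sent, so the script runs offline.

```python
import json
import os
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CFG_NS = "urn:sun:fm:SAML:2.0:entityconfig"

# Constructed, minimal sample documents for the hypothetical IdP used on this page.
# The certificate body is a placeholder, not a real key.
SAMPLE_ENTITY_ID = "http://idp.example.com:8080/openam"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="{SAMPLE_ENTITY_ID}" xmlns="{MD_NS}">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{SAMPLE_ENTITY_ID}/SSOPOST/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
SAMPLE_ENTITY_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityConfig entityID="{SAMPLE_ENTITY_ID}" hosted="true" xmlns="{CFG_NS}">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
    <Attribute name="cotlist"><Value>test</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""


def validate_entity_provider(entity_id, metadata_xml, entity_config_xml):
    """Return (errors, warnings). Any error means the payload should not be sent."""
    errors, warnings = [], []
    md = ET.fromstring(metadata_xml.encode("utf-8"))
    if md.tag != f"{{{MD_NS}}}EntityDescriptor":
        errors.append("metadata root must be md:EntityDescriptor")
        return errors, warnings
    if md.get("entityID") != entity_id:
        errors.append("metadata entityID does not match _id")
    idp = md.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        errors.append("metadata has no IDPSSODescriptor")
    else:
        # A KeyDescriptor without a "use" attribute covers both signing and encryption.
        certs = [
            c.text.strip()
            for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor")
            if kd.get("use") in (None, "signing")
            for c in kd.iter(f"{{{DS_NS}}}X509Certificate")
            if c.text and c.text.strip()
        ]
        if not certs:
            errors.append("IDPSSODescriptor has no signing certificate")
        if not idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
            errors.append("IDPSSODescriptor has no SingleSignOnService")
        # Plain-HTTP endpoints are a warning: assertions would travel unprotected.
        for svc in idp:
            loc = svc.get("Location")
            if loc and not loc.startswith("https://"):
                local_name = svc.tag.rpartition("}")[2]
                warnings.append(f"{local_name} endpoint is not HTTPS: {loc}")
    cfg = ET.fromstring(entity_config_xml.encode("utf-8"))
    if cfg.tag != f"{{{CFG_NS}}}EntityConfig":
        errors.append("entityConfig root must be EntityConfig")
    elif cfg.get("entityID") != entity_id:
        errors.append("entityConfig entityID does not match _id")
    return errors, warnings


def build_create_request(base_url, entity_id, metadata_xml, entity_config_xml, session_token):
    """Build (but do not send) the POST shown in the answer above."""
    errors, _ = validate_entity_provider(entity_id, metadata_xml, entity_config_xml)
    if errors:
        raise ValueError("; ".join(errors))
    url = base_url.rstrip("/") + "/json/realm-config/federation/entityproviders/saml2?_action=create"
    body = {
        "_id": entity_id,
        "metadata": metadata_xml,
        "entityConfig": entity_config_xml,
        "_type": {"_id": "saml2", "name": "Entity Descriptor ", "collection": True},
    }
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "iplanetDirectoryPro": session_token},
        method="POST",
    )


if __name__ == "__main__":
    # Assumed variable name; the token is never hard-coded into the script.
    token = os.environ.get("OPENAM_ADMIN_TOKEN", "<ADMIN_SESSION_ID>")
    _, warnings = validate_entity_provider(SAMPLE_ENTITY_ID, SAMPLE_METADATA, SAMPLE_ENTITY_CONFIG)
    for w in warnings:
        print("warning:", w)
    req = build_create_request(SAMPLE_ENTITY_ID, SAMPLE_ENTITY_ID, SAMPLE_METADATA,
                               SAMPLE_ENTITY_CONFIG, token)
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would send it; omitted so the script runs offline.
```

Run it as-is to see the single warning the sample produces (the SSO endpoint is plain HTTP, exactly as in the answer's example), then point it at real metadata exported from your IdP. Keeping the session token in an environment variable rather than in the command line also keeps it out of shell history and process listings.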