WSO2 Carbon SSO Setup

Time: 2017-04-27 14:23:33

Tags: security ssl wso2 single-sign-on wso2carbon

I am new to all of this security stuff, and I'm unable to configure SSO between WSO2 Carbon Server and our company software (CS).

I have set up WSO2 with my own keystore and truststore, which contain the client's self-signed certificate, with response signing and assertion encryption enabled.

I built an IdP metadata XML file using the WSO2 server's samlsso URL and the client certificate.

I attached the client keystore and IDPmetadata.xml to CS so that it can communicate with the WSO2 server.

When I use my login credentials to access the application, WSO2 posts to the configured callback URL, attaching the client certificate to the authentication that allowed the login, but the company software treats it as untrusted, and the two enter an infinite loop of authentication requests and responses.

Any ideas or help?

IdP metadata file:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" >
    <md:EntityDescriptor entityID="https://localhost:9443/samlsso">
        <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
                             protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
                            <!-- ServerCertificate (base64 DER) -->
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:KeyDescriptor use="encryption">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
                            <!-- ServerCertificate (base64 DER) -->
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:KeyDescriptor>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
                            <!-- ServerCertificate (base64 DER) -->
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
            <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                                 Location="https://localhost:9443/samlsso" />
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://localhost:9443/samlsso" />
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                 Location="https://localhost:9443/samlsso" />
        </md:IDPSSODescriptor>
        <md:Organization>
            <md:OrganizationName xml:lang="en">Docucom AG</md:OrganizationName>
            <md:OrganizationDisplayName xml:lang="en">Docucom AG</md:OrganizationDisplayName>
            <md:OrganizationURL xml:lang="en">http://www.docucom.ch</md:OrganizationURL>
        </md:Organization>
        <md:ContactPerson contactType="technical">
            <md:GivenName>Its</md:GivenName>
            <md:SurName>Me</md:SurName>
            <md:EmailAddress>its.me@docucom.ch</md:EmailAddress>
        </md:ContactPerson>
    </md:EntityDescriptor>
</md:EntitiesDescriptor>

CS SSO connection class:

import java.security.GeneralSecurityException;
import java.security.KeyException;

import org.pac4j.core.client.Client;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.client.SAML2ClientConfiguration;

// Builds the pac4j SAML2 client (the SP side) from the stored keystore and the IdP metadata.
private Client createSAML2Client(AuthenticationDTO authentication)
        throws ServiceBeanException, GeneralSecurityException {

    if (authentication.getKeyStore() == null) {
        throw new NullPointerException(TM.encode("Error.null.s", "App.key.store"));
    }

    AccessKeyStore keyStore = accessKeyDTOService.getAccessKeyStore(authentication.getKeyStore().getName());
    if (keyStore == null) {
        throw new KeyException(TM.encode("Error.record.s.not.found.in.s",
                authentication.getKeyStore().getName(), "App.access.keys"));
    }

    // Keystore holding the SP key pair (keystore password, private-key password) and the
    // IdP metadata; pac4j resolves these strings as resource paths.
    SAML2ClientConfiguration saml2Configuration = new SAML2ClientConfiguration(
            ":" + keyStore.getKeyFile().getAbsolutePath(),
            new String(keyStore.getKeyFilePassword()), new String(keyStore.getKeyPassword()),
            ":" + authentication.getIdpMetadataFileName());

    saml2Configuration.setServiceProviderEntityId(authentication.getEntityId());
    saml2Configuration.setWantsAssertionsSigned(authentication.getAssertionsSigned());
    // Where pac4j writes the generated SP metadata (the file the IdP side is registered with)
    saml2Configuration.setServiceProviderMetadataPath("resource:temp-sp-metadata.xml");
    // Maximum age, in seconds, accepted for the IdP's authentication instant
    saml2Configuration.setMaximumAuthenticationLifetime(authentication.getLifetime().intValue());

    SAML2Client saml2Client = new SAML2Client(saml2Configuration);
    saml2Client.setName(authentication.getDomainName());

    return saml2Client;
}
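The "untrusted" symptom above usually comes down to which certificate sits in the IdP metadata's signing KeyDescriptor: the SP verifies the signature on the SAML Response against that certificate, so it has to be the IdP's (WSO2's) own certificate, and the SP's certificate belongs in the SP metadata that WSO2 is registered with. The following is an added example, not code from the original post or from pac4j: a stand-alone check that parses IdP metadata of the shape posted above, decodes and fingerprints each certificate, and compares the signing certificate with the fingerprint the SP actually trusts (the value `keytool -list -v` prints for the truststore entry). The function names, the two DER byte strings and the generated metadata are constructed for the demo; only the `https://localhost:9443/samlsso` URL is taken from the post.

```python
"""Sanity-check SAML IdP metadata the way an SP such as pac4j consumes it.

Added example, not from the original post: decode every X509Certificate per
KeyDescriptor use, fingerprint it (SHA-256 over the DER, as keytool -list -v
prints) and compare the signing certificate with the one the SP trusts.
The certificates and metadata below are constructed stand-ins, not WSO2 output.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-ins for DER certificates (a real one is an ASN.1 SEQUENCE, tag 0x30).
IDP_CERT_DER = bytes([0x30, 0x82, 0x02, 0x10]) + bytes(range(32))
SP_CERT_DER = bytes([0x30, 0x82, 0x02, 0x10]) + bytes(reversed(range(32)))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER certificate, lowercase, no colons."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints by binding and certificate fingerprints by use.
    A KeyDescriptor without 'use' counts for both signing and encryption; certificates
    are decoded so an unreplaced placeholder or broken base64 fails loudly."""
    root = ET.fromstring(xml_text)
    ed = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find("md:EntityDescriptor", NS)
    if ed is None:
        raise ValueError("no md:EntityDescriptor found")
    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor for %s" % ed.get("entityID"))
    keys = {"signing": [], "encryption": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # PEM body may be line-wrapped
            try:
                der = base64.b64decode(b64, validate=True)
            except (ValueError, TypeError) as exc:
                raise ValueError("X509Certificate is not base64: %s" % exc)
            if not der or der[0] != 0x30:
                raise ValueError("X509Certificate is not a DER SEQUENCE")
            for use in uses:
                keys[use].append(cert_fingerprint(der))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": ed.get("entityID"), "sso": sso, "keys": keys}


def check_idp_trust(xml_text: str, trusted_signing_fp: str) -> list:
    """List the problems an SP would hit with this metadata; an empty list means OK."""
    try:
        meta = parse_idp_metadata(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return ["metadata unusable: %s" % exc]
    problems = []
    wanted = trusted_signing_fp.lower().replace(":", "")  # accept keytool's AA:BB:... form
    if not meta["keys"]["signing"]:
        problems.append("no signing certificate: SP cannot verify Response signatures")
    elif wanted not in meta["keys"]["signing"]:
        problems.append("signing certificate does not match the certificate the SP trusts; "
                        "the IdP metadata must carry the IdP's own (WSO2) certificate")
    if POST not in meta["sso"] and REDIRECT not in meta["sso"]:
        problems.append("no SAML 2.0 HTTP-POST or HTTP-Redirect SingleSignOnService")
    return problems


def sample_metadata(signing_der: bytes, ds_ns: str = NS["ds"]) -> str:
    """Constructed IdP metadata in the shape of the posted file (WSO2 default /samlsso URL)."""
    return (
        '<md:EntityDescriptor xmlns:md="%s" entityID="https://localhost:9443/samlsso">\n'
        '  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"\n'
        '      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        '    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="%s"><ds:X509Data>\n'
        '      <ds:X509Certificate>%s</ds:X509Certificate>\n'
        '    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n'
        '    <md:SingleSignOnService Binding="%s" Location="https://localhost:9443/samlsso"/>\n'
        '    <md:SingleSignOnService Binding="%s" Location="https://localhost:9443/samlsso"/>\n'
        '  </md:IDPSSODescriptor>\n</md:EntityDescriptor>\n'
    ) % (NS["md"], ds_ns, base64.b64encode(signing_der).decode(), REDIRECT, POST)


if __name__ == "__main__":
    good = sample_metadata(IDP_CERT_DER)
    print(check_idp_trust(good, cert_fingerprint(IDP_CERT_DER)))  # []
    # SP trusts its own certificate instead of the IdP's: a trust mismatch of the kind described above
    print(check_idp_trust(good, cert_fingerprint(SP_CERT_DER)))
    # Namespace debris as in the posted file (xmldsig#&quot;&gt;): no ds:* elements are found
    print(check_idp_trust(sample_metadata(IDP_CERT_DER, NS["ds"] + "&quot;&gt;"), cert_fingerprint(IDP_CERT_DER)))
    # Placeholder left in the file: not well-formed XML at all
    print(check_idp_trust(good.replace("<ds:X509Certificate>", "<ds:X509Certificate><ServerCertificate>"),
                          cert_fingerprint(IDP_CERT_DER)))
```

To use it against a real setup, export the certificate the SP trusts from its truststore (`keytool -exportcert -rfc`), compute the SHA-256 of the DER, and pass that fingerprint together with the IdP metadata file; if the check reports a mismatch, the certificate in the signing KeyDescriptor is not the one WSO2 signs with, and the SP will reject every Response. Note that the encryption KeyDescriptor in IdP metadata is for material sent to the IdP; encrypting assertions sent to the SP depends on the SP certificate that WSO2 holds, not on this file.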

0 answers:

No answers