如何在spring-security中为ADFS设置IdentedAuthenticationContext？

zsohkypk 于 2024-01-09 发布在 Spring

关注(0)|答案(2)|浏览(268)

我用this工具测试了它，我发现我需要身份验证类型：Form和令牌请求：SAML-P（SAML2.0），但我不知道如何配置spring-security在SAML请求中将AuthenticationContext发送为urn：oasis：names：tc：SAML：2.0：ac：classes：PasswordProtectedTransport而不是urn：oasis：names：tc：SAML：2.0：ac：classes：Password。
所以，与之相反的是：

*认证类型：Windows集成认证
***令牌请求：**SAML-P（SAML 2.0）
***对IdP的请求：**GET https://ospa.company.com/adfs/ls/IdpInitiatedSignOn？LoginToRP=urn：microsoft：adfs：claimsxray& claimtedAuthenticationContext =urn：oasis：names：tc：SAML：2.0：ac：classes：URL
*来自IdP的响应：

<samlp:Response ID="..."
                Version="2.0"
                IssueInstant="..."
                Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
        <AuthnStatement AuthnInstant="..." SessionIndex="...">
            <AuthnContext>
     <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

字符串
我需要这个：

*认证类型：表单
***令牌请求：**SAML-P（SAML 2.0）
***对IdP的请求：**GET https://ospa.company.com/adfs/ls/IdpInitiatedSignOn？LoginToRP=urn：microsoft：adfs：claimsxray& appliedAuthenticationContext =urn：oasis：names：tc：SAML：2.0：ac：classes：PasswordProtectedTransport
*来自IdP的响应：

<samlp:Response ID="..."
                Version="2.0"
                IssueInstant="..."
                Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
        <AuthnStatement AuthnInstant="..." SessionIndex="...">
            <AuthnContext>
     <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

型

**更新：**我们使用spring-boot 2.5.5

spring-security

来源：https://stackoverflow.com/questions/69465308/how-can-i-set-requestedauthenticationcontext-in-spring-security-for-adfs

2条答案

按热度按时间

mm5n2pyu1#

您需要的是AuthenticationEntryPoint。AuthenticationEntryPoint是您在需要身份验证时告诉Spring Security重定向到何处的方式。
由于您只需要在需要身份验证时重定向，因此可以像这样使用LoginUrlAuthenticationEntryPoint：

@Bean
SecurityFilterChain app(HttpSecurity http) throws Exception {
    String url = "https://ospa.company.com/adfs/ls/IdpInitiatedSignOn? LoginToRP=urn:microsoft:adfs:claimsxray& RequestedAuthenticationContext=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    AuthenticationEntryPoint entryPoint = 
            new LoginUrlAuthenticationEntryPoint(url);
    http
        .authorizeHttpRequests((authorize) -> authorize
            .anyRequest().authenticated()
        )
        .saml2Login(withDefaults())
        .exceptionHandling((exceptions) -> exceptions
            .authenticationEntryPoint(entryPoint)
        );
    
    return http.build();
}

字符串
还请确保使用IdP的相应元数据配置应用程序。

展开查看全部

赞(0）回复(0）举报 2024-01-09

bq3bfh9z2#

以下配置对我有效：

@Configuration
public class SamlConfiguration {
    @Bean
    Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
        RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations);
        OpenSaml4AuthenticationRequestResolver authenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(registrationResolver);
        authenticationRequestResolver.setAuthnRequestCustomizer((context) -> context.getAuthnRequest().setRequestedAuthnContext(buildRequestedAuthnContext()));
        return authenticationRequestResolver;
    }
    private RequestedAuthnContext buildRequestedAuthnContext() {
        // Create AuthnContextClassRef
        AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder();
        AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject(SAMLConstants.SAML20_NS, AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20_PREFIX);
        authnContextClassRef.setURI(AuthnContext.PPT_AUTHN_CTX);
        // Create RequestedAuthnContext
        RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
        RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);
        return requestedAuthnContext;
    }
}

字符串
它生成以下SAML请求：

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="..."
                     Destination="..."
                     ForceAuthn="false"
                     ID="..."
                     IsPassive="false"
                     IssueInstant="..."
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">...</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

型
使用Sping Boot 2.7.17进行测试，包括OpenSAML 4.0.1。

展开查看全部

赞(0）回复(0）举报 2024-01-09

我来回答

如何在spring-security中为ADFS设置IdentedAuthenticationContext？

2条答案

相关问题

热门标签

最新问答