如何在spring-security中为ADFS设置IdentedAuthenticationContext?

zsohkypk  于 11个月前  发布在  Spring
关注(0)|答案(2)|浏览(169)

我用this工具测试了它,我发现我需要身份验证类型:Form和令牌请求:SAML-P(SAML2.0),但我不知道如何配置spring-security在SAML请求中将AuthenticationContext发送为urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport而不是urn:oasis:names:tc:SAML:2.0:ac:classes:Password
所以,与之相反的是:

*认证类型:Windows集成认证
***令牌请求:**SAML-P(SAML 2.0)
***对IdP的请求:**GET https://ospa.company.com/adfs/ls/IdpInitiatedSignOn?LoginToRP=urn:microsoft:adfs:claimsxray& claimtedAuthenticationContext =urn:oasis:names:tc:SAML:2.0:ac:classes:URL
*来自IdP的响应:

<samlp:Response ID="..."
                Version="2.0"
                IssueInstant="..."
                Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
        <AuthnStatement AuthnInstant="..." SessionIndex="...">
            <AuthnContext>

     <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</AuthnContextClassRef>

            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

字符串
我需要这个:

*认证类型:表单
***令牌请求:**SAML-P(SAML 2.0)
***对IdP的请求:**GET https://ospa.company.com/adfs/ls/IdpInitiatedSignOn?LoginToRP=urn:microsoft:adfs:claimsxray& appliedAuthenticationContext =urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
*来自IdP的响应:

<samlp:Response ID="..."
                Version="2.0"
                IssueInstant="..."
                Destination="https://adfshelp.microsoft.com/ClaimsXray/TokenResponse"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
        <AuthnStatement AuthnInstant="..." SessionIndex="...">
            <AuthnContext>

     <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>

            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

**更新:**我们使用spring-boot 2.5.5

mm5n2pyu

mm5n2pyu1#

您需要的是AuthenticationEntryPointAuthenticationEntryPoint是您在需要身份验证时告诉Spring Security重定向到何处的方式。
由于您只需要在需要身份验证时重定向,因此可以像这样使用LoginUrlAuthenticationEntryPoint

@Bean
SecurityFilterChain app(HttpSecurity http) throws Exception {
    String url = "https://ospa.company.com/adfs/ls/IdpInitiatedSignOn? LoginToRP=urn:microsoft:adfs:claimsxray& RequestedAuthenticationContext=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

    AuthenticationEntryPoint entryPoint = 
            new LoginUrlAuthenticationEntryPoint(url);

    http
        .authorizeHttpRequests((authorize) -> authorize
            .anyRequest().authenticated()
        )
        .saml2Login(withDefaults())
        .exceptionHandling((exceptions) -> exceptions
            .authenticationEntryPoint(entryPoint)
        );
    
    return http.build();
}

字符串
还请确保使用IdP的相应元数据配置应用程序。

bq3bfh9z

bq3bfh9z2#

以下配置对我有效:

@Configuration
public class SamlConfiguration {

    @Bean
    Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
        RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations);
        OpenSaml4AuthenticationRequestResolver authenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(registrationResolver);
        authenticationRequestResolver.setAuthnRequestCustomizer((context) -> context.getAuthnRequest().setRequestedAuthnContext(buildRequestedAuthnContext()));
        return authenticationRequestResolver;
    }

    private RequestedAuthnContext buildRequestedAuthnContext() {
        // Create AuthnContextClassRef
        AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder();
        AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject(SAMLConstants.SAML20_NS, AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20_PREFIX);
        authnContextClassRef.setURI(AuthnContext.PPT_AUTHN_CTX);

        // Create RequestedAuthnContext
        RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
        RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
        requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);

        return requestedAuthnContext;
    }
}

字符串
它生成以下SAML请求:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="..."
                     Destination="..."
                     ForceAuthn="false"
                     ID="..."
                     IsPassive="false"
                     IssueInstant="..."
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">...</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>


使用Sping Boot 2.7.17进行测试,包括OpenSAML 4.0.1。

相关问题