Методы аутентификации обработчиков входа в Shibboleth

Я использую следующие обработчики входа в файле handler.xml и не понимаю, зачем здесь столько обработчиков входа. Я знаю, что мы используем обработчик входа ExternalAuthn, но не знаю, зачем нужны остальные. Подскажите, нужно ли использовать обработчики RemoteUser и IPAddress вместе с ExternalAuthn?

Handler.xml

    <?xml version="1.0" encoding="UTF-8"?>

<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                        xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">

    <!--
        Shibboleth IdP 2.x profile-handler configuration (namespace urn:mace:shibboleth:2.0:idp:profile-handler).
        Three kinds of entries: the error handler, the profile handlers (SAML endpoints served under
        "<servletContextName>/profile/...") and, at the bottom, the login handlers that decide how a
        user gets authenticated. Review summary of the login-handler section: RemoteUser, ExternalAuthn
        and IPAddress are ACTIVE; PreviousSession exists only inside an XML comment and is therefore disabled.
    -->

    <!-- Error Handler -->
    <ph:ErrorHandler xsi:type="ph:JSPErrorHandler" jspPagePath="/error.jsp"/>

    <!-- Profile Handlers -->
    <!-- 
        All profile handlers defined below are accessed via the Servlet path "/profile" so if your profile 
        handler's request path is "/Status" then the full path is "<servletContextName>/profile/Status"
     -->
    <ph:ProfileHandler xsi:type="ph:Status">
        <ph:RequestPath>/Status</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- NOTE(review): metadataFile is an absolute, machine-specific Windows path; it must exist on every
         host this file is deployed to, otherwise the /Metadata/SAML endpoint cannot serve the IdP metadata. -->
    <ph:ProfileHandler xsi:type="ph:SAMLMetadata" metadataFile="D:/SDC-Builds/SRDM2.3.0.6904.10/SRDM/Svr/IdP/IdPserver/metadata/idp-metadata.xml">
        <ph:RequestPath>/Metadata/SAML</ph:RequestPath>
    </ph:ProfileHandler>    

    <!-- SAML 1 profiles: Shibboleth 1.x SSO, SOAP attribute query and SOAP artifact resolution. -->
    <ph:ProfileHandler xsi:type="ph:ShibbolethSSO" inboundBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:profiles:browser-post
                                                   urn:oasis:names:tc:SAML:1.0:profiles:artifact-01">
        <ph:RequestPath>/Shibboleth/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML1AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
        <ph:RequestPath>/SAML1/SOAP/AttributeQuery</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML1ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
        <ph:RequestPath>/SAML1/SOAP/ArtifactResolution</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- SAML 2 SSO: one handler per inbound binding (POST, POST-SimpleSign, Redirect, unsolicited/IdP-initiated);
         all of them may answer over POST-SimpleSign, POST or Artifact. -->
    <!-- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign -->
    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST-SimpleSign/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/Redirect/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- Unsolicited (IdP-initiated) SSO: there is no signed AuthnRequest to check here, so the
         target service provider comes from request parameters — presumably restricted by the SP
         metadata the IdP trusts; confirm whether this endpoint is actually needed. -->
    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/Unsolicited/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- SAML 2 ECP (SOAP-based SSO for non-browser clients). -->
    <ph:ProfileHandler xsi:type="ph:SAML2ECP" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/ECP</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- SAML 2 single logout: one handler per inbound binding (Redirect, POST, POST-SimpleSign, SOAP)
         plus the local-only /Logout endpoint. -->
    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/Redirect/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST-SimpleSign/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- Local logout only (no outbound binding is configured, so no logout request is propagated to SPs). -->
    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:mace:shibboleth:2.0:profiles:LocalLogout">
        <ph:RequestPath>/Logout</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- SAML 2 back-channel (SOAP) attribute query and artifact resolution. -->
    <ph:ProfileHandler xsi:type="ph:SAML2AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/AttributeQuery</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/ArtifactResolution</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- Login Handlers -->
    <!--
        NOTE(review): three login handlers in this section are active (not commented out):
        RemoteUser, ExternalAuthn and IPAddress. Every active handler is a way for the IdP to
        accept a user as authenticated, so each one widens the authentication surface; keep only
        the handlers that are actually needed and that the deployment can back up.
    -->
    <!-- Active. Asserts the "unspecified" authentication context class. The comment below says this
         handler and ExternalAuthn are to be merged, i.e. they overlap; if ExternalAuthn is the one in
         use, confirm that RemoteUser is still required. -->
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>

    <!-- Login handler that delegates the act of authentication to an external system. -->
    <!-- This login handler and the RemoteUser login handler will be merged in the next major release. -->
    <!-- Commented-out template of the ExternalAuthn handler (kept from the stock file); the live one follows. -->
    <!--
    <ph:LoginHandler xsi:type="ph:ExternalAuthn">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
        <ph:QueryParam name="foo" value="bar" />
    </ph:LoginHandler>
    -->
    <!-- Active. Hands authentication to whatever protects externalAuthnPath (/external/login).
         The AuthenticationMethod declared here (PasswordProtectedTransport) is what relying parties
         are told, so the external system must really perform password-over-TLS authentication for
         that claim to be truthful. supportsForcedAuthentication="true" presumably lets ForceAuthn
         requests reach this handler — confirm the external system honours them. -->
   <ph:LoginHandler xsi:type="ph:ExternalAuthn"
                 externalAuthnPath="/external/login"
                 supportsForcedAuthentication="true" >
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

    <!-- Active. NOTE(review): this handler presumably treats any request whose client address matches an
         IPEntry as authenticated under the fixed principal "ip-user" (method InternetProtocol), with no
         credential presented, which sidesteps the external login for those addresses; defaultDeny="true"
         only restricts it to the listed entries. "127.0.0.1/16" has host bits set for a /16 prefix —
         presumably 127.0.0.0/16 was intended; confirm the intended range and whether this handler is
         needed at all. -->
   <ph:LoginHandler xsi:type="ph:IPAddress" username="ip-user" defaultDeny="true">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</ph:AuthenticationMethod>
    <ph:IPEntry>127.0.0.1/16</ph:IPEntry>
</ph:LoginHandler>
    <!-- Commented-out duplicate of the active IPAddress handler above; it can be dropped. -->
    <!-- 
    <ph:LoginHandler xsi:type="ph:IPAddress" username="ip-user" defaultDeny="true">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</ph:AuthenticationMethod>
    <ph:IPEntry>127.0.0.1/16</ph:IPEntry>
</ph:LoginHandler>  -->
    <!-- NOTE(review): the whole block below, including both PreviousSession handlers, is inside one XML
         comment and therefore disabled. Per the comment text itself, that turns SSO off and makes the
         user authenticate on every request. If SSO is wanted, uncomment exactly one copy. -->
    <!-- 
        Removal of this login handler will disable SSO support, that is it will require the user to authenticate 
        on every request.
         <ph:LoginHandler xsi:type="ph:PreviousSession">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
    </ph:LoginHandler>

     <ph:LoginHandler xsi:type="ph:PreviousSession">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
    </ph:LoginHandler>
   -->

</ph:ProfileHandlerGroup>

1 ответ

Обработчик входа ExternalAuthn предназначен для «аутентификации контейнером» — обычно это какая-либо форма базовой аутентификации средствами Apache, которая защищает путь /external/login и заполняет переменную REMOTE_USER, которую затем читает IdP. Единственный другой механизм аутентификации, который вам, вероятно, важен, — это PreviousSession: именно он фактически обеспечивает SSO.

К слову, в свежей копии файла конфигурации IdP большинство этих обработчиков по умолчанию заключены в большой XML-комментарий. Возможно, вы не заметили, что они на самом деле уже отключены?
