附上大佬文章:
https://www.jianshu.com/p/d041935641b4
https://www.jianshu.com/p/6f61fa7be0b6
https://www.jianshu.com/p/6c72408fa480
看了大佬的文章和demo基本能搞出来一套本地可用的saml2.0。
在我开发过程中主要是我们作为IDP,做统一登录后发送给第三方SP做免登录。
主要就几个过程:
1.SP通过发送SAML AuthnRequest到IDP,来请求鉴别用户身份
2.IDP验证身份,然后通过SAML产物响应(SAML Artifact Response)发送回SP
其中几个点:
1.记得初始化SAML,否则会出现NPE
2.如果有需要POST请求,可通过简单form表单自动提交
<html>
<body>
<form method="post" action="${url}" id="myForm">
<input type="hidden" name="SAMLResponse" value="${responseValue}"/>
<input type="hidden" name="RelayState" value="${xxx}"/>
<input type="submit" value="Submit SAML2 Login Response"/></form>
</body>
</html>
<script type="text/javascript">
window.onload= function(){
document.getElementById('myForm').submit();
}
</script>
3.responseValue是response的base64加密
4.opensaml 3 默认加密算法是sha256,如果需要sha1可能需要降低到opensaml 2
5.opensaml 3 采用的是分开打包maven的方式,需要引入很多个模块,参考大佬文章,opensaml 2 是整体maven直接引入即可。例如:
<!-- opensaml start -->
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml</artifactId>
<version>2.6.4</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>1.1.7</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.1.7</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>xmltooling</artifactId>
<version>1.4.4</version>
</dependency>
<!-- opensaml end -->
6.断言可以对assertion做,也可以对整个response做签名。根据需要自选。
这个签名主要是idp端用证书私钥做签名,sp端用公钥做验签。
我采用的是pfx的方式,把文件流读入,然后获取私钥,公钥。做签名
public class CertificateUtils {
private static final Logger LOGGER = LoggerFactory.getLogger(CertificateUtils.class);
private static final String PFX_CERT_FILE_SUFFIX = ".pfx";
public static X509CertificateWrapper getCertByFile(String fileName, String pfxOpenPwd) {
if (isPfxCertFileName(fileName)) {
return getPfxCert(fileName, pfxOpenPwd);
} else {
LOGGER.error("get pfx certificate info failed");
throw new Exception(xxx);
}
}
private static boolean isPfxCertFileName(String fileName) {
return fileName.endsWith(PFX_CERT_FILE_SUFFIX);
}
private static X509CertificateWrapper getPfxCert(String fileName, String pfxOpenPwd){
Assert.hasText(pfxOpenPwd, "pfx file open pwd missing");
InputStream fileInputStream = getResourceAsStreamByFileName(fileName);
return getPfxCertificate(fileInputStream, pfxOpenPwd);
}
//fileName 相对路径 比如resource/cert/xxx.pfx fileName="cert/xxx.pfx"
private static InputStream getResourceAsStreamByFileName(String fileName) {
return Thread.currentThread().getContextClassLoader().getResourceAsStream(fileName);
}
private static char[] getFileOpenPwdChars(String fileOpenPwd) {
if (StringUtils.isBlank(fileOpenPwd) || StringUtils.isBlank(StringUtils.trim(fileOpenPwd))) {
return null;
}
return fileOpenPwd.toCharArray();
}
private static X509CertificateWrapper getPfxCertificate(InputStream inputStream, String pfxOpenPwd){
X509CertificateWrapper x509CertificateWrapper = new X509CertificateWrapper(null, null) ;
try {
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] nPassword = getFileOpenPwdChars(pfxOpenPwd);
ks.load(inputStream, nPassword);
String keyAlias = getKeyAlias(ks);
PrivateKey privateKey = (PrivateKey) ks.getKey(keyAlias, nPassword);
X509Certificate cert = (X509Certificate) ks.getCertificate(keyAlias);
String certStr = convertCertObj2certStr(cert);
x509CertificateWrapper.setX509Certificate(cert);
x509CertificateWrapper.setContent(certStr);
x509CertificateWrapper.setPrivateKey(privateKey);
} catch (KeyStoreException e) {
throw new RuntimeException("Error occurred when read the pfx file stream", e);
} catch (IOException e) {
throw new RuntimeException("Error occurred when read the pfx file stream", e);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("Error occurred when read the pfx file stream", e);
} catch (CertificateException e) {
throw new RuntimeException("Error occurred when read the pfx file stream", e);
} catch (UnrecoverableKeyException e) {
throw new RuntimeException("Error occurred when read the pfx file stream", e);
} finally {
try {
inputStream.close();
} catch (IOException e) {
throw new RuntimeException("Error occurred when read the pfx file stream", e);
}
}
return x509CertificateWrapper;
}
private static String getKeyAlias(KeyStore ks) throws KeyStoreException {
Enumeration<String> aliases = ks.aliases();
// we are read just one certificate.
if (aliases.hasMoreElements()) {
return aliases.nextElement();
}
return null;
}
public static String convertCertObj2certStr(Certificate certificate) {
if (certificate == null) {
return "";
}
try {
String certStr = Base64.getEncoder().encodeToString(certificate.getEncoded());
return certStr;
} catch (CertificateEncodingException e) {
LOGGER.error("convertCertObj2certStr error, CertificateEncodingException {}", e);
return "";
}
}
public class X509CertificateWrapper {
private X509Certificate x509Certificate;
private PrivateKey privateKey;
private String content;
public X509CertificateWrapper(X509Certificate x509Certificate, String content) {
this.content = content;
this.x509Certificate = x509Certificate;
}
public X509Certificate getX509Certificate() {
return x509Certificate;
}
public void setX509Certificate(X509Certificate x509Certificate) {
this.x509Certificate = x509Certificate;
}
public String getContent() {
return content;
}
public PrivateKey getPrivateKey() {
return privateKey;
}
public void setPrivateKey(PrivateKey privateKey) {
this.privateKey = privateKey;
}
public void setContent(String content) {
this.content = content;
}
}
demo两个:
opensaml 3.2.0
https://github.com/sunrongxin7666/OpenSAML-ref-project-demo-v3
opensaml 2.2.3
https://github.com/xiaosiyuan/saml
