最近在落地cat(java开发的一款开源监控系统)接入公司的内部项目,其中有项需求是接入公司的sso单点登录系统。研究了公司之前java项目接入sso系统,大部分是采用spring框架,然后依赖spring-boot-security-saml包进行操作;那么非spring框架的纯java项目如何接入呢,我们可以利用OneLogin's SAML JAVA这个Toolkit来实现(github地址:https://github.com/onelogin/java-saml)
SAML协议简介
实现sso单点登录有多种方式,例如开源项目CAS,以及身份认证授权协议Oauth、openID、SAML等;相较而言,SAML协议应用更加广泛,功能也更加强大,支持认证、权限控制、用户属性(关于SAML协议可参考:https://www.cnblogs.com/shuidao/p/3463947.html)简言之,SAML协议的核心是: IDP(身份鉴别服务器)和SP(服务提供者)通过用户的浏览器的重定向访问来实现交换数据。
OneLogin's SAML JAVA Toolkit介绍
详细内容可参见上文的github地址。里面主要包含三个部分:core(包含主要的处理AuthNRequest, SAMLResponse, LogoutRequest等内容的核心方法)、toolkit(主要针对http请求对core的方法进行了一些封装)、samples(简单的例子)。
可以本地先用samples连接onelogin网站看看(需注册),看是否正常运行:https://developers.onelogin.com/saml/java
Java项目引入toolkit接入sso
1、引入pom依赖
<dependency>
<groupId>com.onelogin</groupId>
<artifactId>java-saml</artifactId>
<version>2.2.0</version>
</dependency>
2. onelogin.saml.properties配置。
SAML JAVA Toolkit已经封装的相对比较完善,所以关键点在于我们对自己的Java项目进行正确的配置就可以接入啦:
实际项目配置的onelogin.saml.properties如下:注解项除外保持默认值即可
# If 'strict' is True, then the Java Toolkit will reject unsigned
# or unencrypted messages if it expects them signed or encrypted
# Also will reject the messages if not strictly follow the SAML
onelogin.saml2.strict = false
# Enable debug mode (to print errors)
onelogin.saml2.debug = false
# Service Provider Data that we are deploying
#
# Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = https://cat-dev.###.com/cat/jsp/sso/metadata.jsp
# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
onelogin.saml2.sp.assertion_consumer_service.url = https://cat-dev.###.com/cat/r
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url =
# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters
# test-----------------------------------------------------------
#此处的x509证书和下面的privatekey自己生成好以后,填入即可
onelogin.saml2.sp.x509cert = -----BEGIN CERTIFICATE-----\nMIICpDCCAYwCCQCaHqptRwiRkDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTgwNjEzMDYwNjE4WhcNMjgwNjEwMDYwNjE4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChL1RZp0wr7OgaAUk/n4woZgIv0i3ub7nLwgulK6TFYUUo66gKy/Pvpafwn4UklW0xv0Yfr2inyMjbTvmVAtUKWloPrEwvCw1N4w1Fo9KiPUkUt9mrAkiBgp7tbXE34wDT2qJZpx+3ne70nfIJcY3GUYx/FksKvo6s9yJ+GW4nZkMZEkAHD3AZwIF0OZwRicezbSsPOukE6Poc9q7bwoAjDrW8Ab3ll7U4F14ErKU/eesZ5lmTOKaEwZRkuq/1XwVQdFHySdUQuxdDsSNKbVOVBGL6r6ZAcyxX8KBunU6A3E55UWA2I4mg+rFRAEuXm6BAUOdkkS8yPyMkf+IeoIA7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFR7Zmoug2EBjRtgF8GjpNAg94rZEBB6vWkNJPsFE6Bc9v7jOULNUuJUF+jvVntSrvs024ONHbAqD/2j/uKpO6Np7LUDEy/lY6t3IpZAmymrWjoVnm1/VZYm2VRZmOSlrkIuZLwu3LWwd39zxL4mDLbZTTQHz3SdiZP6MGIUgZy5NERCmJnLwPrrgHu0JJqZtXiwqAQUlyT1cZXwiOulwQd/3TDwxPPY/zTbclZw3u9WskLgjO0M0mKlg20rZxLpiTSUBDHMGsETKW5k6Q2fwwRreKROUG0zL62Jlj4DIIvW6vDNL8NQSnhohLOfXQMaSZeiH1XUuxC1ZR4fq+yCl7o=\n-----END CERTIFICATE-----
# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
# test-----------------------------------------------------------
onelogin.saml2.sp.privatekey = -----BEGIN PRIVATE KEY-----\nMIIEowIBAAKCAQEAoS9UWadMK+zoGgFJP5+MKGYCL9It7m+5y8ILpSukxWFFKOuoCsvz76Wn8J+FJJVtMb9GH69op8jI2075lQLVClpaD6xMLwsNTeMNRaPSoj1JFLfZqwJIgYKe7W1xN+MA09qiWacft53u9J3yCXGNxlGMfxZLCr6OrPcifhluJ2ZDGRJABw9wGcCBdDmcEYnHs20rDzrpBOj6HPau28KAIw61vAG95Ze1OBdeBKylP3nrGeZZkzimhMGUZLqv9V8FUHRR8knVELsXQ7EjSm1TlQRi+q+mQHMsV/Cgbp1OgNxOeVFgNiOJoPqxUQBLl5ugQFDnZJEvMj8jJH/iHqCAOwIDAQABAoIBADXOK9UlsJq1IaGUrlPruYi+zJoUCjse1qG669I+KGmvF7waNmUsQgjMfqwnQ/W7X9EMbackEcZ4kvwKd+wTHvSuxoOW23OUt+M5GPQXRLfdx2iAGswoHfYFmXHeZ73lLCCMSketLzxHHz5O/z3BxzbdgA3objJu/AenE7+OU6QYykjCn1zMi5yuYLPV8NytZCga4iGw8XS+H5KBfno4OQYPjyow+Q4itSlOJXdc6KFcbqzZXb5tZ+Q82J8qRUjQBgAqyQgOXTfDj/1IdwEn0yHlnjcT9tr+dNPAgeu8cknd9zcxl6xvYE1eYg620X0q5H3q0JJ2k+LRtxI6+Hr3BYkCgYEAzj/N1k53QfcOyCXq8afIGrFw51zeo3rv32AfkKSn6feN2Gy+9I3n9iOK2KTzemAjA3WbEboKK7l1rjUbU+3Svr3b7X1AnonyfBq2yvKWB4TVWkIWlpCy5pLRduY8OiJRtg0SJT8DPJMxESnkyZkqtZJL8LmT8Dw/eYVVY3ZakXcCgYEAyBC8G+8yMb+sgBfl7TAfTcLXk5n8F8nkpWKAcW4VFXtodrAXcLBClrJ+/BUkt/sqZA1IMjbUR094owGEyopJ1cnghRhmZx9dpJfwzgVPb53TOHTLrxm4A18jARaoLekfZ/PBhQOQiTE8akbPHbuwixcQEBS5jwgYJN2YM9A9mF0CgYBciUv1ByeCtTIworKS0dB6CXq6k3RgrNvKwPnoj7e2xZcir0fNuY2FZdT59qg3E8Mh3jZA8dN2YrNmAfXM5jtT0SNHnpbLiuD8xY+V5tlhbju7T0OLMkjSIrVQP2RuQM+geqTViTwOhYvSQ5WezdXXuVfRHbI+awmfoC77fTKNaQKBgQDCb6kyCOUifmMa1p8KRoOV4m/7LmNXh0qlBTdJhjANgbOD7h3J0jPVG8LYIYBfIkYPmOz6iFkEuRLIcThqU73wfdOr5ovXWx96UISi5XxPQPa/3pr6ISe6dyKg8zEd9XwlXjxMlqtI+kX6D7lI71ljxFVDG7E/diFo6sf6Sz8hrQKBgFyrZqsBgz0R6d9V0R0JWNpdt+WShl5Hb0HrG844ZJQZKZbEwJFDxi0I5GomCydfCEnyBS2+iLYdaNkAYPVjDynb5CZVPzy6shCE6T2GLG9Cc/IXhPMvNQz6RHx1HyM7TegIgQY4hh9ZHtDe8ROZrAucpOG0NHaT+gRuXe4bnedd\n-----END PRIVATE KEY-----
# Identity Provider Data that we want connect with our SP
#
# Identifier of the IdP entity (must be a URI)
# test-----------------------------------------------------------
onelogin.saml2.idp.entityid = https://sso.###.com/FederationMetadata/2007-06/FederationMetadata.xml
# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
# test-------------------------------------------------------------
onelogin.saml2.idp.single_sign_on_service.url = https://sso.###.com/adfs/ls
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# SLO endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Request
# test-----------------------------------------------------------
onelogin.saml2.idp.single_logout_service.url =
# Optional SLO Response endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
# test-----------------------------------------------------------
onelogin.saml2.idp.single_logout_service.response.url =
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Public x509 certificate of the IdP
# test-----------------------------------------------------------
onelogin.saml2.idp.x509cert = MIIC6DCCAdCgAwIBAgIQZiRU+RFa9rRJO57iE1ib9DANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBkZXZvcHMueGlhb2hvbmdzaHUuY29tMB4XDTE3MDcyNTEzMDIxMFoXDTE4MDcyNTEzMDIxMFowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gZGV2b3BzLnhpYW9ob25nc2h1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALfwBsXi/9Hlor/Q8W9ljtRk/Pqv91OPdS5K9f4SyQKs1idFi1fR94uCnbC3HxZeCo4/3iCYoiwpG7PZnuC/EIDIQ0Pdu2b7jOcgmTww6k2CsyZPMZxBWaFPWofwL7kJ+SEUxz0Vd93TV2J/V09Gy6QR6lTBtz2CJZXpkTSYuLnQMfkDiHJKeFsrBkiH5bqVyEriv7rgiFajb8gZdTiEEbWEqGgps++17oCpmz9dMi0Vjz31ij2YHWPh3Y7EJ/aVGBHcFD1KgIqfWeDxJ0e2EjIqM8bdDAq6MsAWll1++BIkKBMUdoFvu7S8jT5aszUnScQzEPCXJL0Cs6rmBhEDoCkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAhjhQbeaMJEYPC3ZwhfFAZMuuCOcFg3MgSh1fMDQ1iqtJ1uX7EpkX9NG0bJfFmyvU/5L/wjV41byg3N0HdHuO1VsFTV4q2XzFZJRBPb7Ta6OIQYw+qIX4RH18TSObguv3GgT7AbWHS8HDAmivmTWoL2fJL9sgIMnv/iL/EyG8iXf1fyZBP6Kr60d3xmPFyhlJ76/hBzqRGW6WrdAFunD1vIWr0u/zIs2GbY6A9CcLmpCTAgVTtytGmt+2iTm7trck1l8qOCQCkqX6iH6swHULLLZTUo6STQdTdsbtymf9GE396l6Pc3JwNXKG0Eq89/3l8o1vmyv7ikW1FdQUWTOs7w==
# Instead of use the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
#
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
# onelogin.saml2.idp.certfingerprint =
# onelogin.saml2.idp.certfingerprint_algorithm = sha1
# Security settings
#
# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = false
# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = false
# Indicates whether the <samlp:logoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = false
# Indicates whether the <samlp:logoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = false
# Sign the Metadata
# Empty means no signature, or comma separate the keyFileName and the certFileName
onelogin.saml2.security.want_messages_signed =
# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = false
# Indicates a requirement for the Metadata of this SP to be signed.
# Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata =
# Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = false
# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid = false
# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = false
# Authentication context.
# Set Empty and no AuthContext will be sent in the AuthNRequest
# You can set multiple values (comma separated them)
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# Allows the authn comparison parameter to be set, defaults to 'exact'
onelogin.saml2.security.onelogin.saml2.security.requested_authncontextcomparison = exact
# Indicates if the SP will validate all received xmls.
# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true
# Algorithm that the toolkit will use on signing process. Options:
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1
3. 下载sP(即自己的java项目)的metadata文件,找运维上传metadata完成配置。
可以参考samples的metadata.jsp生成:完成相应的配置后,可以运行下metadata.jsp,copy出对应的metadata值,保存为xml格式即可。
4. Web项目加入对应的filter,取得sso传回来的用户信息,生成token,并对未包含token或token校验失败的页面进行过滤。
此处不再赘述, 主要在于调用auth.processResponse()方法,对返回回来的SAMLResponse验证成功以后,即可通过auth.getAttributes()拿到对应的用户属性。