如何使用ADFS2.0和SAML/SSO来保护Tomcat的and应用程序？

Question

我想用ADFS SSO保护我的SSO应用程序(在Tomcat 5.5上)。通过Apache2及其重写模块从外部访问这些are应用程序。

要使其工作(随机顺序)有几个步骤: a. ADFS -添加b. Shibboleth - ADFS c. Apache2 - Shibboleth d. XXXXX - Tomcat

每个教程都不是很清楚，或者有很多错误，或者已经过时了，所以我对上述所有步骤都有问题。ADFS和and运行在Windows 2008 R2 Shibboleth、Apache2、Tomcat上

请提供如何连接上述所有技术的建议。

下面是为我工作的Shibboleth config：

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->
    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.

    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://centos.my.domain.com/"
                         REMOTE_USER="eppn persistent-id targeted-id" encryption="true" signing="true">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
        in that case. Note that while we default checkAddress to "false", this has a negative
        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="http://WinServer2008.my.domain.com/adfs/services/trust"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2 SAML1
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="lgrzywacz@xtm-intl.com"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of remotely supplied batch of signed metadata. -->
<!--
        <MetadataProvider type="XML" uri="https://WinServer2008.my.domain.com/FederationMetadata/2007-06/FederationMetadata.xml"
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="Signature" certificate="/etc/shibboleth/WinServer2008.my.domain.com.cer"/>
        </MetadataProvider>
-->

        <!-- Example of locally maintained metadata. -->
        <MetadataProvider type="XML" file="metadata.xml"/>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="/etc/pki/tls/private/ca.key" certificate="/etc/pki/tls/certs/ca.crt" password="PASSWORD"/>

        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.

        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

下面是Apache配置

#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so

#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth-2.4.3/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth-2.4.3/logo.jpg
</IfModule>

#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
  ShibUseHeaders On
</Location>

<Location /Shibboleth.sso>
        Satisfy Any
</Location>
<VirtualHost *:443>

    ServerName centos.my.domain.com
    ServerAlias www.centos.my.domain.com
    ServerAlias www.centos.ad.xml-intl.com
    ServerAlias centos.ad.xml-intl.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

    RewriteCond %{SERVER_NAME} !centos.my.domain.com
    RewriteRule ^/(.*) https://centos.my.domain.com/$1 [R]
</VirtualHost>

我还在ADFS2.0中添加了依赖方信任，具有以下属性：

Relying party identifiers = https://centos.my.domain.com/
Display name = Centos
Encryption certificate = this is the ca.crt file mentioned in configs above
Secure hash algorithm = SHA-1

我还添加了SAML断言消费者终结点：

Binding = POST
Index = 1
URL = https://centos.my.domain.com/Shibboleth.sso/SAML2/POST

我不确定我是不是漏了什么东西。

现在我有了新问题。浏览器知道我是否登录，但我需要知道谁是在who应用程序端登录的(有一些属性，如HTTP_EMAIL，但所有这些属性都是空的。

Answer 1

您是否看到了Shibboleth - ADFS逐步指南这里

Answer 2

好吧，我终于做到了。不幸的是，MS站点帮不上忙。我在所有可能的组合检查之后找到了解决方案。