We have a website running on Caucho Resin. The great majority of the site is JSP/Java. We have our own custom authentication on the site, meaning we aren't using any third party authentication frameworks. We host the website, not our clients.
Our large clients want to have their users log into our site with their active directory credentials. For this I'm assuming I will be talking to ADFS with SAML, please correct me if that is wrong.
So my question is: how do I go about doing that with Java? From what I can tell there is OpenSAML, which sounds like it doesn't do everything, and if I want more then I need to use Shibboleth. Are there other alternatives? If all I want is for the users to be able to log in, what is my best option?
Any information would help. Thank you.
EDIT: I've just found out that another option would be OAuth. Pros? Cons?
Solution
Your application needs to act as a SAML SP, either directly (from your code), or indirectly (e.g. through SAML SP support on reverse proxy, application server, ...).
For direct options (which require more modifications to your application) you can:
code the SAML SP yourself (most likely with OpenSAML, you can find examples in sources of existing products)
use a ready-made product to integrate into your application, such as Spring SAML or OpenAM Fedlet
For indirect options (which require fewer modifications to your application) you can:
use Shibboleth SAML SP plugins on your Apache reverse proxy (if you use one)
deploy a SAML SP as another application on your container (e.g. Spring SAML or OpenAM) and make it communicate with your application, so the SAML SP performs authentication with ADFS and communicates the result to your application, e.g. through a shared cookie or a custom token
You can find more comparison details and considerations in this thread.
ADFS 3 should have support for an OAuth Authorization Server, and it might well be an easier way to integrate; see here and here. Implementing authentication using OAuth is generally significantly easier than SAML, with no relevant disadvantages.
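The "indirect" option in the answer above (a separately deployed SAML SP that hands the authenticated identity to the existing JSP application through a shared cookie or custom token) is the place where home-grown integrations most often go wrong, because the hand-off token ends up being a bare username in a cookie. The following is an added example, not code from the answer or from any of the products it names. It assumes a shared HMAC key between the SP application and the main application and a hypothetical token format of `base64url(payload).base64url(HMAC-SHA256(payload))`; the field names, the `HandoffToken` class and the 5-minute lifetime are all choices made for this example. It does not replace the SAML validation the SP itself must do on the ADFS response (signature, audience, conditions), which the libraries mentioned above perform.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;

/**
 * Hypothetical hand-off token between a SAML SP app and the main JSP app
 * (added example; format and names are assumptions, not a product's API).
 * payload = audience | subject | issuedAt | expiresAt | nonce   (UTF-8)
 * token   = base64url(payload) "." base64url(HMAC-SHA256(key, payload))
 */
public final class HandoffToken {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final long MAX_AGE_SECONDS = 300;   // one-time login hand-off, keep it short
    private static final SecureRandom RNG = new SecureRandom();

    private final byte[] key;        // shared secret between SP app and main app (assumed)
    private final String audience;   // the application allowed to accept this token

    public HandoffToken(byte[] key, String audience) {
        if (key.length < 32) throw new IllegalArgumentException("use at least a 256-bit key");
        this.key = key.clone();
        this.audience = audience;
    }

    /** Called by the SAML SP after ADFS has authenticated `subject`. */
    public String issue(String subject, long nowSeconds) {
        if (subject.contains("|")) throw new IllegalArgumentException("subject must not contain '|'");
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);                       // makes every token unique (replay-cache key)
        String payload = String.join("|",
                audience, subject,
                Long.toString(nowSeconds),
                Long.toString(nowSeconds + MAX_AGE_SECONDS),
                b64(nonce));
        byte[] p = payload.getBytes(StandardCharsets.UTF_8);
        return b64(p) + "." + b64(hmac(p));
    }

    /** Called by the main application. Returns the subject only if every check passes. */
    public Optional<String> verify(String token, long nowSeconds) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) return Optional.empty();
        byte[] p, sig;
        try {
            p = Base64.getUrlDecoder().decode(parts[0]);
            sig = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // 1. Integrity first: constant-time MAC comparison before any field is trusted.
        if (!MessageDigest.isEqual(hmac(p), sig)) return Optional.empty();
        String[] f = new String(p, StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 5) return Optional.empty();
        // 2. Audience: a token minted for another application is rejected.
        if (!audience.equals(f[0])) return Optional.empty();
        // 3. Time window: reject expired tokens and tokens "issued" in the future.
        long iat, exp;
        try { iat = Long.parseLong(f[2]); exp = Long.parseLong(f[3]); }
        catch (NumberFormatException e) { return Optional.empty(); }
        if (nowSeconds < iat || nowSeconds >= exp) return Optional.empty();
        return Optional.of(f[1]);
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(key, HMAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);                          // in practice: provisioned out of band to both apps
        HandoffToken sp = new HandoffToken(key, "intranet-app");
        long now = System.currentTimeMillis() / 1000;
        String token = sp.issue("jdoe@corp.example", now);   // constructed sample subject

        System.out.println("accepted:       " + sp.verify(token, now));
        System.out.println("expired:        " + sp.verify(token, now + 600));
        System.out.println("wrong audience: " + new HandoffToken(key, "other-app").verify(token, now));
        System.out.println("tampered:       " + sp.verify(token.substring(0, token.length() - 1), now));
    }
}
```

In a deployment the main application would read the token from a cookie marked `Secure` and `HttpOnly`, consume it once (record the nonce until `expiresAt` to stop replay), and then issue its own session as it does today for password logins. The order of checks matters: the MAC is verified before the payload is parsed, so malformed or attacker-chosen fields never reach the audience and time logic.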