Definition

An Identity Broker is an intermediary service that connects multiple service providers with different identity providers. As an intermediary service, the identity broker is responsible for creating a trust relationship with an external identity provider in order to use its identities to access internal services exposed by service providers.

In short: an intermediary service that connects business services across several systems by way of several different identity providers.

It is responsible for establishing a trust relationship with the external identity provider and obtaining that provider's security token, so that identities authenticated externally can be granted trusted access to the services exposed by the internal systems.

An identity provider is usually based on a specific protocol that is used to authenticate users and to communicate authentication and authorization information about them. It can be a social provider such as Facebook, Google or Twitter. It can be a business partner whose users need to access your services. Or it can be a cloud-based identity service that you want to integrate with.

Protocols commonly used for this purpose:

  • SAML v2.0
  • OpenID Connect v1.0
  • OAuth v2.0

Overview

Identity Broker Flow

  1. User is not authenticated and requests a protected resource in a client application.
  2. The client application redirects the user to Red Hat Single Sign-On to authenticate.
  3. At this point the user is presented with the login page where there is a list of identity providers supported by a realm.
  4. User selects one of the identity providers by clicking on its respective button or link.
  5. Red Hat Single Sign-On issues an authentication request to the target identity provider asking for authentication and the user is redirected to the login page of the identity provider. The connection properties and other configuration options for the identity provider were previously set by the administrator in the Admin Console.
  6. User provides his credentials or consent in order to authenticate in the identity provider.
  7. Upon a successful authentication by the identity provider, the user is redirected back to Red Hat Single Sign-On with an authentication response. Usually this response contains a security token that will be used by Red Hat Single Sign-On to trust the authentication performed by the identity provider and retrieve information about the user.
  8. Now Red Hat Single Sign-On is going to check if the response from the identity provider is valid. If valid, it will import and create a new user or just skip that if the user already exists. If it is a new user, Red Hat Single Sign-On may ask the identity provider for information about the user if that info doesn't already exist in the token. This is what we call identity federation. If the user already exists, Red Hat Single Sign-On may ask them to link the identity returned from the identity provider with their existing account. We call this process account linking. What exactly is done is configurable and can be specified by setup of the First Login Flow. At the end of this step, Red Hat Single Sign-On authenticates the user and issues its own token in order to access the requested resource in the service provider.
  9. Once the user is locally authenticated, Red Hat Single Sign-On redirects the user to the service provider by sending the token previously issued during the local authentication.
  10. The service provider receives the token from Red Hat Single Sign-On and allows access to the protected resource.
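The flow above hinges on step 8: the broker must validate the identity provider's response (signature, issuer, audience, expiry and the nonce it sent in step 5) before federating the user and minting its own token. The following is an added example, not code from Red Hat Single Sign-On or its documentation, that simulates the exchange end to end with a constructed partner IdP; the issuer URLs, client IDs, and user data are assumptions, and HS256 with shared keys stands in for the RS256/ES256 keys a real IdP publishes.

```python
"""Minimal identity broker: verifies the external IdP's token, federates the
user, and issues the broker's own token to the client. Example code only;
HS256 shared keys replace the IdP's published asymmetric keys for brevity."""
import base64
import hashlib
import hmac
import json
import secrets
import time

BROKER_ISSUER = "https://sso.example"  # assumed broker URL (constructed for the example)


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) over the claims."""
    header = _b64e(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Check signature, alg, issuer, audience and expiry before trusting any claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64d(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    claims = json.loads(_b64d(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


class IdentityBroker:
    def __init__(self, broker_key: bytes, idps: dict):
        self.broker_key = broker_key
        self.idps = idps      # alias -> {"issuer", "client_id", "key"}, set by the admin
        self.pending = {}     # state -> (alias, nonce, client_id): one-time login transactions
        self.users = {}       # (alias, subject) -> local user record (federated identities)

    def start_login(self, alias: str, client_id: str) -> dict:
        """Step 5: build the outbound authentication request for the chosen IdP."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = (alias, nonce, client_id)
        return {"state": state, "nonce": nonce,
                "redirect_to": f"{self.idps[alias]['issuer']}/authorize"}

    def complete_login(self, state: str, id_token: str, now: int) -> str:
        """Steps 7-9: validate the IdP response, import/link the user, issue our own token."""
        alias, nonce, client_id = self.pending.pop(state)  # KeyError: unknown or replayed state
        idp = self.idps[alias]
        claims = verify_hs256(id_token, idp["key"], idp["issuer"], idp["client_id"], now)
        if claims.get("nonce") != nonce:
            raise ValueError("nonce mismatch")  # token was not minted for this login
        key = (alias, claims["sub"])
        user = self.users.get(key)
        if user is None:  # identity federation: import the user on first login
            user = {"username": claims.get("email", claims["sub"]), "links": {alias: claims["sub"]}}
            self.users[key] = user
        return sign_hs256({"iss": BROKER_ISSUER, "sub": user["username"], "aud": client_id,
                           "idp": alias, "exp": now + 300}, self.broker_key)


def demo(now: int = 0) -> dict:
    """Run the exchange against a simulated partner IdP (all data constructed)."""
    now = now or int(time.time())
    idp_key, broker_key = secrets.token_bytes(32), secrets.token_bytes(32)
    partner = {"issuer": "https://idp.partner.example", "client_id": "sso-broker", "key": idp_key}
    broker = IdentityBroker(broker_key, {"partner": partner})
    req = broker.start_login("partner", "reports-app")
    # The partner IdP authenticates alice and returns an ID token bound to our nonce.
    id_token = sign_hs256({"iss": partner["issuer"], "aud": "sso-broker", "sub": "u-1001",
                           "email": "alice@partner.example", "nonce": req["nonce"],
                           "exp": now + 60}, idp_key)
    broker_token = broker.complete_login(req["state"], id_token, now)
    # The client verifies only the broker's token; it never sees the partner token.
    client_view = verify_hs256(broker_token, broker_key, BROKER_ISSUER, "reports-app", now)
    replay_rejected = forgery_rejected = False
    try:
        broker.complete_login(req["state"], id_token, now)  # same state presented twice
    except KeyError:
        replay_rejected = True
    req2 = broker.start_login("partner", "reports-app")
    forged = sign_hs256({"iss": partner["issuer"], "aud": "sso-broker", "sub": "u-1",
                         "nonce": req2["nonce"], "exp": now + 60}, secrets.token_bytes(32))
    try:
        broker.complete_login(req2["state"], forged, now)  # signed with an attacker's key
    except ValueError:
        forgery_rejected = True
    return {"client_view": client_view, "replay_rejected": replay_rejected,
            "forgery_rejected": forgery_rejected}
```

The client application in `demo` only ever holds the broker key and only ever verifies the broker's token: the partner's protocol, key material and user identifier stay inside the broker, which is the decoupling the flow is meant to provide. Note that the broker consumes the `state` value exactly once, so a captured callback cannot be replayed.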

Note

Different protocols may require different authentication flows. At this moment, all the identity providers supported by Red Hat Single Sign-On use a flow just like the one described above. However, regardless of the protocol in use, the user experience should be pretty much the same.

As you may notice, at the end of the authentication process Red Hat Single Sign-On will always issue its own token to client applications. What this means is that client applications are completely decoupled from external identity providers. They don't need to know which protocol (e.g. SAML, OpenID Connect, OAuth) was used or how the user's identity was validated. They only need to know about Red Hat Single Sign-On: the Identity Broker handles all communication with the identity provider on their behalf.

Example: an identity broker issuing AWS temporary credentials

  1. The employee enters their username and password.
  2. The application calls the identity broker, which captures the username and password.
  3. The identity broker uses the organization's LDAP directory to validate the employee's identity.
  4. The identity broker calls the GetFederationToken API using its own IAM user credentials. The call must include a duration (the page's source gives 1 to 36 hours; the current STS limits are 15 minutes to 36 hours) and an IAM policy that specifies the permissions to be granted to the temporary security credentials.
  5. The Security Token Service confirms that the policy of the IAM user calling GetFederationToken grants permission to create new tokens, then returns four values to the broker: an access key ID, a secret access key, a session token, and the expiration time (the token's lifetime).
  6. The identity broker returns the temporary security credentials to the application.
  7. The application uses the temporary credentials (including the session token) to make requests to Amazon S3.
  8. Amazon S3 uses IAM to verify that the credentials allow the requested operation on the given S3 bucket and key.
  9. IAM gives S3 the go-ahead to perform the requested operation.
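The policy passed in step 4 is what keeps the broker's own IAM permissions from leaking to every employee: the credentials that GetFederationToken returns can do only what both the calling IAM user's policy and the session policy allow. The following is an added example, not code from AWS or the page's source, showing how the broker scopes the session policy to one employee's S3 prefix and how that intersection plays out; the bucket name, the broker user's policy and the `FakeSts` stand-in for the boto3 STS client are constructed for the example, while `get_federation_token(Name=..., Policy=..., DurationSeconds=...)` and the 900 to 129600 second limit are real STS behaviour.

```python
"""Broker-side scoping of AWS temporary credentials. Example code only:
the bucket, the broker's IAM user policy and FakeSts are constructed here."""
import json
from fnmatch import fnmatchcase

REPORTS_BUCKET = "arn:aws:s3:::reports-bucket"  # assumed bucket (constructed)

# Constructed policy attached to the broker's IAM user (the GetFederationToken caller).
BROKER_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": [REPORTS_BUCKET, f"{REPORTS_BUCKET}/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::payroll-bucket/*"},
]}


def build_session_policy(employee: str) -> dict:
    """Session policy for step 4: only this employee's prefix, and listing limited to it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{REPORTS_BUCKET}/{employee}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": REPORTS_BUCKET,
         "Condition": {"StringLike": {"s3:prefix": f"{employee}/*"}}},
    ]}


def request_federated_credentials(sts_client, employee: str, duration_seconds: int = 3600) -> dict:
    """Step 4: call STS GetFederationToken (boto3 client method) with the scoped policy."""
    if not 900 <= duration_seconds <= 129_600:  # STS limits: 15 minutes to 36 hours
        raise ValueError("DurationSeconds out of range")
    resp = sts_client.get_federation_token(
        Name=employee[:32],  # Name is limited to 32 characters
        Policy=json.dumps(build_session_policy(employee)),
        DurationSeconds=duration_seconds)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


class FakeSts:
    """Offline stand-in for the boto3 STS client: records the call, returns dummy credentials."""
    def get_federation_token(self, **kwargs):
        self.last_call = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": "2030-01-01T00:00:00Z"},
                "FederatedUser": {"FederatedUserId": f"123456789012:{kwargs['Name']}"}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified IAM matching: * and ? wildcards, plus StringLike conditions."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("StringLike", {}).items():
        if not any(fnmatchcase(context.get(key, ""), p) for p in _as_list(want)):
            return False
    return True


def policy_decision(policy: dict, action: str, resource: str, context: dict) -> str:
    """'deny' if an explicit Deny matches, 'allow' if an Allow matches, else 'implicit-deny'."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource, context)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "implicit-deny"


def effective_allow(identity_policy: dict, session_policy: dict, action: str,
                    resource: str, context: dict = None) -> bool:
    """Federated credentials are allowed only when both policies allow the request."""
    ctx = context or {}
    return (policy_decision(identity_policy, action, resource, ctx) == "allow"
            and policy_decision(session_policy, action, resource, ctx) == "allow")
```

With `build_session_policy("alice")`, a GetObject on `reports-bucket/alice/q1.csv` is allowed by both policies, while the same call on `reports-bucket/bob/q1.csv` is allowed by the broker user's policy but not by the session policy, so the federated credentials cannot make it; a DeleteObject is refused for the same reason. The `Deny` on the payroll bucket shows the other half of the rule: a session policy can narrow the caller's permissions but never widen them.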

Configuration

References

Red Hat Single Sign-On -> 7.0 -> Server Administration Guide -> Chapter 12. Identity Brokering

AWS STS
