自己翻译的Shibboleth官网的文章“How Shibboleth Works: Intermediate Concepts”,翻译得有问题的欢迎指出(本人英语四级而已,勿忘)
原文链接:
http://shibboleth.net/about/intermediate.html
How Shibboleth Works: Intermediate Concepts
Shibboleth如何工作: 媒介概念
In the previous section, Basic Concepts, we discussed the basic SSO process and defined terms like "federation" and "federated services". This page introduces three additional concepts: Identity Provider Discovery, User Attributes and Metadata. The concepts build on the basic SSO process, without superseding it in any way. These terms are often used without explanation, so you may already have heard them being used without quite understanding what was meant.
在上一章节中,基本概念,我们讨论了基本的SSO流程和关于联盟以及联盟服务的定义。现在,我们介绍三个额外的概念:Identity Provider Discovery(身份提供者发现服务),User Attributes(用户属性) 和 Metadata(元数据)。毫无疑问这些概念建立在基础的SSO流程上。这些术语经常使用但很少有关于它们的解释,所以你有可能在不理解它们是什么意思的情况下使用了它们。
Identity Provider Discovery
身份提供者发现服务
If after reading through the Basic Concepts you took our recommendation to re-read things you may have asked yourself the following question: "In step 2, if a service provider works with multiple identity providers, how does it know to which it should send the authentication request and the user?" This question has a very straightforward answer: you ask the user and that prompt is known as identity provider discovery.
在阅读过基本概念以后你也许会有一下几个疑问:在第二步中,如果一个Service Provider与多个Identity Provider一起工作,这个Service Provider怎么知道将认证请求和用户发送到那个Identity Provider?这个问题最直接的回答是:直接询问用户和搜集Identity Provider。
The Shibboleth project offers two products that can be used to perform identity provider discover. The Embedded Discovery Service works with the Shibboleth Service Provider in order to display an identity provider selector UI that integrates with your site. The Centralized Discovery Service is a standalone application that can be deployed centrally and to which service providers can delegate the work of presenting a selector UI. Because it offers a far better user experience we strongly encourage service providers to use the Embedded Discovery Service.
Shibboleth提供了两个产品用于发现Identity Provider。Embedded Discovery Service结合Service Provider使用可以提供一个选择器UI结合到你的网站中。Centralized Discovery Service是一个独立的应用程序,它可以集中的为Service Provider提供选择器UI。因为Embedded Discovery Service提供了更好的用户体验,所以我们强烈推荐使用Embedded Discovery Service。
User Attributes
用户属性
Another feature that most services take advantage of when using Shibboleth is the ability to receive data about the user from the identity provider. These data, called user attributes or just attributes, can be anything that the identity provider knows about the user and that may be helpful to the service provider. Some examples of this type of data are:
另外一个功能是大多数服务利用Shibboleth来获取Identity Provider返回给用户的数据。这些数据我们称之为用户属性,或者直接称为属性,这些数据可以是Identity Provider知道的任何关于这个用户对于Service Provider来说有用的东西。这些数据可以是一下内容:
the user's email address or phone number
用户邮箱地址或者电话号码
groups to which the user belongs
用户所属的组织
information about the user's role in the organization
用户在这个组织中的角色的信息
specific privileges a user has been granted
用户被授予的指定权限
The ability to preserve a user's privacy is a principal concern within all of the Shibboleth products. Both the identity provider and service provider allow the deployer to set attribute filter policies to address these concerns. Within the identity provider this policy controls which attributes will be released to which service providers. Within the service provider this policy controls what information will be accepted from which identity providers.
保护用户隐私的能力是所有Shibboleth产品最注重的。Identity Provider和Service Provider都允许开发者设置属性过滤策略来加强隐私保护。在Identity Provider中有关于哪些属性开放给哪些Service Provider的控制策略。在Service Provider中会有策略控制哪些Identity Provider发送过来的信息会被接受。
Metadata
元数据
Another question you may have asked yourself when reading the Basic Concepts is: "If this SSO process is all done over HTTP, how do the identity provider and service provider know which URLs to use when communicating with each other?". This function is accomplished by a metadata document that describes various technical aspects of an identity provider or service provider.
当你在阅读基本概念时另外一个你可能会问到的问题是:如果SSO流程都是通过HTTP完成,当Identity Provider和Service Provider通信的时候它们怎么知道用哪个URL进行交流?这个功能的实现需要通过元数据文档来为Identity Provider或者Service Provider来描述它们多种多样的技术实现。
The metadata for an identity provider or service provider usually contains the following information:
Identity Provider或者Service Provider的元数据往往包括以下信息:
a unique identifier, known as an entity id
一个唯一的标识符,常说的实体ID(entity id)
a human-readable name and description
一个可读的名字和介绍
a list of URLs to which messages should be delivered and some information about when to use each
一个关于哪些消息会被传递以及何时被使用的信息的URL表单
cryptographic information used when creating and verifying messages
创建和验证消息时的加密信息
A common function of a federation is to publish a file containing all the metadata for the identity providers and service providers that have agreed to work together. Each participant then consumes this data. In this way a service provider does not need to contact every identity provider when it changes its metadata (or vice versa) but simply provides it to the federation.The federation aggregate is then updated and every participant periodically refreshes their copy.
联盟最常用的一个功能是发布一个包含所有协同工作的Identity Provider和Service Provider元数据的文件。任何参与者都会享用这份数据。这种方式可以使得当一个Service Provider改变自己的元数据配置的时候不需要一一的去通知所有的Identity Provider(反之亦然),仅仅需要提供这些修改给联盟就可以。联盟搜集并更新这些修改,任何一个参与者都可以定期的更新从联盟它们的备份文件。
Wrap Up
小结
So, that's identity provider discovery, user attributes, and metadata. Again, you'll likely run in to these items fairly soon after you start working with federated services but it's important to remember that they are just building on top of the basic SSO process. They can be added one at a time as you build up comfortability with the system.
这就是Identity Provider Discovery(身份提供者发现服务), User Attributes(用户属性), 和Metadata(元数据)。你会很期待尽快在联盟工作中使用这些组件,但是重要的是你铭记他们都是建立在基础的的SSO流程之上。你可以在你构建好的系统中将它们加入进你的系统中。
Next up are a pair of advanced concepts: profiles and bindings. Although you don't need detailed knowledge of these to understand Shibboleth, you should have a basic definition. So, proceed to the next page.
接下来是另外两个高级的概念:配置文件和绑定。虽然你不需要关于这些概念很详细的知识来理解Shibboleth,但是你还是需要理解它们基本的定义。现在,我们进入下一章节
分享到:
相关推荐
Shibboleth IdP目录 概述用于管理Shibboleth IdP的人偶模块 模块说明这 ... 设置 IdP会产生什么影响... 设置要求只需要安装模块 从IdP开始最小设置: class { 'shibboleth_idp' : } 用法 自定义IdP选项 class { '...
Shibboleth是一款广泛用于身份验证和授权的开源软件,主要在教育和研究机构中用于实现单点登录(Single Sign-On, SSO)服务。它分为两个主要组件:Identity Provider (IdP) 和 Service Provider (SP)。在这个场景中...
希博莱斯该模块管理 shibboleth。 它最初是从 Aethylred/shibboleth 的模块中分拆出来的,但最终重新编写了它。 我创建这个模块主要是为了与我的另一个模块 jefferyb/kualicoeus 一起工作,但正在考虑将它扩展到其他...
2. **Shibboleth会话cookie**:设置用于存储Shibboleth会话的cookie: ``` location /Shibboleth.sso { ShibRequestSetting requireSession true; } ``` 3. **认证请求**:定义需要身份验证的路径: ``` ...
安装SHIBBOLETH产品的可用代码 要求 已通过Ansible v2.9.1测试 安装Shibboleth IdP v3.x / v4.x(8个“ jessie”或9个“ stretch”)的Debian服务器/虚拟机 安装和配置Shibboleth IdP的简单流程 成为根: sudo su -...
护照-Shibboleth 这是的身份验证提供程序该代码最初基于@drstearns安装 npm install passport-shibboleth --save用法配置策略 passport.use(new ShibbolethStrategy({ }, function(profile, done) { findByEmail...
根据给定文件内容,本文将详细介绍Shibboleth技术、高校身份认证联盟CARSI、CALIS统一认证云服务以及它们之间的跨域认证集成模式。 Shibboleth技术: Shibboleth是一个开源项目,属于Internet2/MACE项目的一部分。...
shibboleth.part1 Shibboleth是一个针对SSO的开源项目。
主厨shibboleth-idp描述安装/配置Shibboleth身份提供程序(IdP)。要求平台类CentOS的6 红帽6 Ubuntu 12.04(精确)食谱所需的必需的第三方食谱属性这些属性位于node['shibboleth-idp']命名空间下。 属性描述类型...
编译Cas5 缺失jar 文件
DokuWiki Shibboleth身份验证插件 主页: 许可证: 作者: 介绍 是一个用PHP编写的灵活而简单的Wiki系统。 是SAML的广泛使用的开源实现。 DokuWiki支持不同的身份验证插件,并且很容易编写替代身份验证插件以将自己...
《Shibboleth安装与配置CAS验证源详解》 Shibboleth和CAS(Central Authentication Service)是两个在身份认证领域广泛使用的系统。Shibboleth是一个基于SAML(Security Assertion Markup Language)的身份提供者...
Cendari Liferay Shibboleth插件适用于CENDARI。 这些修改为Shibboleth插件添加了几个选项,以在首次登录时自动创建用户帐户,并将Shibboleth组映射到Liferay角色。 注意:此插件的更改版本还包含一种解决方法,用于...
描述中提到的“在Django中使用Shibboleth的中间件”进一步强调了django-shibboleth-remoteuser的功能,即它是一个用于处理Shibboleth认证信息的Django组件。中间件是Django框架中的一个关键概念,它们是轻量级的插件...
shibboleth.part2
**Laravel 开发与 Shibboleth 整合详解** 在现代 Web 应用开发中,安全性和用户身份验证是至关重要的部分。Laravel 作为一款流行的 PHP 框架,提供了一套强大的身份验证系统。然而,对于大型企业或教育机构,常常...
层autenticazione SPID basato su NGINX(Openresty)e Shibboleth 分层应用程序(在Question Esempio Node.js Express中) 在HTTP层和层级之间,应用层,后端层和层级之间的关系,框架协议的实现方式都受到了支持...
shibboleth-sp-2.5.3-win32.msi
带有Shibboleth Identity Provider 3文档的Azure Active Directory单一登录和讨论 当前文档以.docx格式提供,或通过将置于“下载”选项中。 如果您对使用Shibboleth Identity Provider 3实施Azure Active Directory...