The SP has a local self-signed certificate that it uses for signing and decryption:

import java.io.FileInputStream;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import org.opensaml.security.x509.X509Support;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

// privateKeyResource / certificateResource are java.io.File handles to the PKCS#8 key and the certificate;
// relyingPartyEntityId is the SP's entity ID and virtuACSLocation its assertion consumer service URL
log.info("certificate path:" + certificateResource.getAbsolutePath());
log.info("private key path:" + privateKeyResource.getAbsolutePath());
RSAPrivateKey k;
try (FileInputStream in = new FileInputStream(privateKeyResource)) {  // close the stream once parsed
    k = RsaKeyConverters.pkcs8().convert(in);
}
X509Certificate certificate = X509Support.decodeCertificate(certificateResource);
// one key pair, two usages: Spring selects the credential by its declared usage
Saml2X509Credential credential = Saml2X509Credential.signing(k, certificate);
Saml2X509Credential decryptCredential = Saml2X509Credential.decryption(k, certificate);
RelyingPartyRegistration registration = RelyingPartyRegistrations
        .fromMetadataLocation("classpath:saml/metadata.xml")  // IdP metadata: asserting party entity ID, SSO URL, verification certificates
        .registrationId(relyingPartyEntityId)
        .authnRequestsSigned(true)
        .signingX509Credentials(c -> c.add(credential))
        .decryptionX509Credentials(c -> c.add(decryptCredential))
        // do not override the asserting party's entity ID with the SP's own: the IdP entity ID read from
        // the metadata is what the Issuer of incoming responses and assertions is checked against
        .assertionConsumerServiceLocation(virtuACSLocation)
        .entityId(relyingPartyEntityId)
        .build();
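A check worth running before the credentials above are handed to Spring Security, as an added example that is not part of the original answer: the key file and the certificate file are loaded separately, so nothing stops you from pairing a certificate with a key it does not belong to, and `Saml2X509Credential` does not check the certificate's validity period itself. The loader below refuses to build the credentials unless the certificate's RSA modulus matches the private key, the certificate is currently valid, and the key is at least 2048 bits. `SpCredentialLoader` and the file-path parameters are assumptions for the example; the library calls are the same ones used in the answer.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import org.opensaml.security.x509.X509Support;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;

/** Example loader (not from the original answer): loads the SP key pair and sanity-checks it. */
public final class SpCredentialLoader {

    /**
     * Returns {signingCredential, decryptionCredential} for the given PKCS#8 key file and
     * PEM/DER certificate file, or throws if the two files do not belong together.
     */
    public static Saml2X509Credential[] load(File privateKeyFile, File certificateFile) throws Exception {
        RSAPrivateKey privateKey;
        try (InputStream in = new FileInputStream(privateKeyFile)) {
            privateKey = RsaKeyConverters.pkcs8().convert(in);
        }
        X509Certificate certificate = X509Support.decodeCertificate(certificateFile);

        // 1. The certificate's public key must belong to this private key. An RSA key pair
        //    shares its modulus, so a mismatch here is a wrong-file error: the IdP would
        //    verify our AuthnRequest signatures against a key we do not hold.
        PublicKey pub = certificate.getPublicKey();
        if (!(pub instanceof RSAPublicKey)
                || !((RSAPublicKey) pub).getModulus().equals(privateKey.getModulus())) {
            throw new IllegalStateException(
                    "private key " + privateKeyFile + " does not match certificate " + certificateFile);
        }

        // 2. Saml2X509Credential does not check the validity period; an expired SP certificate
        //    still "works" locally but the IdP holding our metadata will reject what it signs.
        try {
            certificate.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            throw new IllegalStateException("SP certificate is not currently valid: " + e.getMessage(), e);
        }

        // 3. Refuse weak keys outright rather than discovering it in an IdP error log.
        if (privateKey.getModulus().bitLength() < 2048) {
            throw new IllegalStateException("RSA key is only " + privateKey.getModulus().bitLength() + " bits");
        }

        return new Saml2X509Credential[] {
                Saml2X509Credential.signing(privateKey, certificate),
                Saml2X509Credential.decryption(privateKey, certificate)
        };
    }
}
```

Call `SpCredentialLoader.load(privateKeyResource, certificateResource)` where the answer builds `credential` and `decryptCredential`; failing at startup with a clear message is far cheaper than debugging a signature-verification failure on the IdP side.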
If the IdP is only reachable through a proxy, you may have to build the HTTP metadata resolver yourself, with an HttpClient that has the proxy configured:

import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.AssertingPartyMetadata;
import org.springframework.security.saml2.provider.service.registration.OpenSaml4AssertingPartyMetadataRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

BasicParserPool parserPool = new BasicParserPool();
parserPool.initialize();
// createHttpClient() is your own factory; the Apache HttpClient 4 instance it returns must have
// the proxy set (HttpClientBuilder.setProxy(...)), otherwise the resolver tries idpMetadataUrl directly
HTTPMetadataResolver httpMetadataResolver =
        new HTTPMetadataResolver(createHttpClient(), idpMetadataUrl);
httpMetadataResolver.setId("httpMetadataResolver");
httpMetadataResolver.setParserPool(parserPool);
httpMetadataResolver.initialize();  // performs the first (proxied) fetch of the metadata
OpenSaml4AssertingPartyMetadataRepository assertingParties =
        new OpenSaml4AssertingPartyMetadataRepository(httpMetadataResolver);
// look the IdP up by *its* entity ID (idpEntityId); the SP's own entity ID goes on the registration
AssertingPartyMetadata idp = assertingParties.findByEntityId(idpEntityId);
RelyingPartyRegistration registration = RelyingPartyRegistration
        .withAssertingPartyMetadata(idp)
        .registrationId(registrationId)
        .entityId(entityId)
        .build();

See here for more information:
https://docs.spring.io/spring-security/reference/servlet/saml2/metadata.html
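The proxy-aware client that the resolver above depends on, as an added example (not code from the original answer or from Spring Security): `HTTPMetadataResolver` in OpenSAML 4 takes an Apache HttpClient 4 instance, so the proxy is set on an `HttpClientBuilder`. The method name `createHttpClient` matches the answer's placeholder; the `proxyHost`, `proxyPort`, `proxyUser` and `proxyPassword` parameters and the timeouts are assumptions for the example. Note that the TLS connection to the metadata URL is still end to end through a CONNECT tunnel, so there is no reason to relax certificate verification for the proxy case.

```java
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;

/** Example factory (not from the original answer) for the client passed to HTTPMetadataResolver. */
public final class MetadataHttpClients {

    /**
     * Builds an HttpClient 4 instance that routes every request through proxyHost:proxyPort.
     * proxyUser may be null when the proxy does not require authentication.
     */
    public static HttpClient createHttpClient(String proxyHost, int proxyPort,
                                              String proxyUser, String proxyPassword) {
        HttpHost proxy = new HttpHost(proxyHost, proxyPort, "http");

        // Bounded timeouts: an unreachable proxy should fail metadata loading quickly
        // instead of hanging application startup.
        RequestConfig requestConfig = RequestConfig.custom()
                .setProxy(proxy)
                .setConnectTimeout(5_000)
                .setSocketTimeout(10_000)
                .build();

        HttpClientBuilder builder = HttpClientBuilder.create()
                .setProxy(proxy)                        // the part the answer says must be set
                .setDefaultRequestConfig(requestConfig);

        if (proxyUser != null) {
            // Credentials are scoped to the proxy host/port only, so they are never offered
            // to the IdP itself.
            CredentialsProvider credentials = new BasicCredentialsProvider();
            credentials.setCredentials(new AuthScope(proxyHost, proxyPort),
                    new UsernamePasswordCredentials(proxyUser, proxyPassword));
            builder.setDefaultCredentialsProvider(credentials);
        }
        // Deliberately no custom SSLContext / hostname verifier: the IdP's certificate is
        // still verified through the tunnel with the JVM trust store.
        return builder.build();
    }
}
```

Use it as `new HTTPMetadataResolver(MetadataHttpClients.createHttpClient("proxy.internal", 3128, null, null), idpMetadataUrl)`; the resolver's `initialize()` then performs its first fetch through the proxy and surfaces any proxy or TLS failure as a `ComponentInitializationException` at startup rather than at the first login.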