3.Spring Security SAML 词汇表
3.词汇表
表3.1。本手册中使用的术语定义
术语 | 定义 |
---|---|
Assertion-断言 | SAML消息(XML文档)的一部分,它提供有关断言主题的事实(通常是关于经过身份验证的用户)。断言可以包含有关身份验证,关联属性或授权决策的信息。 |
Artifact | 标识符,可用于使用反向通道绑定从身份或服务提供商检索完整的SAML消息。 |
Binding-捆绑 | 用于传递SAML消息的机制。绑定分为前通道绑定,使用用户的Web浏览器进行消息传递(例如HTTP-POST或HTTP-Redirect)和反向通道绑定,其中身份提供者和服务提供者直接通信(例如,在Artifact绑定中使用SOAP调用) )。 |
Discovery | 用于确定应使用哪个身份提供程序来验证当前与服务提供者进行交互的用户的机制。 |
Metadata-元数据 | 描述一个或多个身份和服务提供者的文档。元数据通常包括实体标识符,公钥,端点URL,支持的绑定和配置文件以及其他功能或要求。身份和服务提供商之间的元数据交换通常是建立联盟的第一步。 |
Profile | 用于实现特定用例的协议,断言,绑定和处理指令的标准化组合,例如单点登录,单点注销,发现,工件解析。 |
Protocol-协议 | 用于实现特定功能的SAML消息的格式(模式)的定义,例如从IDP请求身份验证,执行单一注销或从IDP请求属性。 |
Identity provider (IDP)-身份提供者(IDP) | 知道如何验证用户并使用联合协议向服务提供商/中继方提供有关其身份的信息的实体。 |
Service provider (SP)-服务提供商(SP) | 您的应用程序与身份提供者进行通信,以获取有关与其交互的用户的信息。诸如认证状态和用户属性之类的用户信息以安全断言的形式提供。 |
Single Sign-On (SSO)-单点登录(SSO) | 处理允许访问多个网站而无需重复提供身份验证所需的凭据。各种联合协议(如SAML,WS-Federation,OpenID或OAuth)可用于实现SSO用例。诸如认证手段,用户属性,授权决策或安全令牌之类的信息通常作为单点登录的一部分提供给服务提供商。 |
Single Logout (SLO)-单点注销(SLO) | 进程在使用单点登录访问的所有资源上终止经过身份验证的会话。通常使用诸如将用户重定向到每个SSO参与者或发送注销SOAP消息的技术。 |
Term | Definition |
---|---|
Assertion | A part of SAML message (an XML document) which provides facts about subject of the assertion (typically about the authenticated user). Assertions can contain information about authentication, associated attributes or authorization decisions. |
Artifact | Identifier which can be used to retrieve a complete SAML message from identity or service provider using a back-channel binding. |
Binding | Mechanism used to deliver SAML message. Bindings are divided to front-channel bindings which use web-browser of the user for message delivery (e.g. HTTP-POST or HTTP-Redirect) and back-channel bindings where identity provider and service provider communicate directly (e.g. using SOAP calls in Artifact binding). |
Discovery | Mechanism used to determine which identity provider should be used to authenticate user currently interacting with the service provider. |
Metadata | Document describing one or multiple identity and service providers. Metadata typically includes entity identifier, public keys, endpoint URLs, supported bindings and profiles, and other capabilities or requirements. Exchange of metadata between identity and service providers is typically the first step for establishment of federation. |
Profile | Standardized combination of protocols, assertions, bindings and processing instructions used to achieve a particular use-case such as single sign-on, single logout, discovery, artifact resolution. |
Protocol | Definition of format (schema) for SAML messages used to achieve particular functionality such as requesting authentication from IDP, performing single logout or requesting attributes from IDP. |
Identity provider (IDP) | Entity which knows how to authenticate users and provides information about their identity to service providers/relaying parties using federation protocols. |
Service provider (SP) | Your application which communicates with the identity provider in order to obtain information about the user it interacts with. User information such as authentication state and user attributes is provided in form of security assertions. |
Single Sign-On (SSO) | Process enabling access to multiple web sites without need to repeatedly present credentials necessary for authentication. Various federation protocols such as SAML, WS-Federation, OpenID or OAuth can be used to achieve SSO use-cases. Information such as means of authentication, user attributes, authorization decisions or security tokens are typically provided to the service provider as part of single sign-on. |
Single Logout (SLO) | Process terminating authenticated sessions at all resources which were accessed using single sign-on. Techniques such as redirecting user to each of the SSO participants or sending a logout SOAP messages are typically used. |
赞(1)
赏