时间戳

首页 > 解决方案 > 使用 uaa.yml 配置 UAA cloudfoundry

single-sign-on - 使用 uaa.yml 配置 UAA cloudfoundry

问题描述

我尝试只使用没有 cf 的 UAA 服务和其他服务。使用快速入门,我已经在 Cent OS 7 的 vmware vSphere 虚拟机上安装了 UAA 服务。我将主机名设置为 vm。我使用以下方法运行它:

 CLOUD_FOUNDRY_CONFIG_PATH=/tmp/config/ ./gradlew run

uaa:
  url: http://uaa-sp.intra.mydomain.com:8080/uaa
  host: uaa-sp.intra
aplications:
  host: uaa-sp.intra
  env:
    UAA_URL: http://uaa-sp.intra.mydomain.com:8080/uaa/
    LOGIN_URL: http://uaa-sp.intra.mydomain.com:8080/uaa/
scim:
  users:
    - admin@mydomain.com|123456|uaa.admin,clients.secret,scim.write,scim.read,openid
login:
  serviceProviderKey: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  serviceProviderCertificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

我可以访问它,但如果我尝试获取 SP saml 元数据,它会使用位置“ localhost ”生成它

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="cloudfoundry-saml-login" entityID="cloudfoundry-saml-login"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#cloudfoundry-saml-login"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>nEMzJnjHoN4jIZSP+a1Jk01SbJA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>XosmlNR5OckP7gUUrl6VVdDxs38kHO5Hq6PfMMJJG7xKT1UtYbes0tmLZR4cTOVwlZrFAyBY9liHq9heq0Q/zg5NAfP2hBmckvtkRTJlNXAJzlIkcFgoOmqFjCQ4EFhF5uK6JrnTHdoEEBWrhc53nGu++w1FqbeE4QkOm8B52no=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/uaa/saml/SingleLogout/alias/cloudfoundry-saml-login"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/uaa/saml/SingleLogout/alias/cloudfoundry-saml-login"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/uaa/saml/SSO/alias/cloudfoundry-saml-login" index="0" isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://localhost:8080/uaa/oauth/token/alias/cloudfoundry-saml-login" index="1"/>
</md:SPSSODescriptor></md:EntityDescriptor>

同时,如果我执行 uaac 上下文,我会得到正确的地址

[root@uaa-sp ~]# uaac context
[0]*[http://uaa-sp.intra.mydomain.com:8080/uaa]

如何正确配置 uaa.yml 以便获得正确的 sp 元数据?我找不到有关 uaa.yml 的信息。或者如果没有整个 CloudFoundry 服务,就无法配置此服务?

标签: single-sign-oncloud-foundrysaml-2.0cloudfoundry-uaa

解决方案

弄清楚:你需要设置 login.entityBaseURL: http://uaa-sp.intra.mydomain.com:8080/uaa

推荐阅读