My own translation of the Shibboleth website article "How Shibboleth Works: Intermediate Concepts". Corrections of anything I have mistranslated are welcome (I only have CET-4 English, please bear that in mind).
Original link:
http://shibboleth.net/about/intermediate.html
How Shibboleth Works: Intermediate Concepts
In the previous section, Basic Concepts, we discussed the basic SSO process and defined terms like "federation" and "federated services". This page introduces three additional concepts: Identity Provider Discovery, User Attributes and Metadata. These concepts build on the basic SSO process without superseding it in any way. The terms are often used without explanation, so you may already have heard them without quite understanding what was meant.
Identity Provider Discovery
If, after reading through the Basic Concepts, you took our recommendation to re-read things, you may have asked yourself the following question: "In step 2, if a service provider works with multiple identity providers, how does it know which one it should send the authentication request and the user to?" This question has a very straightforward answer: you ask the user, and that prompt is known as identity provider discovery.
The Shibboleth project offers two products that can be used to perform identity provider discovery. The Embedded Discovery Service works with the Shibboleth Service Provider to display an identity provider selector UI that integrates with your site. The Centralized Discovery Service is a standalone application that can be deployed centrally and to which service providers can delegate the work of presenting a selector UI. Because it offers a far better user experience, we strongly encourage service providers to use the Embedded Discovery Service.
User Attributes
Another feature that most services take advantage of when using Shibboleth is the ability to receive data about the user from the identity provider. These data, called user attributes or just attributes, can be anything that the identity provider knows about the user and that may be helpful to the service provider. Some examples of this type of data are:
the user's email address or phone number
groups to which the user belongs
information about the user's role in the organization
specific privileges a user has been granted
The ability to preserve a user's privacy is a principal concern within all of the Shibboleth products. Both the identity provider and the service provider allow the deployer to set attribute filter policies to address these concerns. Within the identity provider, this policy controls which attributes will be released to which service providers. Within the service provider, this policy controls what information will be accepted from which identity providers; this matters because, without it, any identity provider could assert values (a group membership, a privilege) that the service provider has no reason to trust from that source.
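To make the identity-provider-side policy concrete, here is an added example (not Shibboleth code) that evaluates a small subset of the Shibboleth IdP attribute-filter.xml syntax: Requester policy rules and PermitValueRule of type ANY or Value. The policy, the two service provider entity IDs and the user record are all constructed for the example; real deployments should rely on the IdP's own filter engine, which supports many more rule types.

```python
"""Hypothetical evaluator for a subset of the Shibboleth IdP attribute filter
policy language.  Added example, not Shibboleth project code: it understands only
PolicyRequirementRule xsi:type="Requester" and PermitValueRule of type ANY/Value."""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed policy (entity IDs are invented): sp-a receives eppn and mail;
# sp-b receives eppn plus only the "member" value of eduPersonAffiliation.
# Anything not explicitly permitted is withheld (default deny).
FILTER_XML = f"""<AttributeFilterPolicyGroup id="Demo" xmlns="{AFP}" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="toSpA">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp-a.example.org/shibboleth"/>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="toSpB">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp-b.example.org/shibboleth"/>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation"><PermitValueRule xsi:type="Value" value="member"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed user record: attribute name -> list of values the IdP knows.
USER = {
    "eduPersonPrincipalName": ["alice@example.edu"],
    "mail": ["alice@example.edu"],
    "eduPersonAffiliation": ["member", "staff"],
    "telephoneNumber": ["+1-555-0100"],
}


def _xsi_type(el):
    return el.get(f"{{{XSI}}}type")


def filter_attributes(policy_xml, requester, attributes):
    """Return the attributes (name -> values) the IdP would release to `requester`.

    Every policy whose Requester rule matches contributes its permitted values;
    attributes no matching policy mentions are never released."""
    root = ET.fromstring(policy_xml)
    released = {}
    for policy in root.findall(f"{{{AFP}}}AttributeFilterPolicy"):
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if _xsi_type(req) != "Requester" or req.get("value") != requester:
            continue  # this policy does not apply to the requesting SP
        for rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            name = rule.get("attributeID")
            values = attributes.get(name, [])
            for permit in rule.findall(f"{{{AFP}}}PermitValueRule"):
                kind = _xsi_type(permit)
                if kind == "ANY":
                    allowed = list(values)
                elif kind == "Value":
                    allowed = [v for v in values if v == permit.get("value")]
                else:
                    raise ValueError(f"unsupported PermitValueRule type {kind}")
                for v in allowed:
                    bucket = released.setdefault(name, [])
                    if v not in bucket:
                        bucket.append(v)
    return released


if __name__ == "__main__":
    for sp in ("https://sp-a.example.org/shibboleth",
               "https://sp-b.example.org/shibboleth",
               "https://unknown.example.net/shibboleth"):
        print(sp, "->", filter_attributes(FILTER_XML, sp, USER))
```

Note that the telephone number is never released to anyone, and the unknown service provider receives nothing at all, which is the default-deny behaviour the filter is built around.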
Metadata
Another question you may have asked yourself when reading the Basic Concepts is: "If this SSO process is all done over HTTP, how do the identity provider and service provider know which URLs to use when communicating with each other?" This function is accomplished by a metadata document that describes various technical aspects of an identity provider or service provider.
The metadata for an identity provider or service provider usually contains the following information:
a unique identifier, known as an entity ID
a human-readable name and description
a list of URLs to which messages should be delivered, and some information about when to use each
cryptographic information (certificates or public keys) used when creating and verifying messages
A common function of a federation is to publish a file containing all the metadata for the identity providers and service providers that have agreed to work together. Each participant then consumes this data. In this way a service provider does not need to contact every identity provider when it changes its metadata (or vice versa), but simply provides it to the federation. The federation aggregate is then updated and every participant periodically refreshes their copy.
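The two questions above (which identity provider, and which URL) are both answered from metadata, so the following added example, which is not Shibboleth project code, ties them together. It parses a constructed federation aggregate (one identity provider, one service provider; all entity IDs, URLs and the certificate string are invented) and then walks through the IdP Discovery Protocol exchange: the service provider redirects the browser to a discovery service with its entityID and a return URL, the discovery service checks that return URL against the DiscoveryResponse endpoints registered in the service provider's metadata before sending the user back with the chosen identity provider's entityID, and the service provider then looks up that identity provider's SingleSignOnService endpoint. The exact-match rule for the return URL (ignoring its query string) is this example's own simplification.

```python
"""Added example (not Shibboleth project code): parse a constructed SAML metadata
aggregate and run the IdP Discovery Protocol exchange against it.  The entity
IDs, URLs and certificate below are invented for the example."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP = "https://idp.example.edu/idp/shibboleth"   # constructed entity IDs
SP = "https://sp.example.org/shibboleth"

# Constructed federation aggregate: one IdP and one SP.
AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    xmlns:idpdisc="{NS['idpdisc']}" Name="urn:mace:example.org:federation">
  <md:EntityDescriptor entityID="{IDP}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICconstructedCertBase64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SP}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <idpdisc:DiscoveryResponse Binding="{NS['idpdisc']}" index="1"
            Location="https://sp.example.org/Shibboleth.sso/Login"/>
      </md:Extensions>
      <md:AssertionConsumerService Binding="{POST}" index="1"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_aggregate(xml_text):
    """Index the aggregate by entityID (the unique identifier from the list above)."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): e for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")}


def sso_endpoint(entities, idp_id, binding):
    """The URL the SP must send its authentication request to, per IdP and binding."""
    for ep in entities[idp_id].iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if ep.get("Binding") == binding:
            return ep.get("Location")
    raise LookupError(f"{idp_id}: no SingleSignOnService for {binding}")


def signing_certs(entities, entity_id):
    """Base64 certificates the peer may use to verify this entity's signatures.
    A KeyDescriptor with no 'use' attribute covers both signing and encryption."""
    return ["".join(c.text.split())
            for kd in entities[entity_id].iterfind(".//md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")
            for c in kd.iterfind(".//ds:X509Certificate", NS)]


def discovery_request(ds_url, sp_id, return_url):
    """Step 1: the SP redirects the browser to the discovery service."""
    return ds_url + "?" + urlencode(
        {"entityID": sp_id, "return": return_url, "returnIDParam": "entityID"})


def discovery_response(entities, request_url, chosen_idp):
    """Step 2: the DS validates the request against the SP's metadata and, once the
    user has picked an IdP, redirects back with that IdP's entityID.  Rejecting a
    'return' URL that is not registered as a DiscoveryResponse endpoint is what
    stops a forged request from turning the DS into an open redirector."""
    q = parse_qs(urlsplit(request_url).query)
    sp_id = q["entityID"][0]
    if sp_id not in entities:
        raise ValueError(f"unknown SP {sp_id}")
    registered = [d.get("Location")
                  for d in entities[sp_id].iterfind(".//idpdisc:DiscoveryResponse", NS)]
    ret = q.get("return", [registered[0]])[0]         # default: first registered endpoint
    if ret.split("?", 1)[0] not in registered:       # this example: exact match, query ignored
        raise ValueError(f"return URL {ret} is not registered in {sp_id}'s metadata")
    if chosen_idp not in entities:
        raise ValueError(f"unknown IdP {chosen_idp}")
    param = q.get("returnIDParam", ["entityID"])[0]
    return ret + ("&" if "?" in ret else "?") + urlencode({param: chosen_idp})


def sp_handle_return(entities, redirect_url, param="entityID"):
    """Step 3: the SP reads the chosen IdP from the redirect and picks its SSO URL."""
    idp_id = parse_qs(urlsplit(redirect_url).query)[param][0]
    return idp_id, sso_endpoint(entities, idp_id, REDIRECT)


if __name__ == "__main__":
    ents = load_aggregate(AGGREGATE)
    req = discovery_request("https://ds.example.org/DS", SP,
                            "https://sp.example.org/Shibboleth.sso/Login?target=/app")
    back = discovery_response(ents, req, IDP)
    print(back)
    print(sp_handle_return(ents, back))
```

The same metadata that answers "which URL" also carries the signing certificates returned by signing_certs, which is why refreshing the federation aggregate on a schedule, as the paragraph above describes, is a security task and not just an operational one: a stale copy keeps trusting keys and endpoints the federation may already have withdrawn.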
Wrap Up
So, that's identity provider discovery, user attributes, and metadata. Again, you'll likely run into these items fairly soon after you start working with federated services, but it's important to remember that they are just built on top of the basic SSO process. They can be added one at a time as you become comfortable with the system.
Next up are a pair of advanced concepts: profiles and bindings. Although you don't need detailed knowledge of these to understand Shibboleth, you should have a basic definition. So, proceed to the next page.