I have to do a SAML2 project, but this is my first contact with SAML and I lack a lot of computer security fundamentals, so the English is really hard for me to follow; I wanted to translate it into Chinese first and then work through it. I searched online, but some of the articles are machine-translated and even harder to understand. For example, Claims gets rendered as 声明 (statement) or 索赔 (compensation claim), neither proper Chinese nor proper English, which I simply cannot stand; it is harder to understand than the English. So I had no choice but to translate it myself. The article below is reproduced from http://www.16kan.com/article/detail/318024.html; the translation there was machine-made, full of errors, extremely stilted and hard to understand. I am translating it sentence by sentence. It is not finished yet.

I think two of the technical terms came out fairly well; criticism welcome!

Claims: I translate it as 用户信息 (user information).

Cookie: 客户端跟踪信息 (client tracking information). Some people translate it as 饼干 (the edible biscuit), which makes me want to swear at them!

Security is really a deceptively simple problem of merely two parts: authenticating and authorizing users.

The problem is that there has been an absence of standards, and interoperability is really impossible without them.

However, there have been quite a few advancements recently that I wanted to point out and discuss in this article.

Standard Challenges

In a typical security scenario, an application either contains a custom forms-based authentication system (web) that uses a username-or-email/password combination to authenticate the user, or it relies on the corporate authentication system (intranet) to do the same.

The application then queries its user repository to retrieve user information to determine the user's level of access, preferences and anything else that might be needed.

The user repository is typically local to the application (a database, for example), or the user directory managed by the authenticating system (Active Directory) if only minimal information needs to be stored (role information, for example).

This information is then used to authorize the user's level of access to the system.

Most applications require more information than just a username and password to customize the user experience.

In order to provide the convenience of pre-filling forms, information such as the personal, business and shipping addresses is also usually needed.

Business applications typically need role information that is more fine-grained than the roles stored in the directory.

These roles are used to customize access and provide the right features, to enhance the user experience and ensure that the right users have access to the features they need to do their work efficiently.

Querying a repository each time this information is needed can be cumbersome, especially when that directory is not local to the system.

The other option is to store specific user information within the application's native repository.

The problem with that is that this information is typically duplicated and distributed across the various places where it is needed.

Managing this distributed system can be quite a challenge.

Claims Based Identity Model

Claims-based security is based on the concept that the identity of a person can be represented by a set of claims about that person.

A claim is a bit of information that describes the person in a way that is digitally useful.

Claims typically contain the usual user name or email, but they can include much more information such as roles, phone numbers, zip codes, addresses, anything that is typically used by applications to customize the user experience.

An authenticating system creates a security token containing those claims, and applications can customize their behaviour using the content of those claims.

Such a system is especially beneficial in a federated environment: the federated system can construct the claims token within the local network and make that information available to a system external to that network.

There are several token standards such as the Simple Web Token (SWT) or the XML-based Security Assertion Markup Language (SAML), and there is currently a proposal to create a standard JSON-formatted security token called the JSON Web Token (JWT).

There were several drivers for creating these standards: cookies were proving insufficient to contain all of this information due to their size limitations.

Federation requires a standard way to communicate security information across network boundaries, and Web Services need a common security language to communicate between the communicating parties.

So who issues these tokens?

There are many systems that issue these tokens; they range from the Kerberos-driven domain controllers in your Windows network to the Facebook token that is generated when you log in to Facebook.

Google, Yahoo and Microsoft Live all generate claims-based security tokens.

These tokens are digitally signed by the issuing authority, and it is up to the application to determine whether it trusts the issuer.

The System

The systems that issue these tokens are called security token services (STS); they build the token, sign it and then return it to the calling application.

These systems follow these steps to generate the token:

  1. In this step, the user interacts with an application.
  2. The application requests a claims-based token from the STS.
  3. The STS authenticates the user and queries the directory for claims relating to the user.
  4. The STS builds the token and returns it to the application; the application uses the claims to authorize the user.

The application can be configured to accept tokens from various trusted issuers. If the application trusts the issuer, it can assume that the claims contained in the token are correct and authorize the user's level of access. The benefit of this is that the responsibility for authenticating and assembling user information is removed from the application. The user information is centralized and easier to manage. This does assume that an administrator or administrative system has configured the STS with the claims the application will need. This is not an extra step in the system, because this would have had to be done anyway; the difference is the place where it is done. The information is centralized and, in a complex system, easy to manage.
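As an added illustration of steps 2 to 4 and the trust decision above (example code written for this page, not part of the original article and not WIF), here is a minimal STS that issues a signed claims token and a relying application that checks the issuer against its trust list, verifies the signature, checks expiry and then authorizes on a role claim. The issuer URI, shared secret and claim values are constructed, and the token is a simplified HMAC-signed JSON payload rather than SAML.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust configuration: the relying application accepts tokens
# from exactly one STS, identified by issuer URI and a shared signing secret.
TRUSTED_ISSUERS = {"https://sts.example.test": b"constructed-shared-secret"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, claims, now, ttl=300):
    """STS side (steps 3 and 4): assemble the claims, sign them, return the token."""
    payload = {"iss": issuer, "sub": subject, "exp": now + ttl, **claims}
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def validate_token(token, trusted_issuers, now):
    """Application side: trust decision, signature, expiry, then the claims."""
    body, _, sig = token.rpartition(".")
    payload = json.loads(_b64url_decode(body))
    # The "iss" claim is read before the signature is checked only to pick the
    # key; a forged issuer value either is not in the trust list or fails the
    # signature check below, so it cannot smuggle claims through.
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def authorize(claims, required_role):
    """Authorization is a decision on the validated claims, not a lookup."""
    return required_role in claims.get("roles", [])
```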

By organizing the system in this way, the STS becomes an expert system that knows everything about users, knows how to secure the user information and knows how to secure the transmission of that information.

Implementing all of this is a set of .NET libraries called Windows Identity Foundation (WIF); these libraries make it easy to integrate an STS into your application. With WIF, you will be able to receive a claims-based token, verify the signature and read the claims it contains. WIF supports tokens created using the SAML 1.1 or SAML 2.0 formats. ADFS 2.0 and ACS are able to issue tokens in those formats, and WIF can work with those issuers as well as other STSs as long as they produce tokens using SAML version 1.1 and higher.

STSs communicate using WS-* standards; policy is retrieved using HTTP GET. The claims token is written using the SAML standard mentioned above, and all of that together provides an interoperable way for STSs to communicate with each other. This is especially useful in a federated system, where STSs in different environments and on different platforms can communicate with each other.

In the next few blogs, I'll show example solutions implementing WIF in a federated environment as well as using WIF to integrate with Windows Live and Facebook.