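SAML Single Sign-On Integration
HAProxy can act as the front-end proxy for a SAML Service Provider (SP).
SAML authentication flow
User → HAProxy (SP) → IdP → HAProxy → backend application
Forwarding user information via headers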
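```haproxy
backend app_backend
    # Pass the authenticated user's identity to the application in X-Auth-* headers.
    # Each rule re-sets a header to the value already present on the request, so the
    # values must come from the SAML authentication layer, never from the client.
    http-request set-header X-Auth-User %[req.hdr(X-Auth-User)]
    http-request set-header X-Auth-Email %[req.hdr(X-Auth-Email)]
    http-request set-header X-Auth-Groups %[req.hdr(X-Auth-Groups)]
```
Multi-IdP configuration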
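```haproxy
    # Case-insensitive prefix match on the request's Host header, one ACL per IdP
    acl is_google_auth hdr(host) -i -m beg accounts.google.com
    acl is_azure_auth hdr(host) -i -m beg login.microsoftonline.com
    # Redirect matching requests to that IdP's endpoint (URLs are elided in the original)
    http-request redirect location https://accounts.google.com/o/saml2?... if is_google_auth
    http-request redirect location https://login.microsoftonline.com/... if is_azure_auth
```
Keycloak integration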
Create a Client in Keycloak and set its Redirect URI to https://yourdomain.com/saml/callback
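
The `app_backend` header-forwarding rules earlier on this page copy each `X-Auth-*` header from the incoming request, so the application trusts whatever value arrives. The following is an added example, not configuration from the original page, showing a hardened variant that strips client-supplied copies and fails closed. It assumes the SAML validation component stores the verified identity in the transaction variables `txn.auth_user`, `txn.auth_email` and `txn.auth_groups`; those variable names, the frontend name, the certificate path and the server address are all hypothetical.

```haproxy
frontend fe_main
    # Constructed certificate path, adjust to the deployment
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Remove identity headers supplied by the client before anything else
    # runs, so a request can never carry a self-asserted identity
    http-request del-header X-Auth-User
    http-request del-header X-Auth-Email
    http-request del-header X-Auth-Groups

    # The SAML validation step (not shown on the page) is assumed to run
    # here and to set txn.auth_user / txn.auth_email / txn.auth_groups
    # only after the IdP assertion has been verified

    default_backend app_backend

backend app_backend
    # Fail closed: no verified identity means no access to the application
    http-request deny deny_status 401 unless { var(txn.auth_user) -m found }

    # Build the headers from proxy-side state rather than from request input
    http-request set-header X-Auth-User   %[var(txn.auth_user)]
    http-request set-header X-Auth-Email  %[var(txn.auth_email)]
    http-request set-header X-Auth-Groups %[var(txn.auth_groups)]

    # Constructed backend address; the application should accept traffic
    # only from HAProxy so the headers cannot be injected around the proxy
    server app1 127.0.0.1:8080
```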