Repository: cxf-fediz Updated Branches: refs/heads/master 0006581e9 -> 374b33fa8
Adding some system tests for audience restriction Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/374b33fa Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/374b33fa Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/374b33fa Branch: refs/heads/master Commit: 374b33fa80070018e67f40db99e03a32c1cbaab9 Parents: 0006581 Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Jun 10 13:41:23 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Jun 10 13:41:23 2016 +0100 ---------------------------------------------------------------------- .../AudienceRestrictionTest.java | 210 +++++++++++++++++++ .../test/resources/fediz_config_aud_restr.xml | 61 ++++++ .../AudienceRestrictionTest.java | 210 +++++++++++++++++++ .../test/resources/fediz_config_aud_restr.xml | 61 ++++++ 4 files changed, 542 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/374b33fa/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java ---------------------------------------------------------------------- diff --git a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java new file mode 100644 index 0000000..d9822cb --- /dev/null +++ b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java 
@@ -0,0 +1,210 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; + +import javax.servlet.ServletException; + +import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.html.HtmlForm; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput; + +import org.apache.catalina.Context; +import org.apache.catalina.LifecycleException; +import org.apache.catalina.LifecycleState; +import org.apache.catalina.connector.Connector; +import org.apache.catalina.startup.Tomcat; +import org.apache.commons.io.IOUtils; +import org.apache.cxf.fediz.tomcat7.FederationAuthenticator; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.UsernamePasswordCredentials; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * A test to make sure that audience restriction validation is working correctly in the plugin. 
+ */ +public class AudienceRestrictionTest { + + static String idpHttpsPort; + static String rpHttpsPort; + + private static Tomcat idpServer; + private static Tomcat rpServer; + + @BeforeClass + public static void init() throws Exception { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + idpServer = startServer(true, idpHttpsPort); + rpServer = startServer(false, rpHttpsPort); + } + + private static Tomcat startServer(boolean idp, String port) + throws ServletException, LifecycleException, IOException { + Tomcat server = new Tomcat(); + server.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + String baseDir = currentDir + File.separator + "target"; + server.setBaseDir(baseDir); + + if (idp) { + server.getHost().setAppBase("tomcat/idp/webapps"); + } else { + server.getHost().setAppBase("tomcat/rp/webapps"); + } + server.getHost().setAutoDeploy(true); + server.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + 
httpsConnector.setPort(Integer.parseInt(port)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + // httpsConnector.setAttribute("clientAuth", "false"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + server.getService().addConnector(httpsConnector); + + if (idp) { + File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts"); + server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath()); + + File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp"); + server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath()); + } else { + File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp"); + Context cxt = server.addWebapp("/fedizhelloworld", rpWebapp.getAbsolutePath()); + + // Substitute the IDP port. 
Necessary if running the test in eclipse where port filtering doesn't seem + // to work + File f = new File(currentDir + "/src/test/resources/fediz_config_aud_restr.xml"); + FileInputStream inputStream = new FileInputStream(f); + String content = IOUtils.toString(inputStream, "UTF-8"); + inputStream.close(); + if (content.contains("idp.https.port")) { + content = content.replaceAll("\\$\\{idp.https.port\\}", "" + idpHttpsPort); + + File f2 = new File(baseDir + "/test-classes/fediz_config_aud_restr.xml"); + try (FileOutputStream outputStream = new FileOutputStream(f2)) { + IOUtils.write(content, outputStream, "UTF-8"); + } + } + + FederationAuthenticator fa = new FederationAuthenticator(); + fa.setConfigFile(currentDir + File.separator + "target" + File.separator + + "test-classes" + File.separator + "fediz_config_aud_restr.xml"); + cxt.getPipeline().addValve(fa); + } + + server.start(); + + return server; + } + + @AfterClass + public static void cleanup() { + shutdownServer(idpServer); + shutdownServer(rpServer); + } + + private static void shutdownServer(Tomcat server) { + try { + if (server != null && server.getServer() != null + && server.getServer().getState() != LifecycleState.DESTROYED) { + if (server.getServer().getState() != LifecycleState.STOPPED) { + server.stop(); + } + server.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + public String getRpHttpsPort() { + return rpHttpsPort; + } + + public String getServletContextName() { + return "fedizhelloworld"; + } + + @org.junit.Test + public void testSAMLTokenWithNonMatchingAudienceRestriction() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet"; + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new 
AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = webClient.getPage(url); + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + final HtmlForm form = idpPage.getFormByName("signinresponseform"); + final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); + + try { + button.click(); + Assert.fail("Failure expected on a bad audience restriction value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 401); + } + + webClient.close(); + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/374b33fa/systests/tomcat7/src/test/resources/fediz_config_aud_restr.xml ---------------------------------------------------------------------- diff --git a/systests/tomcat7/src/test/resources/fediz_config_aud_restr.xml b/systests/tomcat7/src/test/resources/fediz_config_aud_restr.xml new file mode 100644 index 0000000..8a663bf --- /dev/null +++ b/systests/tomcat7/src/test/resources/fediz_config_aud_restr.xml 
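Review bot: The resource copy in startServer reads fediz_config_aud_restr.xml through a bare `FileInputStream` that is closed only on the happy path, so an exception from `IOUtils.toString` leaks the handle, while the write a few lines later already uses try-with-resources; use the same form for the read: `String content; try (FileInputStream inputStream = new FileInputStream(f)) { content = IOUtils.toString(inputStream, "UTF-8"); }`. In testSAMLTokenWithNonMatchingAudienceRestriction the `Assert.assertEquals(ex.getStatusCode(), 401)` has expected and actual swapped, so a failure message reads backwards, and `webClient.close()` is skipped whenever an assertion before it fails; `Assert.assertEquals(401, ex.getStatusCode());` plus a finally (or try-with-resources) around the client fixes both. A one-line comment on the test method stating that the fixture's audienceItem deliberately differs from the realm, so the RP is expected to reject the token with 401, would make the expected failure self-explanatory. The tomcat8 copy of this file (the third hunk) has the same three issues.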
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/fedizhelloworld">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld2</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/374b33fa/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java ----------------------------------------------------------------------
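Review bot: The `audienceItem` value `urn:org:apache:cxf:fediz:fedizhelloworld2` is deliberately different from the `realm` `urn:org:apache:cxf:fediz:fedizhelloworld` further down, which is the entire reason this fixture exists, but nothing in the file says so and a later reader may well "correct" it and silently turn the negative test into a positive one; add `<!-- Deliberately does NOT match the realm below: this fixture verifies that a token whose audience is not listed in audienceUris is rejected. -->` above the element. The leading comment about re-using the Tomcat SSL keystore (tomcat-rp.jks) looks copied from the sample config and does not describe this file, which references test-classes/clienttrust.jks and test-classes/server.jks; it should be trimmed or corrected so the trust relationship being tested is stated accurately. The identical tomcat8 copy of this resource (the last hunk) needs the same two changes.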
diff --git a/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java b/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java new file mode 100644 index 0000000..673b868 --- /dev/null +++ b/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/AudienceRestrictionTest.java 
@@ -0,0 +1,210 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; + +import javax.servlet.ServletException; + +import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.html.HtmlForm; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput; + +import org.apache.catalina.Context; +import org.apache.catalina.LifecycleException; +import org.apache.catalina.LifecycleState; +import org.apache.catalina.connector.Connector; +import org.apache.catalina.startup.Tomcat; +import org.apache.commons.io.IOUtils; +import org.apache.cxf.fediz.tomcat8.FederationAuthenticator; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.UsernamePasswordCredentials; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * A test to make sure that audience restriction validation is working correctly in the plugin. 
+ */ +public class AudienceRestrictionTest { + + static String idpHttpsPort; + static String rpHttpsPort; + + private static Tomcat idpServer; + private static Tomcat rpServer; + + @BeforeClass + public static void init() throws Exception { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + idpServer = startServer(true, idpHttpsPort); + rpServer = startServer(false, rpHttpsPort); + } + + private static Tomcat startServer(boolean idp, String port) + throws ServletException, LifecycleException, IOException { + Tomcat server = new Tomcat(); + server.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + String baseDir = currentDir + File.separator + "target"; + server.setBaseDir(baseDir); + + if (idp) { + server.getHost().setAppBase("tomcat/idp/webapps"); + } else { + server.getHost().setAppBase("tomcat/rp/webapps"); + } + server.getHost().setAutoDeploy(true); + server.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + 
httpsConnector.setPort(Integer.parseInt(port)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + // httpsConnector.setAttribute("clientAuth", "false"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + server.getService().addConnector(httpsConnector); + + if (idp) { + File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts"); + server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath()); + + File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp"); + server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath()); + } else { + File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp"); + Context cxt = server.addWebapp("/fedizhelloworld", rpWebapp.getAbsolutePath()); + + // Substitute the IDP port. 
Necessary if running the test in eclipse where port filtering doesn't seem + // to work + File f = new File(currentDir + "/src/test/resources/fediz_config_aud_restr.xml"); + FileInputStream inputStream = new FileInputStream(f); + String content = IOUtils.toString(inputStream, "UTF-8"); + inputStream.close(); + if (content.contains("idp.https.port")) { + content = content.replaceAll("\\$\\{idp.https.port\\}", "" + idpHttpsPort); + + File f2 = new File(baseDir + "/test-classes/fediz_config_aud_restr.xml"); + try (FileOutputStream outputStream = new FileOutputStream(f2)) { + IOUtils.write(content, outputStream, "UTF-8"); + } + } + + FederationAuthenticator fa = new FederationAuthenticator(); + fa.setConfigFile(currentDir + File.separator + "target" + File.separator + + "test-classes" + File.separator + "fediz_config_aud_restr.xml"); + cxt.getPipeline().addValve(fa); + } + + server.start(); + + return server; + } + + @AfterClass + public static void cleanup() { + shutdownServer(idpServer); + shutdownServer(rpServer); + } + + private static void shutdownServer(Tomcat server) { + try { + if (server != null && server.getServer() != null + && server.getServer().getState() != LifecycleState.DESTROYED) { + if (server.getServer().getState() != LifecycleState.STOPPED) { + server.stop(); + } + server.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + public String getRpHttpsPort() { + return rpHttpsPort; + } + + public String getServletContextName() { + return "fedizhelloworld"; + } + + @org.junit.Test + public void testSAMLTokenWithNonMatchingAudienceRestriction() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet"; + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new 
AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = webClient.getPage(url); + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + final HtmlForm form = idpPage.getFormByName("signinresponseform"); + final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); + + try { + button.click(); + Assert.fail("Failure expected on a bad audience restriction value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 401); + } + + webClient.close(); + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/374b33fa/systests/tomcat8/src/test/resources/fediz_config_aud_restr.xml ---------------------------------------------------------------------- diff --git a/systests/tomcat8/src/test/resources/fediz_config_aud_restr.xml b/systests/tomcat8/src/test/resources/fediz_config_aud_restr.xml new file mode 100644 index 0000000..8a663bf --- /dev/null +++ b/systests/tomcat8/src/test/resources/fediz_config_aud_restr.xml 
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file.
+ Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL
+ keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead.
+-->
+<FedizConfig>
+ <contextConfig name="/fedizhelloworld">
+ <audienceUris>
+ <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld2</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="test-classes/clienttrust.jks"
+ password="storepass" type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <maximumClockSkew>1000</maximumClockSkew>
+ <signingKey keyAlias="mytomidpkey" keyPassword="tompass">
+ <keyStore file="test-classes/server.jks" password="tompass" type="JKS" />
+ </signingKey>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.0.0">
+ <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm>
+ <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer>
+ <roleDelimiter>,</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <freshness>10</freshness>
+ <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm>
+ <claimTypesRequested>
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
+ <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ <logoutURL>/secure/logout</logoutURL>
+ <logoutRedirectTo>/index.html</logoutRedirectTo>
+ </contextConfig>
+</FedizConfig>
+
