Re: Using Fediz as SAML 2.0 IdP or OpenID Connect Provider for tests
Hi Colm,
it works like a charm now, thanks!
Regards.

On 02/05/2018 17:10, Colm O hEigeartaigh wrote:
> Hi Francesco,
>
> I fixed this in Fediz. Could you rebuild 1.4.4-SNAPSHOT (and also CXF 3.1.x-SNAPSHOT) and try again with it?
>
> Colm.
>
> On Mon, Apr 30, 2018 at 1:00 PM, Francesco Chicchiriccò wrote:
>> Hi Colm,
>> thanks for your answer.
>>
>> Currently, I am quite stuck into the following.
>>
>> I have configured CAS 5.2.4 as SP, and Fediz 1.4.3 as IdP according to your instructions from the post below.
>>
>> The problem seems to be that CAS (via Pac4J) generates an AuthnRequest as follows:
>>
>> https://localhost:8443/fediz-ip/saml?SAMLRequest=fVJdb5swFH3fr0B%2BrQgOYVNqBSLaKlqlbosaWk19qRxzCW7BBl%2FD2vz6GUi19mF9tHXPuefjrtYvdeX1YFBqFZP5jBIPlNC5VIeY3GUbf0nWyZcV8roKG5Z2tlS30HaA1ksRwViHu9QKuxrMDkwvBdzd3sSktLZBFgSVFrwqNVq2jKJFIDi6r4NUa1FJUPZR8RritOGihLPL35uzDeTySLzUWiP3nYWJ26k5kV%2BrHF5i4mReOQ1ScTsK%2F8%2B6YmDzZd4EgwHibbQRMJqIScErBOJdX8XksaP41P8RQI%2BF%2BWqr47HteVmU%2B0OPvLfPr%2Fy5bUVbuGncckTZwz88YudUoeXKxiSk86VPI39BszllEWXhYvbtfPlAvK3RVgtdXUg1hdsZxTRHiWzIAJkVbJf%2BuGHhjLL9NITse5Zt%2Fe2vXTYS9DIH83NIjLjEoid%2FcnX%2FVl841OcKVcimwj7f0pwkkWTql41ezHuGzwn42wWQZBiruYARxkZ1M20Oq%2BA9c3J6fjyk5C8%3D=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DApache%2BCXF%2BFediz=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256=hs%2BIpn0wqNKaAR2qCpqbdDSVMMiuB998iRI3teAx7b68WRwcrGynHy8CVCWqX70jXcrYd7VuiMz2I1TPPIm23%2BfyYXpWM5XjUTVYB%2BV4SJLssodBdtIh0U9GCmVQ6FBNlIjgiI4E%2FvaPZyjAAT246cP%2FB8nrLUxv7bt3EtwmCwRT%2BrbWiTOK08u0S%2Fuh9frZnjy%2FFqoGEn4GoMacVjMnPomqZaU2xgcLvlRQy%2BKd2BXftLC6QGU7nKozRXJNRsyGexRhUxeedtttUWeHV8PKgib3UCzAbXKHWP%2By94pzBdyDT0BrE46bxOLX8QoZOZsNbsLLEgdmMu%2BAnf4QEFcfMg%3D%3D
>>
>> where, as you can see, the request itself is not signed, but the signature is provided as query parameter, with SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>>
>> Now, I see that this causes an error in
>>
>> https://github.com/apache/cxf-fediz/blob/fediz-1.4.3/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java#L263
>>
>> as, just a few lines above, SignAlg is statically set to http://www.w3.org/2000/09/xmldsig#rsa-sha1
>>
>> Since I am building such a setup only for running integration tests, I could anyway skip signature validation, but I cannot find an obvious way to configure AuthnRequestParser#setRequireSignature
>>
>> Am I missing something?
>>
>> Regards.
>>
>> On 27/04/2018 18:45, Colm O hEigeartaigh wrote:
>>> Hi Francesco,
>>>
>>> It's not (currently) possible to register a service provider in Fediz using metadata. You have to do it manually by editing the config files instead, e.g. 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. See here for how to do it (interop demo with Syncope):
>>>
>>> http://coheigea.blogspot.ie/2017/12/saml-sso-support-for-apache-syncope-web.html
>>>
>>> For OIDC there's a test-case here:
>>>
>>> http://coheigea.blogspot.ie/2016/08/openid-connect-in-apache-cxf-fediz-130.html
>>>
>>> The instructions are probably not very clear though... I should write a blog post explaining how to set it up from scratch.
>>>
>>> Colm.
>>>
>>> On Fri, Apr 27, 2018 at 1:39 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>> Hi there,
>>>> are there instructions around to run
>>>>
>>>>     org.apache.cxf.fediz
>>>>     fediz-idp
>>>>     1.4.3
>>>>     war
>>>>
>>>> as standalone "general purpose" SAML 2.0 IdP? I am able to run it ("https://localhost:8443/fediz-idp/metadata" responds fine), but I would like to register my own SAML 2.0 Service Provider's metadata: is that possible?
>>>>
>>>> Same question for
>>>>
>>>>     org.apache.cxf.fediz
>>>>     fediz-oidc
>>>>     1.4.3
>>>>     war
>>>>
>>>> where I would like to add my own OpenID Connect Client.
>>>>
>>>> TIA
>>>> Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Using Fediz as SAML 2.0 IdP or OpenID Connect Provider for tests
Hi Francesco,

I fixed this in Fediz. Could you rebuild 1.4.4-SNAPSHOT (and also CXF 3.1.x-SNAPSHOT) and try again with it?

Colm.

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Using Fediz as SAML 2.0 IdP or OpenID Connect Provider for tests
Hi Colm,
thanks for your answer.

Currently, I am quite stuck into the following.

I have configured CAS 5.2.4 as SP, and Fediz 1.4.3 as IdP according to your instructions from the post below.

The problem seems to be that CAS (via Pac4J) generates an AuthnRequest as follows:

https://localhost:8443/fediz-ip/saml?SAMLRequest=fVJdb5swFH3fr0B%2BrQgOYVNqBSLaKlqlbosaWk19qRxzCW7BBl%2FD2vz6GUi19mF9tHXPuefjrtYvdeX1YFBqFZP5jBIPlNC5VIeY3GUbf0nWyZcV8roKG5Z2tlS30HaA1ksRwViHu9QKuxrMDkwvBdzd3sSktLZBFgSVFrwqNVq2jKJFIDi6r4NUa1FJUPZR8RritOGihLPL35uzDeTySLzUWiP3nYWJ26k5kV%2BrHF5i4mReOQ1ScTsK%2F8%2B6YmDzZd4EgwHibbQRMJqIScErBOJdX8XksaP41P8RQI%2BF%2BWqr47HteVmU%2B0OPvLfPr%2Fy5bUVbuGncckTZwz88YudUoeXKxiSk86VPI39BszllEWXhYvbtfPlAvK3RVgtdXUg1hdsZxTRHiWzIAJkVbJf%2BuGHhjLL9NITse5Zt%2Fe2vXTYS9DIH83NIjLjEoid%2FcnX%2FVl841OcKVcimwj7f0pwkkWTql41ezHuGzwn42wWQZBiruYARxkZ1M20Oq%2BA9c3J6fjyk5C8%3D=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DApache%2BCXF%2BFediz=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256=hs%2BIpn0wqNKaAR2qCpqbdDSVMMiuB998iRI3teAx7b68WRwcrGynHy8CVCWqX70jXcrYd7VuiMz2I1TPPIm23%2BfyYXpWM5XjUTVYB%2BV4SJLssodBdtIh0U9GCmVQ6FBNlIjgiI4E%2FvaPZyjAAT246cP%2FB8nrLUxv7bt3EtwmCwRT%2BrbWiTOK08u0S%2Fuh9frZnjy%2FFqoGEn4GoMacVjMnPomqZaU2xgcLvlRQy%2BKd2BXftLC6QGU7nKozRXJNRsyGexRhUxeedtttUWeHV8PKgib3UCzAbXKHWP%2By94pzBdyDT0BrE46bxOLX8QoZOZsNbsLLEgdmMu%2BAnf4QEFcfMg%3D%3D

where, as you can see, the request itself is not signed, but the signature is provided as query parameter, with SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Now, I see that this causes an error in

https://github.com/apache/cxf-fediz/blob/fediz-1.4.3/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java#L263

as, just a few lines above, SignAlg is statically set to http://www.w3.org/2000/09/xmldsig#rsa-sha1

Since I am building such a setup only for running integration tests, I could anyway skip signature validation, but I cannot find an obvious way to configure AuthnRequestParser#setRequireSignature

Am I missing something?

Regards.
Re: Using Fediz as SAML 2.0 IdP or OpenID Connect Provider for tests
Hi Francesco,

It's not (currently) possible to register a service provider in Fediz using metadata. You have to do it manually by editing the config files instead, e.g. 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. See here for how to do it (interop demo with Syncope):

http://coheigea.blogspot.ie/2017/12/saml-sso-support-for-apache-syncope-web.html

For OIDC there's a test-case here:

http://coheigea.blogspot.ie/2016/08/openid-connect-in-apache-cxf-fediz-130.html

The instructions are probably not very clear though... I should write a blog post explaining how to set it up from scratch.

Colm.