Hi Dan

I do have a very similar scenario. Just to double check: there are two security domains/realms in this use case. Does a person have an identity in both security domains, which means that when the STS issues TOKEN_B it must first map the identity (see STS IdentityMapper) and then retrieve the claims for this identity? Or does the person have an identity in one security domain only and you map, for instance, the roles of TOKEN_A to the required claims (claims transformation)?

Unfortunately, this set up is not yet fully implemented. The CXF STS already supports mapping identities and writing a custom claims handler, or using the LdapClaimsHandler as described here: http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html

Maybe the following blog might be of interest to you too: http://coheigea.blogspot.com/2011/11/apache-cxf-sts-documentation-part-x.html

Claims transformation is not yet supported in the CXF STS but is already raised here: https://issues.apache.org/jira/browse/CXF-3882

A CXF client doesn't yet send a request to more than one STS. I've raised this here: https://issues.apache.org/jira/browse/CXF-3520

The idea is that the WS-SecurityPolicy definition of the service provider defines in the IssuedToken policy where its trusted STS (security domain B) is deployed. The CXF client has also configured the STSClient bean which defines the location of its STS (security domain A). If the STS URLs differ (when calling service B), the CXF client should first go to STS A and get TOKEN_A, and then send this token to STS B to get TOKEN_B, which is sent to the service. Does that make sense to you?

I've also raised an enhancement to parse the claims information in the SAML token and add it to a ClaimsSecurityContext here: https://issues.apache.org/jira/browse/CXF-3522

Of course, you can access the SAML token also directly in your code.

Thanks
Oli

------
Oliver Wulff
http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division
http://www.talend.com

________________________________________
From: DTaylor [[email protected]]
Sent: Wednesday, 18 January 2012 17:53
To: [email protected]
Subject: Multiple STS Authentication and Authorization

Good day,

I've run into a situation where we are using CXF, but the client at this point wants to have a multiple STS setup as follows:

STS A: Takes a username and login, returns a SAML 1.1 token (TOKEN_A) with a basic set of claims (username, role, given name).
STS B: Takes TOKEN_A, and creates a new SAML 1.1 token (TOKEN_B) from it (perhaps my phrasing here is incorrect, my apologies, I'm going directly from the req's doc) with additional claims added (custom_claim1, custom_claim2, custom_claim3).

Service A (SA) takes TOKEN_A as credentials, while Service B (SB) takes TOKEN_B as credentials. From our client, we want to make a series of calls to both SA and SB.

My questions are:
1) Is CXF capable of this in general?
2) Is CXF able to handle this case using the WSDL 2 Java generated classes and code across the two services and two STSs?
3) For custom / manual security code, if I've retrieved a security token, TOKEN_A, using one STSClient instance, do I retrieve TOKEN_B utilizing a new STSClient instance and the method: requestSecurityToken(String appliesTo, String action, String requestType, SecurityToken target)?

Thanks,
Dan.

--
View this message in context: http://cxf.547215.n5.nabble.com/Multiple-STS-Authentication-and-Authorization-tp5155338p5155338.html
Sent from the cxf-user mailing list archive at Nabble.com.
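As an added illustration of the two-hop flow Oli outlines (client to STS A for TOKEN_A, then TOKEN_A to STS B for TOKEN_B) using two STSClient instances; this is example code written for this thread, not code from the thread or from the CXF project. The STS WSDL locations, port names, keystore property files, the callback handler class and the certificate alias are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;

public class TwoHopTokenRequest {
    // WS-Trust 1.3 namespace for the STS QNames; the STS WSDL locations are hypothetical.
    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
    private static final String STS_A_WSDL = "https://sts-a.example.com/sts?wsdl";
    private static final String STS_B_WSDL = "https://sts-b.example.com/sts?wsdl";
    // Crypto settings both STSClients need; file names and the callback class are assumptions.
    private static Map<String, Object> baseProperties() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(SecurityConstants.CALLBACK_HANDLER, "com.example.ClientCallbackHandler");
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.ENCRYPT_USERNAME, "stsalias"); // alias of the STS certificate
        return props;
    }
    // Hop 1: authenticate to STS A (security domain A) with a username and obtain TOKEN_A.
    static SecurityToken requestTokenA(Bus bus, String user, String serviceA) throws Exception {
        STSClient stsA = new STSClient(bus);
        stsA.setWsdlLocation(STS_A_WSDL);
        stsA.setServiceName("{" + WST_NS + "}SecurityTokenService");
        stsA.setEndpointName("{" + WST_NS + "}UT_Port"); // UsernameToken port (assumed name)
        Map<String, Object> props = baseProperties();
        props.put(SecurityConstants.USERNAME, user);
        stsA.setProperties(props);
        return stsA.requestSecurityToken(serviceA); // wsp:AppliesTo = Service A
    }
    // Hop 2: present TOKEN_A to STS B (security domain B) in wst:OnBehalfOf and obtain TOKEN_B.
    static SecurityToken requestTokenB(Bus bus, SecurityToken tokenA, String serviceB) throws Exception {
        STSClient stsB = new STSClient(bus);
        stsB.setWsdlLocation(STS_B_WSDL);
        stsB.setServiceName("{" + WST_NS + "}SecurityTokenService");
        stsB.setEndpointName("{" + WST_NS + "}Transport_Port"); // TLS port (assumed name)
        stsB.setProperties(baseProperties());
        // STS B validates the SAML assertion against its trust store, maps the identity or
        // adds claims, and issues TOKEN_B. setActAs(...) is the WS-Trust 1.4 alternative.
        stsB.setOnBehalfOf(tokenA.getToken());
        return stsB.requestSecurityToken(serviceB); // wsp:AppliesTo = Service B
    }
    // Hand TOKEN_B to the Service B proxy so its IssuedToken policy uses it instead of an STS call.
    static void useToken(Object port, SecurityToken token) {
        ((BindingProvider) port).getRequestContext().put(SecurityConstants.TOKEN, token);
    }
}
```

TOKEN_A is carried in wst:OnBehalfOf via setOnBehalfOf rather than through the four-argument requestSecurityToken overload; STS B only accepts it if the certificate that signed TOKEN_A is in STS B's trust store, which is the cross-domain trust this setup relies on.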
