Hi Oliver,

I did notice that your sample application used both the opensaml and openws
libraries. Are they used by Apache CXF or just by the Fediz project?

I need to clarify my environment further to give you better picture.

1. All web services in my application are REST. The only reason that I use
SOAP is to create a SOAP client to call a .NET SOAP web service which resides
in another application. I am working with a .NET guy to prove some
prototypes. His sample application is BookingService, for which I provided you
the wsdl. I am working on Airline.

BookingService: .NET4.0 SOAP
Airline: Java with REST

2. Both BookingService and Airline use the same ADFS as STS. We have set up
relying parties for BookingService and Airline in ADFS.

3. SSO: A user will be using both Airline and BookingService. So, she/he
should be able to log on once for both applications. In Airline (my
application), I used SP-initiated POST redirect bindings. So, when a user
makes a request to Airline for the first time, the user will be redirected to
ADFS and asked for credentials. After the user provides username/password, ADFS
generates a SAML token and this SAML token is sent back to Airline (Airline does
all validation work) and cached in the session. - This part is implemented.

4. Now a user calls BookingService, which is claims aware. So, I need to
inject the Assertion token obtained in the previous step inside the actas element to call
the STS (ADFS 2.0) to get a new token. With that new token, I will be calling
BookingService.

So, I don't think that I am able to use the Apache CXF STS part since my STS
will be ADFS. So, I am hoping that Apache CXF can work with ADFS (STS) to
support my prototypes.


Thanks.

Gina
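
An added example, not code from this thread or from the Fediz sample, showing one way to wire step 4 with the CXF STSClient API: the assertion cached at web-SSO time is checked for expiry and then set as the ActAs token before the BookingService port is called. It assumes the application stores the validated assertion as a DOM Element under a hypothetical session attribute name, and the STS WSDL, service and port names are placeholders supplied by the caller.

```java
import java.time.Instant;
import javax.servlet.http.HttpSession;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class ActAsStsClientFactory {
    // Session attribute under which Airline caches the validated web-SSO assertion (assumed name)
    public static final String SSO_ASSERTION_ATTR = "sso.saml.assertion";
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // True when the assertion carries a Conditions/@NotOnOrAfter that has already passed.
    // A stale cached token is rejected here rather than forwarded to the STS inside wst:ActAs.
    public static boolean isExpired(Element assertion, Instant now) {
        NodeList conds = assertion.getElementsByTagNameNS(SAML2_NS, "Conditions");
        if (conds.getLength() == 0) {
            return false; // no validity window stated
        }
        String notOnOrAfter = ((Element) conds.item(0)).getAttribute("NotOnOrAfter");
        return !notOnOrAfter.isEmpty() && !now.isBefore(Instant.parse(notOnOrAfter));
    }

    // Builds an STSClient whose RequestSecurityToken carries the cached assertion as ActAs.
    // stsWsdl, serviceName and endpointName are the STS (ADFS) WSDL location and QNames (placeholders).
    public static STSClient create(Bus bus, HttpSession session,
                                   String stsWsdl, String serviceName, String endpointName) {
        Element assertion = (Element) session.getAttribute(SSO_ASSERTION_ATTR);
        if (assertion == null || isExpired(assertion, Instant.now())) {
            throw new IllegalStateException("no valid web-SSO assertion in session; re-authenticate at the IDP");
        }
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation(stsWsdl);
        sts.setServiceName(serviceName);   // "{namespace}local" form, e.g. {...}SecurityTokenService
        sts.setEndpointName(endpointName);
        sts.setActAs(assertion);           // use setOnBehalfOf(assertion) for OnBehalfOf instead
        return sts;
    }

    // Attaches the STSClient to a JAX-WS proxy (such as the generated BookingService port),
    // so CXF requests the new token from the STS before the first call to the .NET service.
    public static void attach(Object port, STSClient sts) {
        ((BindingProvider) port).getRequestContext().put(SecurityConstants.STS_CLIENT, sts);
    }
}
```

The Fediz sample does the same wiring declaratively in beans.xml; this version makes the expiry check and the ActAs injection explicit in code.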






On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <[email protected]> wrote:

> Hi Gina
>
> >>>
> So, what I need is after user log on using Web SSO, the SAML token should
> be cached in web context and being used as actas token when making a call
> to .NET web service.
> >>>
> This is supported by CXF without writing a single line of code. I do
> have a sample web application here:
>
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/
>
> This example illustrates:
> - fediz is configured for web sso
> - SAML token is cached in the session and used to request a new token from
> the STS
>
> The code to call the web service is in FederationServlet.doPost():
> ...
> Greeter service =
> (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
> String reply = service.greetMe();
> ...
>
> The magic is in the configuration I used here:
>
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup
>
> The following property registers a callback handler to provide the
> STSClient the token of the Web Login:
> <property name="onBehalfOf" ref="delegationCallbackHandler" />
>
> (There is also a property for actAs)
>
> The above example should exactly do what you need. You just have to change
> the above property to use ActAs instead of OnBehalfOf. The details for this
> example are described here:
>
> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>
>
> To test this easily, you can use the Mock IDP as part of Fediz for the
> authentication. You could also attach Active Directory in the Mock if you
> like. See here:
>
> http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
>
> I use that within a customer set up to connect the CXF STS to Active
> Directory.
>
> >>>
> What is Spring role in CXF?
> >>>
> You can use Spring to configure your services. The above example is based
> on Spring. As you see, all security related stuff is enabled by
> configuration (Convention of Configuration). You can also write an
> application without Spring, but I wouldn't write an application without
> Spring nowadays; this is up to you.
>
> >>>
> I don't know much LDAP, but it should be used as an attribute store. I
> consider it as an alternative of Active Directory. Please correct me if I
> am wrong.
> >>>
> Active Directory provides different interfaces. One of them is LDAP. You
> can use the LDAPLoginModule of the JDK for authentication. But you don't
> have to care that much as ADFS (and maybe the Fediz Mock for testing) will
> access ActiveDirectory to read the claims to add them to the SAML token.
>
> Could you zip the wsdl before attaching?
>
> Thanks
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com
>
> ________________________________
> From: Gina Choi [[email protected]]
> Sent: Friday, 4 May 2012 20:54
> To: [email protected]
> Subject: Re: CXF supporting scope
>
> Hi Oliver,
>
> Thanks for your response.
>
> >You mean that WIF is deployed in the ASP.NET web service using the
> >Active Requestor Profile?
> >The SAML token should contain the claims as an AttributeStatement?
> >Can you share with us the WS-SecurityPolicy of this Web Service?
> I have attached two wsdl files: BookingService.wsdl and
> BookingService_imported.wsdl. BookingService.wsdl is importing
> BookingService_imported.wsdl and if you open BookingService.wsdl, in line
> 10 there is an import statement like below. This .NET4.0 service is not
> owned by me and I don't know if separating wsdl files is common practice. Is
> there any way to combine them into one when generating artifacts using wsimport?
> I will be calling the CheckIn operation.
>
> <wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0"
>              namespace="http://tempuri.org/"/>
>
> >I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric
> >and Asymmetric binding.
> >What roles does ADFS 2.0 play?
> >Once as the IDP for the Web application SSO and once to let issue a token
> >onbehalfof/actas the original token from the Web SSO? (this is supported
> >by CXF-Fediz)
> >
> >http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
> I am using Active Directory as an attribute store. So, I could say ADFS
> role should be IDP. So, what I need is after user log on using Web SSO, the
> SAML token should be cached in web context and being used as actas token
> when making a call to .NET web service.
>
> > Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In
> > which application server is your web application deployed?
> ADFS is IDP and my Java web application is Service Provider.
>
> >What do you mean exactly? Is LDAP used for authentication by the STS? Or
> >should the service provider retrieve the claims/roles from LDAP?
> I don't know much about LDAP, but it should be used as an attribute store. I
> consider it an alternative to Active Directory. Please correct me if I
> am wrong. I have been reading many specifications, but I am still having a
> hard time straightening out the correct terms.
>
> >No, Spring is not a requirement.
> What is Spring role in CXF?
>
> Thanks.
>
> Gina
> On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <[email protected]> wrote:
> >>>
> 1. I have to create a client for a .NET4.0 web service which is claims aware. So,
> how is CXF's interoperability with .NET?
> >>>
> You mean that WIF is deployed in the ASP.NET web service
> using the Active Requestor Profile?
> The SAML token should contain the claims as an AttributeStatement?
> Can you share with us the WS-SecurityPolicy of this Web Service?
>
> >>>
> 2. If CXF supports ADFS2.0 as STS.
> >>>
> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric
> and Asymmetric binding.
> What roles does ADFS 2.0 play?
> Once as the IDP for the Web application SSO and once to let issue a token
> onbehalfof/actas the original token from the Web SSO? (this is supported by
> CXF-Fediz)
>
> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html
>
> >>>
> 3. If CXF supports the passive profile. Especially SP-initiated Redirect ->
> POST binding.
> >>>
> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which
> application server is your web application deployed?
>
> >>>
> 4. If CXF can work with LDAP.
> >>>
> What do you mean exactly? Is LDAP used for authentication by the STS? Or
> should the service provider retrieve the claims/roles from LDAP?
>
> >>>
> 5. My application doesn't use the Spring framework. Do I have to use the Spring
> framework to use CXF?
> >>>
> No, Spring is not a requirement.
>
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: gchoi [[email protected]]
> Sent: Wednesday, 2 May 2012 17:29
> To: [email protected]
> Subject: CXF supporting scope
>
> Hi All,
>
> So far, I have evaluated several frameworks, but they don't seem to do what I
> expect. Several people suggested that I should consider CXF. Before I dig
> into CXF, I would like to know if CXF supports the following things. By the way, I
> just joined this user group.
>
>
> 1. I have to create a client for a .NET4.0 web service which is claims aware. So,
> how is CXF's interoperability with .NET?
>
> 2. If CXF supports ADFS2.0 as STS.
>
> 3. If CXF supports the passive profile. Especially SP-initiated Redirect ->
> POST binding.
>
> 4. If CXF can work with LDAP.
>
> 5. My application doesn't use the Spring framework. Do I have to use the Spring
> framework to use CXF?
>
>
>
> Thanks in advance.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
> Sent from the cxf-user mailing list archive at Nabble.com.