Hi Gina
The Fediz project is used to protect your web application where the client is a browser. Right now, Fediz supports the WS-Federation Passive Requestor Profile, which is supported by ADFS and usually used in the .NET world as the default mechanism. You don't have to implement that in your application - that's done by the Fediz plugin. Fediz uses OpenSAML for SAML processing. The original URL is stored in the wreply parameter. .NET uses a combination of the wtrealm and wctx parameters.

Your Airline application can use CXF for the web services communication (for the REST communication also, if you like). The built-in support in CXF for the IssuedToken assertion (WS-SecurityPolicy) supports getting a token from ADFS using ActAs. In my example, just use the actAs property instead of the onBehalfOf property.

>>> ADFS generate SAMLtoken and this SAML token is sent back to Airline(Airline does all validation work) and cached in the session. - This part is implemented.
>>> The validation work is already done by Fediz. Session management is then done by the JEE container. Your application is called after the SAML token issued by ADFS is successfully validated. The container will create the session and check on every incoming request whether the used token is still valid - otherwise, the browser is redirected again to ADFS. You could also configure some roles in ADFS to protect your web application, as the Fediz plugin tells the container the user id as well as its roles. You could even use claims if you like.

Which Servlet container do you use? In your current setup, how does the samlp:Response look?

Thanks
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________
From: Gina Choi [[email protected]]
Sent: 07 May 2012 20:24
To: [email protected]
Cc: Oliver Wulff
Subject: Re: CXF supporting scope

Hi Oliver,

I did notice that your sample application used both the OpenSAML and OpenWS libraries. Are they used by Apache CXF or just by the Fediz project?

I need to clarify my environment further to give you a better picture.

1. All web services in my application are REST. The only reason that I use SOAP is to create a SOAP client to call a .NET SOAP web service which resides in another application. I am working with a .NET guy to prove some prototypes. His sample application is BookingService, for which I provided you the WSDL. I am working on Airline.
   BookingService: .NET 4.0 SOAP
   Airline: Java with REST
2. Both BookingService and Airline use the same ADFS as STS. We have set up relying parties for BookingService and Airline in ADFS.
3. SSO: A user will be using both Airline and BookingService. So, she/he should be able to log on once for both applications. In Airline (my application), I used SP-initiated POST redirect bindings. So, when a user makes a request to Airline for the first time, the user will be redirected to ADFS and asked for credentials. After the user provides username/password, ADFS generates a SAML token and this SAML token is sent back to Airline (Airline does all validation work) and cached in the session. - This part is implemented.
4. Now a user calls BookingService, which is claim-aware. So, I need to inject the Assertion token obtained from the previous step inside the ActAs element to call the STS (ADFS 2.0) to get a new token. With that new token, I will be calling BookingService. So, I don't think that I am able to use the Apache CXF STS part since my STS will be ADFS.

So, I am hoping that Apache CXF can work with ADFS (STS) to support my prototypes.

Thanks.
Gina

On Sat, May 5, 2012 at 6:22 AM, Oliver Wulff <[email protected]> wrote:

Hi Gina

>>> So, what I need is after user log on using Web SSO, the SAML token should be cached in web context and being used as actas token when making a call to .NET web service.
>>> This is supported by CXF without writing a single line of code. I do have a sample web application here:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/

This example illustrates:
- Fediz is configured for web SSO
- the SAML token is cached in the session and used to request a new token from the STS

The code to call the web service is in FederationServlet.doPost():

...
Greeter service = (Greeter)ApplicationContextProvider.getContext().getBean("HelloServiceClient");
String reply = service.greetMe();
...

The magic is in the configuration I used here:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/wsclientWebapp/webapp/src/main/webapp/WEB-INF/beans.xml?view=markup

The following property registers a callback handler to provide the STSClient with the token of the web login:

<property name="onBehalfOf" ref="delegationCallbackHandler" />

(There is also a property for actAs.)

The above example should do exactly what you need. You just have to change the above property to use actAs instead of onBehalfOf. The details for this example are described here:
http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html

To test this easily, you can use the Mock IDP that is part of Fediz for the authentication. You could also attach Active Directory to the Mock if you like. See here:
http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html
I use that within a customer setup to connect the CXF STS to Active Directory.

>>> What is Spring role in CXF?
>>> You can use Spring to configure your services. The above example is based on Spring. As you see, all security related stuff is enabled by configuration (Convention of Configuration). You can also write an application without Spring, but I wouldn't write an application without Spring nowadays; this is up to you.

>>> I don't know much LDAP, but it should be used as an attribute store. I consider it as an alternative of Active Directory. Please correct me if I am wrong.
>>> Active Directory provides different interfaces. One of them is LDAP. You can use the LDAPLoginModule of the JDK for authentication. But you don't have to care that much, as ADFS (and maybe the Fediz Mock for testing) will access Active Directory to read the claims to add them to the SAML token.

Could you zip the WSDL before attaching?

Thanks

________________________________
From: Gina Choi [[email protected]]
Sent: Friday, 4 May 2012 20:54
To: [email protected]
Subject: Re: CXF supporting scope

Hi Oliver,

Thanks for your response.

> You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile?
> The SAML token should contain the claims as an AttributeStatement?
> Can you share with us the WS-SecurityPolicy of this Web Service?

I have attached two WSDL files, BookingService.wsdl and BookingService_imported.wsdl. BookingService.wsdl is importing BookingService_imported.wsdl, and if you open BookingService.wsdl, in line 10 there is an import statement like below. This .NET 4.0 service is not owned by me and I don't know if separating the WSDL file is common practice. Is there any way to combine them into one when generating artifacts using wsimport? I will be calling the CheckIn operation.

<wsdl:import location="http://mecdevapp02.global.sdl.corp/BookingService/BookingService.svc?wsdl=wsdl0" namespace="http://tempuri.org/"/>

> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding.
> What roles does ADFS 2.0 play? Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz)
> http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html

I am using Active Directory as an attribute store. So, I could say the ADFS role should be IDP. So, what I need is: after the user logs on using Web SSO, the SAML token should be cached in the web context and used as the ActAs token when making a call to the .NET web service.

> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed?

ADFS is the IDP and my Java web application is the Service Provider.

> What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP?

I don't know much about LDAP, but it should be used as an attribute store. I consider it an alternative to Active Directory. Please correct me if I am wrong. I have been reading many specifications, but I am still having a hard time straightening out the correct terms.

> No, Spring is not a requirement.

What is Spring's role in CXF?

Thanks.
Gina

On Thu, May 3, 2012 at 2:24 PM, Oliver Wulff <[email protected]> wrote:

>>> 1. I have to create a client for .NET4.0 web service which claim aware. So, how is CXF interoperability with .NET?
>>> You mean that WIF is deployed in the ASP.NET web service using the Active Requestor Profile? The SAML token should contain the claims as an AttributeStatement? Can you share with us the WS-SecurityPolicy of this Web Service?

>>> 2. If CXF support ADFS2.0 as STS.
>>> I haven't used ADFS using WS-Trust so far. Usually, it uses a Symmetric and Asymmetric binding. What roles does ADFS 2.0 play? Once as the IDP for the Web application SSO and once to let issue a token onbehalfof/actas the original token from the Web SSO? (this is supported by CXF-Fediz)
http://owulff.blogspot.com/2012/04/sso-across-web-applications-and-web_16.html

>>> 3. If CXF support passive profile. Especially SP initiated Redirect -> POST binding.
>>> Yes, the passive profile is supported by Fediz. Is ADFS the IDP? In which application server is your web application deployed?

>>> 4. If CXF can work with LDAP.
>>> What do you mean exactly? Is LDAP used for authentication by the STS? Or should the service provider retrieve the claims/roles from LDAP?

>>> 5. My application doesn't use Spring frame work. Do I have to use Spring Frame work to use CXF.
>>> No, Spring is not a requirement.

________________________________________
From: gchoi [[email protected]]
Sent: Wednesday, 2 May 2012 17:29
To: [email protected]
Subject: CXF supporting scope

Hi All,

So far, I have evaluated several frameworks, but they don't seem to do what I expect. Several people suggested to me that I should consider CXF. Before I dig into CXF, I would like to know if CXF supports the following things. By the way, I just joined this user group.

1. I have to create a client for a .NET 4.0 web service which is claim-aware. So, how is CXF interoperability with .NET?
2. Whether CXF supports ADFS 2.0 as STS.
3. Whether CXF supports the passive profile, especially SP-initiated Redirect -> POST binding.
4. Whether CXF can work with LDAP.
5. My application doesn't use the Spring framework. Do I have to use the Spring framework to use CXF?

Thanks in advance.

--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-supporting-scope-tp5680855.html
Sent from the cxf-user mailing list archive at Nabble.com.
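The ActAs wiring that Oliver describes (a delegation callback handler that hands the cached web-SSO assertion to the STSClient, with the actAs property used instead of onBehalfOf) written out in Java as an added example. This is not code from the thread, from the Fediz wsclientWebapp example, or from CXF's own sources; it uses the real CXF classes STSClient, DelegationCallback and SecurityConstants.STS_CLIENT, while LoginTokenHolder, ActAsDelegationCallbackHandler, the ADFS-HOST and ENDPOINT-NAME placeholders, and the BookingService port are assumptions:

```java
// Added example, not code from the mailing-list thread or the Fediz project.
// A JAX-WS client that asks ADFS (acting as WS-Trust STS) for a new token with
// the cached web-SSO SAML assertion placed in the ActAs element; this is the
// programmatic form of <property name="actAs" ref="delegationCallbackHandler"/>.
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.Bus;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.w3c.dom.Element;

/** Hypothetical per-request holder (an assumption of this example): the servlet
 *  copies the validated login assertion, the DOM Element it cached in the
 *  HttpSession, into this holder before calling the web service, so the handler
 *  below can find it without depending on a Spring request scope. */
final class LoginTokenHolder {
    private static final ThreadLocal<Element> TOKEN = new ThreadLocal<Element>();
    static void set(Element assertion) { TOKEN.set(assertion); }
    static Element get() { return TOKEN.get(); }
    static void clear() { TOKEN.remove(); }
}

/** Supplies the cached SAML assertion when STSClient builds the RequestSecurityToken.
 *  Plays the role of the delegationCallbackHandler bean in the Fediz example. */
public class ActAsDelegationCallbackHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof DelegationCallback) {
                Element assertion = LoginTokenHolder.get();
                if (assertion == null) {
                    // No web-SSO login in this request: fail the STS call rather than
                    // sending a request without the delegated identity.
                    throw new IOException("no cached login token available for delegation");
                }
                // Hand over the signed assertion unchanged; ADFS verifies the IDP
                // signature on it before issuing the new token for BookingService.
                ((DelegationCallback) cb).setToken(assertion);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Configures an STSClient for ADFS and attaches it to a JAX-WS port whose
     *  WS-SecurityPolicy carries an IssuedToken assertion (that assertion is what
     *  makes CXF call the STSClient before the first invocation). */
    public static STSClient configureStsClient(Bus bus, BindingProvider port, boolean useActAs) {
        STSClient stsClient = new STSClient(bus);
        // Placeholders: take the MEX/WSDL URL, service name and endpoint name from
        // the ADFS instance's own published WSDL. Use HTTPS so the assertion is not
        // forwarded in clear text.
        stsClient.setWsdlLocation("https://ADFS-HOST/adfs/services/trust/mex");
        stsClient.setServiceName(
            "{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService");
        stsClient.setEndpointName(
            "{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}ENDPOINT-NAME");

        CallbackHandler handler = new ActAsDelegationCallbackHandler();
        if (useActAs) {
            // WS-Trust 1.4 ActAs: the new token records the service acting as the user;
            // this is the variant Gina's BookingService expects.
            stsClient.setActAs(handler);
        } else {
            // OnBehalfOf: the variant the Fediz wsclientWebapp example ships with.
            stsClient.setOnBehalfOf(handler);
        }
        port.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient);
        return stsClient;
    }
}
```

In the servlet, set LoginTokenHolder with the assertion from the session before invoking the port (for Gina's case the CheckIn operation) and clear it in a finally block, so a token never leaks into a later request handled by the same thread. The handler deliberately refuses to run when no login token is present: an STS request with an empty ActAs would either fail at ADFS or, worse, succeed with the client's own credentials and lose the end user's identity.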
